Cybersecurity analysts have uncovered a previously unknown campaign that has been wreaking havoc among Spanish-speaking users in Latin America since November 2020. This alarming operation, driven by the Horabot botnet malware, has infected unsuspecting victims with a dangerous banking trojan and spam tool.
Its sophisticated capabilities allow the operators to gain control over popular email platforms such as Gmail, Outlook, Hotmail, and Yahoo, enabling them to steal sensitive email data and intercept two-factor authentication (2FA) codes.
Even more concerning, the compromised accounts are then weaponised to propagate phishing emails. The origin of this malicious campaign is believed to be based in Brazil, casting a shadow over the digital landscape of Latin America.
The intricate web of Horabot malware infection begins with a tax-themed phishing email that lures the target into opening an HTML attachment disguised as a payment receipt.
This innocent act triggers a series of URL redirections, ultimately leading the victim to an HTML page hosted on an AWS instance controlled by the attacker.
The victim then clicks a hyperlink on that page, which downloads a RAR archive containing a batch file with a CMD extension. This file, in turn, retrieves a PowerShell script that fetches trojan DLLs and a collection of legitimate executables from the command and control (C2) server.
These trojans stealthily execute their tasks, fetching the final payloads from another C2 server. Among them are a PowerShell downloader script and the notorious Horabot binary, completing the malicious arsenal.
Within the downloaded ZIP archive, a significant component named “jli.dll” emerges as a banking trojan written in Delphi. It collects system information such as language settings, disk size, installed antivirus software, hostname, operating system version, and IP address, along with user credentials and activity data.
The trojan extends its reach by granting remote access privileges to its operators, enabling actions like file manipulation, and encompassing intrusive functionalities such as keylogging, capturing screenshots, and tracking mouse events.
Furthermore, the trojan cleverly overlays a counterfeit window when opening an application, forcing victims to divulge sensitive information like online banking credentials or one-time codes. All the harvested data is swiftly transmitted to the attacker’s command and control server through HTTP POST requests.
The trojan incorporates several built-in anti-analysis mechanisms to evade detection, sandbox environments, and debugger tools. Another component within the ZIP archive is an encrypted spam tool DLL dubbed “_upyqta2_J.mdat,” primarily designed to steal credentials from popular webmail services like Gmail, Hotmail, and Yahoo.
Once the tool successfully compromises the credentials, it hijacks the victim’s email account, generating spam emails and distributing them randomly to contacts within the victim’s mailbox, thus amplifying the infection.
Interestingly, this tool’s functionalities overlap with the banking trojan, including keylogging, screenshot capturing, and interception/tracking of mouse events, potentially serving as a redundancy measure.
At the core of this malicious campaign lies Horabot, a PowerShell-based botnet malware that deploys its primary payload onto the victim’s system. It specifically targets Outlook mailboxes to steal contacts and unleash phishing emails containing perilous HTML attachments.
The malware hijacks the victim’s desktop Outlook application and scours the address book and the contacts within the mailbox. After initialisation, the Horabot script locates Outlook data files within the application data folder of the victim’s profile.
It systematically scans all folders and emails, extracting email addresses from the sender, recipients, CC, and BCC fields. These extracted addresses are then compiled into an “.Outlook” file, encoded, and discreetly exfiltrated to the command and control (C2) server.
The Horabot malware also creates a local HTML file, populating it with content sourced from an external resource, and sends individualised phishing emails to all the harvested email addresses. Once the phishing email distribution concludes, the malware systematically eradicates all locally created files and folders to eliminate any traces of its activity.
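The infection chain and the Outlook harvesting stage described above can be correlated on the endpoint side. The following is an added example, not code from the report or the malware: it runs a three-stage sequence check over constructed Sysmon-style events (a .cmd dropped from the phishing archive, powershell.exe spawned by cmd.exe, and powershell.exe writing the “.Outlook” address list). The event dictionaries and their field names are an assumed simplification, not Sysmon’s exact schema.

```python
"""Correlate constructed process/file events against the Horabot chain:
.cmd from archive -> powershell.exe from cmd.exe -> '.Outlook' list written.
Field names are an assumed simplification of Sysmon's, not its real schema."""
import re

def is_cmd_stage(e):
    """Stage 1: cmd.exe running a .cmd script out of a user Temp/Downloads folder."""
    return (e["id"] == 1 and e["image"].lower().endswith(r"\cmd.exe")
            and re.search(r"\\(Temp|Downloads)\\.*\.cmd\b", e.get("cmdline", ""), re.I))

def is_ps_stage(e):
    """Stage 2: powershell.exe spawned by cmd.exe (the downloader script)."""
    return (e["id"] == 1 and e["image"].lower().endswith(r"\powershell.exe")
            and e.get("parent", "").lower().endswith(r"\cmd.exe"))

def is_outlook_dump(e):
    """Stage 3: powershell.exe creating a '.Outlook' file under AppData."""
    return (e["id"] == 11 and e["image"].lower().endswith(r"\powershell.exe")
            and re.search(r"\\AppData\\.*\.outlook$", e.get("target", ""), re.I))

STAGES = [("cmd_from_archive", is_cmd_stage), ("ps_from_cmd", is_ps_stage),
          ("outlook_contacts_dump", is_outlook_dump)]

def correlate(events):
    """Return {host: [stage names matched so far, in order]}; events sorted by time."""
    seen = {}
    for e in events:
        stages = seen.setdefault(e["host"], [])
        nxt = len(stages)
        if nxt < len(STAGES) and STAGES[nxt][1](e):
            stages.append(STAGES[nxt][0])
    return seen

def alerts(events):
    """Hosts on which every stage of the chain was observed in sequence."""
    return sorted(h for h, s in correlate(events).items() if len(s) == len(STAGES))

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed sample telemetry, not real logs; id 1 = process, 11 = file create
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\ana\AppData\Local\Temp\Rar$DIa1\recibo_pago.cmd"'},
    {"id": 1, "host": "WS01", "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -f stage.ps1"},
    {"id": 11, "host": "WS01", "image": PS,
     "target": r"C:\Users\ana\AppData\Roaming\Microsoft\Outlook\contacts.Outlook"},
    # benign admin host: powershell from cmd, but no archive-dropped .cmd and no .Outlook dump
    {"id": 1, "host": "ADM02", "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -f C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    print(alerts(EVENTS))  # ['WS01']
```

Requiring the stages in order keeps a lone cmd-spawned PowerShell (common in administration) from alerting on its own, while still catching the full chain.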
While the Horabot campaign has predominantly focused on targeting users in Mexico, Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama, it is crucial to recognise the potential for these threat actors, either independently or in collaboration, to expand their operations into other markets at any given time.
Users must remain vigilant in the face of evolving cyber threats, as the possibility of phishing themes written in English could emerge as a new tactic employed by these malicious actors. Continuous monitoring and robust security measures are necessary to safeguard users and mitigate the potential impact of such expanding campaigns.
