New Botnet Malware ‘Horabot’ Targets Spanish-Speaking Users in Latin America


June 02, 2023 | Ravie Lakshmanan | Botnets/Malware


Spanish-speaking users in Latin America have been targeted by a new botnet malware dubbed Horabot since at least November 2020.

“Horabot allows threat actors to control the victim’s Outlook mailbox, extract contact email addresses, and send phishing emails with malicious HTML attachments to all addresses in the victim’s mailbox,” Cisco Talos researcher Chetan Raghuprasad said.

The botnet program also comes with Windows-based financial trojans and spam tools that harvest online banking credentials and compromise Gmail, Outlook and Yahoo! webmail accounts in order to blast out spam emails.

The cybersecurity firm said most of the infections were in Mexico, with limited victims identified in Uruguay, Brazil, Venezuela, Argentina, Guatemala and Panama. The threat actor behind the campaign is believed to be in Brazil.

Users targeted in the ongoing campaign mainly work in the accounting, construction and engineering, wholesale distribution, and investment verticals, although it is suspected that other sectors in the region could also be affected.

The attack begins with a phishing email carrying a tax-themed lure that entices recipients to open an HTML attachment, which, in turn, embeds a link that delivers a RAR archive.

Opening the archive's contents executes a PowerShell downloader script that fetches a ZIP file containing the main payload from a remote server and then reboots the machine.

System restarts also serve as launch pads for banking trojans and spam tools, allowing threat actors to steal data, log keystrokes, capture screenshots, and spread additional phishing emails to victims’ contacts.

“The campaign involved a multi-stage attack chain that started with a phishing email and led to delivery of the payload via the execution of a PowerShell downloader script and sideloading it to a legitimate executable,” said Raghuprasad.


The banking trojan is a 32-bit Windows DLL written in the Delphi programming language, and it shares overlap with other Brazilian malware families such as Mekotio and Casbaneiro.

Horabot, for its part, is an Outlook phishing botnet program written in PowerShell that can send phishing emails to every address in a victim's mailbox to spread the infection. Sending those emails from victims' mailboxes is also a deliberate attempt to keep the threat actors' own phishing infrastructure from being exposed.
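Because the infection chain starts with an HTML attachment and Horabot then mails that lure from the victim's own mailbox to every contact, one defender-side signal is a single internal sender pushing HTML attachments to many distinct recipients in a short burst. The following is an added example, not code from Cisco Talos or this article; it runs a sliding-window check over a constructed outbound mail-gateway log whose line format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound mail-gateway log (sample data, not from the report).
# Each line: timestamp, sender, recipient, attachment name ('-' if none).
SAMPLE_LOG = """\
2023-05-30T09:00:12Z from=ana@corp.example to=pedro@corp.example attach=informe_q1.xlsx
2023-05-30T10:02:41Z from=luis@corp.example to=a1@ext.example attach=Factura_2023.html
2023-05-30T10:02:42Z from=luis@corp.example to=a2@ext.example attach=Factura_2023.html
2023-05-30T10:02:42Z from=luis@corp.example to=a3@ext.example attach=Factura_2023.html
2023-05-30T10:02:43Z from=luis@corp.example to=a4@ext.example attach=Factura_2023.html
2023-05-30T10:02:44Z from=luis@corp.example to=a5@ext.example attach=Factura_2023.html
2023-05-30T15:30:00Z from=ana@corp.example to=b1@ext.example attach=oferta.html
"""

LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+) attach=(\S+)$")
HTML_EXT = (".html", ".htm")

def parse_log(text):
    """Yield (timestamp, sender, recipient, attachment) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore malformed lines instead of crashing
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)

def find_mass_html_senders(text, min_recipients=5, window=timedelta(minutes=10)):
    """Return {sender: max distinct recipients} for senders that delivered HTML
    attachments to at least min_recipients distinct recipients within one
    sliding window; a lone HTML mail (ana -> b1) does not trip it."""
    events = defaultdict(list)  # sender -> [(ts, recipient)] for HTML mails
    for ts, sender, rcpt, attach in parse_log(text):
        if attach.lower().endswith(HTML_EXT):
            events[sender].append((ts, rcpt))
    hits = {}
    for sender, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {r for _, r in evs[start:end + 1]}
            if len(distinct) >= min_recipients:
                hits[sender] = max(hits.get(sender, 0), len(distinct))
    return hits
```

Tune `min_recipients` and `window` to the normal outbound volume of the mailboxes you monitor; the burst pattern, not the attachment name, is the signal.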


The disclosure comes a week after SentinelOne linked an unidentified Brazilian threat actor to a long-running campaign targeting more than 30 Portuguese financial institutions with information-stealing malware since 2021.

It also follows the discovery of a new Android banking trojan dubbed PixBankBot that abuses the operating system's accessibility services to make fraudulent money transfers through Brazil's PIX payment platform.

PixBankBot is also the latest example of malware focused specifically on Brazilian banks, with capabilities similar to BrasDex, PixPirate, and GoatRAT, all seen in recent months.

If anything, the development represents another iteration of a broader group of financially motivated hacking attempts originating in Brazil, so it’s important that users remain vigilant to avoid falling victim to such threats.
