New Botnet Malware ‘Horabot’ Targets Spanish-Talking Customers in Latin America


Jun 02, 2023Ravie LakshmananBotnet / Malware

Botnet Malware

Spanish-speaking customers in Latin America have been on the receiving finish of a brand new botnet malware dubbed Horabot since not less than November 2020.

“Horabot permits the risk actor to regulate the sufferer’s Outlook mailbox, exfiltrate contacts’ electronic mail addresses, and ship phishing emails with malicious HTML attachments to all addresses within the sufferer’s mailbox,” Cisco Talos researcher Chetan Raghuprasad mentioned.

The botnet program additionally delivers a Home windows-based monetary trojan and a spam instrument to reap on-line banking credentials in addition to compromise Gmail, Outlook, and Yahoo! webmail accounts to blast spam emails.

The cybersecurity agency mentioned a majority of the infections are positioned in Mexico, with restricted victims recognized in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama. The risk actor behind the marketing campaign is believed to be in Brazil.

Focused customers of the continued marketing campaign primarily span accounting, development and engineering, wholesale distribution, and funding verticals, though it is suspected that different sectors within the area may be affected.

The assaults begin with phishing emails bearing tax-themed lures that entice the recipients into opening an HTML attachment, which, in flip, embeds a hyperlink containing a RAR archive.

Opening the contents of the file leads to the execution of a PowerShell downloader script that is answerable for retrieving a ZIP file containing the principle payloads from a distant server and rebooting the machine.

The system restart additionally serves as a launchpad for the banking trojan and the spam instrument, permitting the risk actor to steal information, log keystrokes, seize screenshots, and disseminate extra phishing emails to the sufferer’s contacts.

“This marketing campaign entails a multi-stage assault chain that begins with a phishing electronic mail and results in payload supply by the execution of a PowerShell downloader script and sideloading to official executables,” Raghuprasad mentioned.

Botnet Malware

The banking trojan is a 32-bit Home windows DLL written within the Delphi programming language, and shares overlaps with different Brazilian malware households like Mekotio and Casbaneiro.

Horabot, for its half, is an Outlook phishing botnet program written in PowerShell that is able to sending phishing emails to all electronic mail addresses within the sufferer’s mailbox to propagate the an infection. It is also a deliberate try to reduce the risk actor’s phishing infrastructure from being uncovered.

UPCOMING WEBINAR

🔐 Mastering API Safety: Understanding Your True Assault Floor

Uncover the untapped vulnerabilities in your API ecosystem and take proactive steps in the direction of ironclad safety. Be part of our insightful webinar!

Be part of the Session

The disclosure arrives per week after SentinelOne attributed an unknown Brazilian risk actor to a long-running marketing campaign concentrating on greater than 30 Portuguese monetary establishments with information-stealing malware since 2021.

It additionally follows the invention of a brand new Android banking trojan dubbed PixBankBot that abuses the working system’s accessibility companies to conduct fraudulent cash transfers over the Brazilian PIX funds platform.

PixBankBot can be the newest instance of malware that particularly focuses on Brazilian banks, that includes capabilities just like BrasDex, PixPirate, and GoatRAT which have been noticed in current months.

If something, the developments symbolize one more iteration of a broader group of financially motivated hacking efforts emanating from Brazil, making it essential that customers stay vigilant to keep away from falling prey to such threats.

Discovered this text fascinating? Observe us on Twitter and LinkedIn to learn extra unique content material we put up.



Leave a Reply

Your email address will not be published. Required fields are marked *