New Horabot campaign takes over victims’ Gmail, Outlook accounts

Malware distribution via phishing

A previously unknown campaign involving the Horabot botnet malware has targeted Spanish-speaking users in Latin America since at least November 2020, infecting them with a banking trojan and a spam tool.

The malware allows the operators to take control of the victim’s Gmail, Outlook, Hotmail, or Yahoo email accounts, steal email data and 2FA codes arriving in the inbox, and send phishing emails from the compromised accounts.

The new Horabot operation was discovered by analysts at Cisco Talos, who report that the threat actor behind it is likely based in Brazil.

Starts with phishing

The multi-stage infection chain starts with a tax-themed phishing email sent to the target, with an HTML attachment that is supposedly a payment receipt.

Opening the HTML launches a URL redirection chain that lands the victim on an HTML page hosted on an attacker-controlled AWS instance.

Malicious page hosted on AWS (Cisco)

The victim clicks on the link on the page and downloads a RAR archive that contains a batch file with a CMD extension, which downloads a PowerShell script that fetches trojan DLLs and a set of legitimate executables from the C2 server.

These trojans execute to fetch the final two payloads from a different C2 server. One is a PowerShell downloader script, and the other is the Horabot binary.

Infection chain diagram (Cisco)

Banking trojan

One of the DLL files in the downloaded ZIP, “jli.dll,” which is sideloaded by the “kinit.exe” executable, is a banking trojan written in Delphi.

It targets system data (language, disk size, antivirus software, hostname, OS version, IP address), user credentials, and activity data.

The trojan also gives its operators remote access capabilities such as performing file actions, and it can conduct keylogging, screenshot capture, and mouse event monitoring.

When the victim opens an application, the trojan overlays a fake window on top of it to trick victims into entering sensitive data like online banking account credentials or one-time codes.

Code for creating phishing forms (Cisco)

All information collected from the victim’s computer is sent to the attacker’s command and control server via HTTP POST requests.

Cisco explains that the trojan has several built-in anti-analysis mechanisms to prevent it from running in sandboxes or alongside debuggers.

The ZIP archive also contains an encrypted spam tool DLL named “_upyqta2_J.mdat,” designed to steal credentials for popular webmail services like Gmail, Hotmail, and Yahoo.

Once the credentials are compromised, the tool takes over the victim’s email account, generates spam emails, and sends them to the contacts found in the victim’s mailbox, furthering the infection somewhat randomly.

This tool also features keylogging, screenshot capture, and mouse event interception or monitoring capabilities, functionally overlapping with the banking trojan, possibly for redundancy.

The first payload dropped onto the victim’s system is Horabot, a documented PowerShell-based botnet that targets the victim’s Outlook mailboxes to steal contacts and disseminate phishing emails containing malicious HTML attachments.

The malware launches the victim’s desktop Outlook application to scrutinize the address book and contacts from the mailbox contents.

“After initialization, the [Horabot] script looks for the Outlook data files from the victim profile’s Outlook application data folder,” explains Cisco in the report.

“It enumerates all folders and emails in the victim’s Outlook data file and extracts email addresses from the emails’ sender, recipients, CC, and BCC fields.”

Function to extract email addresses (Cisco)

All extracted email addresses are written into an “.Outlook” file and then encoded and exfiltrated to the C2 server.
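A detection sketch for two of the host-side behaviours described above (jli.dll sideloaded by kinit.exe, and the harvested addresses written to a “.Outlook” file), added here as an example and not code from Cisco Talos or the article. The telemetry records are constructed, and the assumption that legitimate copies of the binaries live under Program Files while the dropped pair runs from a user-writable directory is mine.

```python
from pathlib import PureWindowsPath

# Constructed sample host telemetry, Sysmon-style: id 7 = image load, id 11 = file create.
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Users\ana\AppData\Local\Temp\kinit.exe",
     "loaded": r"C:\Users\ana\AppData\Local\Temp\jli.dll"},
    {"id": 7, "image": r"C:\Program Files\SomeVendor\bin\kinit.exe",
     "loaded": r"C:\Program Files\SomeVendor\bin\jli.dll"},
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\ana\AppData\Local\Temp\contacts.Outlook"},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"C:\Users\ana\AppData\Local\Microsoft\Outlook\mailbox.ost"},
]

# Assumption (not from the article): directories a standard user can write to,
# where a sideloaded jli.dll would sit next to the dropped kinit.exe.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def detect(events):
    """Return (rule, process, path) tuples for events matching either behaviour."""
    alerts = []
    for ev in events:
        proc = PureWindowsPath(ev["image"]).name.lower()
        if ev["id"] == 7:
            dll = PureWindowsPath(ev["loaded"])
            # Sideloading as described: kinit.exe resolving jli.dll from a user-writable path
            if (proc == "kinit.exe" and dll.name.lower() == "jli.dll"
                    and is_user_writable(str(dll.parent))):
                alerts.append(("dll_sideload", proc, ev["loaded"]))
        elif ev["id"] == 11:
            target = PureWindowsPath(ev["target"])
            # Horabot is PowerShell-based and writes harvested addresses to a ".Outlook"
            # file before encoding and exfiltrating it, so the writer is powershell.exe
            if target.suffix == ".Outlook" and proc == "powershell.exe":
                alerts.append(("outlook_contact_dump", proc, ev["target"]))
    return alerts


if __name__ == "__main__":
    for rule, proc, path in detect(SAMPLE_EVENTS):
        print(f"{rule}: {proc} -> {path}")
```

The Program Files copy of the same executable and DLL does not fire, and neither does Outlook writing its own .ost data file, which keeps the two rules from flagging normal activity.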

Finally, the malware creates an HTML file locally, fills it with content copied from an external resource, and sends phishing emails to all extracted email addresses individually.

Horabot infection flow (Cisco)

When the phishing email distribution process is finished, the locally created files and folders are deleted to wipe any traces.

Although this Horabot campaign primarily targets users in Mexico, Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama, the same or collaborating threat actors could expand its reach to other markets at any time, using phishing themes written in English.
