In a recent discovery, cybersecurity analysts from Cisco Talos have identified a previously unknown campaign known as the Horabot operation, which has been active since November 2020. This malicious campaign, powered by the Hotabot botnet malware, specifically targets Spanish-speaking users in Latin America. The primary aim of the attackers is to infect victims with a banking trojan and a spam tool, allowing them to gain unauthorized access to victims’ Gmail, Outlook, Hotmail, or Yahoo email accounts. This article will delve into the details of the Horabot campaign, shed light on the infection chain, and discuss the potential impact on users in the affected regions.
The Infection Chain
The Horabot campaign starts with a phishing email, cleverly designed with a tax-themed subject, which is sent to the intended victims. The email contains an HTML attachment disguised as a payment receipt. Upon opening the attachment, a URL redirection chain is triggered, leading the victim to an HTML page hosted on an attacker-controlled AWS instance. This page contains a hyperlink that prompts the victim to download a RAR archive, which, in turn, contains a batch file with a CMD extension. The CMD file downloads a PowerShell script responsible for fetching trojan DLLs and legitimate executables from the command and control (C2) server. The trojans execute to retrieve the final two payloads from a different C2 server: a PowerShell downloader script and the Horabot binary.
The Banking Trojan
Among the downloaded files is a DLL called “jli.dll,” which is loaded by the “kinit.exe” executable. This DLL serves as a banking trojan written in Delphi, specifically designed to steal sensitive information from the victim’s system. It targets system information, user credentials, and activity data. The trojan also possesses remote access capabilities, allowing the operators to perform file actions, conduct keylogging, take screenshots, and track mouse events. Notably, the trojan overlays a fake window on top of legitimate applications to trick victims into entering their online banking account credentials or one-time codes. All the stolen information is sent to the attacker’s command and control server through HTTP POST requests.
The Spam Tool
Another component found in the downloaded ZIP archive is an encrypted spam tool DLL named “_upyqta2_J.mdat.” This tool is designed to steal credentials from popular webmail services like Gmail, Hotmail, and Yahoo. Once the credentials are compromised, the tool takes control of the victim’s email account, generates spam emails, and sends them to contacts found within the compromised mailbox. The spam tool shares functionalities with the banking trojan, including keylogging, screenshot capturing, and mouse event interception or tracking. This overlap suggests redundancy in case one component fails to achieve its objectives.
The Horabot Botnet
The primary payload deployed by the Horabot campaign is the Horabot botnet, which operates using PowerShell scripts. This botnet specifically targets Outlook mailboxes, aiming to steal contact information and distribute phishing emails containing malicious HTML attachments. The malware scans the victim’s desktop Outlook application to gather address book and contact information. This data is then encoded, exfiltrated to the C2 server, and used to send phishing emails individually to each extracted email address. After completing the email distribution process, the malware deletes any locally created files and folders to eliminate traces of its presence.
Protecting Yourself
As the Horabot campaign poses a significant threat to users in Latin America, it is essential to take proactive measures to protect yourself and your organization from such attacks. Here are some key tips to safeguard against similar threats:
1. Be vigilant with email attachments: Exercise caution when opening email attachments, especially those those from unknown senders or unexpected sources.
2. Educate yourself on phishing techniques: Learn how to identify phishing emails and recognize common red flags such as suspicious links or email content.
3. Maintain strong security practices: Implement strong and unique passwords, enable multi-factor authentication, and keep your software and security tools up to date.
4. Regularly backup your data: Ensure you have proper backup mechanisms in place to recover in case of a data breach or loss.
5. Use reputable security solutions: Invest in reliable antivirus and anti-malware software to detect and mitigate potential threats.
Conclusion
The Horabot campaign serves as a stark reminder of the evolving nature of cyber threats, with attackers constantly devising new tactics to compromise users’ email accounts and steal sensitive information. By staying informed and following best practices for email security and overall cybersecurity, users can better protect themselves from these sophisticated attacks. Remember, being proactive and staying informed are key to maintaining a secure online presence.
Disclaimer: The Horabot campaign primarily targets users in Mexico, Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama. However, it is important to note that threat actors may expand their reach and adopt new strategies, including phishing themes in English, targeting users in other regions.
