Spanish-speaking users in Latin America have been targeted by a botnet malware called Horabot since at least November 2020.
“Horabot allows attackers to take control of a victim’s Outlook mailbox, steal contact email addresses, and deliver phishing emails containing malicious HTML attachments. It can be sent to any address in the victim’s mailbox,” said Cisco Talos researcher Chetan Raghuprasad.
The botnet program also delivers a Windows-based financial Trojan and a spam tool that harvest online banking credentials and compromise Gmail, Outlook, and Yahoo! webmail accounts in order to send out spam emails.
The cybersecurity firm said the majority of infections occurred in Mexico, with limited victims identified in Uruguay, Brazil, Venezuela, Argentina, Guatemala and Panama. The attackers behind this campaign are believed to be based in Brazil.
The ongoing campaign primarily targets users in the accounting, construction and engineering, wholesale distribution and investment sectors, although it is suspected that other sectors in the region may also be affected.
The attack begins with a tax-themed phishing email that tricks the recipient into opening an HTML attachment containing a link to a RAR archive.
Opening the contents of the archive executes a PowerShell downloader script that retrieves a ZIP file containing the main payload from a remote server and reboots the machine.
The system reboot also serves as a launch pad for the banking Trojan and the spam tool, allowing the attackers to steal data, log keystrokes, capture screenshots, and send additional phishing emails to the victim’s contacts, which is how the infection propagates further.
“This campaign includes a multi-stage attack chain starting with a phishing email and ending with payload delivery via execution of a PowerShell downloader script and sideloading into a legitimate executable,” said Raghuprasad.
This banking Trojan is a 32-bit Windows DLL written in the Delphi programming language that overlaps with other Brazilian malware families such as Mekotio and Casbaneiro.
Horabot itself is an Outlook phishing botnet program written in PowerShell that spreads by sending phishing emails to every address in a victim’s mailbox. Sending the lures from compromised mailboxes is also a deliberate attempt to minimize exposure of the threat actor’s own phishing infrastructure.
The disclosure comes a week after SentinelOne determined that an unknown Brazilian actor has been involved in a long-running campaign targeting over 30 Portuguese financial institutions with information-stealing malware since 2021.
It also follows the discovery of a new Android banking Trojan called PixBankBot, which abuses the operating system’s accessibility services to perform fraudulent money transfers on the Brazilian PIX payment platform.
PixBankBot is also the latest example of malware specifically focused on Brazilian banks, with functionality similar to BrasDex, PixPirate, and GoatRAT discovered in recent months.
If anything, this development represents yet another iteration of widespread, financially-motivated hacking campaigns originating from Brazil, making it important for users to remain vigilant to avoid falling prey to these threats.