A cyber campaign called Horabot has been discovered by Cisco Talos, targeting Spanish-speaking users in Latin America since November 2020. The campaign involves infecting victims with a banking trojan and a spam tool. The attackers gain control over the victims’ Gmail, Outlook, Hotmail, or Yahoo email accounts, allowing them to steal email data and 2FA codes and send phishing emails from compromised accounts.
The threat actors behind Horabot are suspected to be based in Brazil. The multi-stage infection chain begins with a phishing email themed around taxes. Victims receive an HTML attachment posing as a payment receipt, which triggers a URL redirection chain leading to an attacker-controlled HTML page hosted on AWS.
From there, victims download a RAR archive containing a batch file and a PowerShell script that fetches trojan DLLs and legitimate executables from a command-and-control (C2) server. The trojans fetch the final two payloads from a different C2 server, including the Horabot binary and a PowerShell downloader script. The banking trojan, written in Delphi and disguised as “jli.dll,” collects various system information and user credentials.
It enables the attackers to remotely access the compromised system, perform file actions, conduct keylogging, capture screenshots, and track mouse events. The trojan overlays a fake window on top of legitimate applications to trick victims into entering sensitive data like online banking credentials. All the collected information is sent to the attackers’ C2 server via HTTP POST requests.
In addition to the banking trojan, the campaign includes a spam tool DLL named “_upyqta2_J.mdat” that steals credentials for popular webmail services. This tool also features keylogging, screenshot capture, and mouse event interception capabilities. Once the victims’ email account credentials are compromised, the tool generates spam emails and sends them to the contacts found in the victim’s mailbox, potentially expanding the infection to other users.
The primary payload, Horabot, is a PowerShell-based botnet that targets Outlook mailboxes, stealing contacts and disseminating phishing emails with malicious HTML attachments.
While Horabot primarily targets users in countries such as Mexico, Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama, there is a possibility that the threat actors may expand their reach to other markets using phishing themes written in English. Users in Latin America should remain cautious and exercise vigilance to avoid falling victim to this sophisticated cyber campaign.
