Horus Eyes RAT Used to Support the warsaw Banking Trojan

Cybercriminals often combine private projects with well-known, public malware families. The latest example of this is a banking Trojan with the name 'warsaw.' The creators of this malware are relying on a relatively old Remote Access Trojan (RAT) to aid their implant's attack – the Horus Eyes RAT. This malware has been around for several years, and its creators are promoting it on underground hacking forums. While the Horus Eyes RAT has never been considered to be high-end, this campaign seems to be different. Criminals are using it in a relatively high-profile operation, involving a new banking Trojan.

It is important to add that the current iteration of the Horus Eyes RAT has been improved. However, its core features remain intact. It can gain persistence, collect software and hardware information, capture data from windows, execute remote commands, and more.

Horus Eyes RAT Uses a Telegram Bot to Exfiltrate Data

The original RAT steals data and files through an HTTP connection, but this one relies on a custom-built Telegram bot. Criminals often rely on Telegram's features to either control their implants or exfiltrate data, since it is easy for them to switch things around without this resulting in downtime for their malware. In addition, Telegram communication is very secure.

The warsaw Banking Trojan that the Horus Eyes RAT supports works in a very simple manner. It observes the victim's browsing sessions, and injects a phishing overlay when they visit one of the supported banking portals. If the victim does not spot the scam and enters their data, their login credentials will be sent to the attackers through Telegram.
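Because the exfiltration described above runs over Telegram, one defensive check is to look for processes other than browsers or the Telegram client that contact the Bot API. The following is an added example, not code from the article or from the malware. The Bot API hostname `api.telegram.org`, the CSV telemetry layout, the process allowlist and the sample events are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Assumption: bots talk to the Bot API at api.telegram.org, and only the
# processes below are expected to reach Telegram on this network.
BOT_API_HOST = "api.telegram.org"
EXPECTED_PROCESSES = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample of endpoint network telemetry (not real data).
# Fields: time,host,process_path,dest_host,bytes_out
SAMPLE_EVENTS = """\
2021-08-17T09:00:01,WS-014,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,web.telegram.org,1820
2021-08-17T09:02:13,WS-014,C:\\Users\\ana\\AppData\\Roaming\\updater.exe,api.telegram.org,512
2021-08-17T09:02:45,WS-014,C:\\Users\\ana\\AppData\\Roaming\\updater.exe,API.TELEGRAM.ORG.,48230
2021-08-17T09:05:10,WS-022,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,api.telegram.org,900
2021-08-17T09:07:30,WS-031,C:\\Windows\\System32\\svchost.exe,example.com,300
"""

def normalize_host(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.strip().lower().rstrip(".")

def process_name(path):
    # Telemetry carries Windows paths; split on backslash regardless of OS.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_unexpected_bot_api_clients(log_text):
    """Return {(host, process_path): {"connections": n, "bytes_out": total}}."""
    findings = defaultdict(lambda: {"connections": 0, "bytes_out": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines instead of aborting the hunt
        _, host, path, dest, bytes_out = row
        if normalize_host(dest) != BOT_API_HOST:
            continue
        if process_name(path) in EXPECTED_PROCESSES:
            continue
        entry = findings[(host, path)]
        entry["connections"] += 1
        entry["bytes_out"] += int(bytes_out) if bytes_out.isdigit() else 0
    return dict(findings)

if __name__ == "__main__":
    for (host, path), stats in find_unexpected_bot_api_clients(SAMPLE_EVENTS).items():
        print(f"{host}: {path} -> {BOT_API_HOST} "
              f"({stats['connections']} connections, {stats['bytes_out']} bytes out)")
```

An allowlist keyed on process name alone is a starting point for triage; a renamed binary passes it, so confirm hits against the full path or code signature before closing them.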

Of course, keep in mind that the Horus Eyes RAT is still in use as a stand-alone project. It is free to use for cybercriminals who manage to get their hands on the payload and building toolkit. While threats like this one are popular, they are also very easy to counter – using an up-to-date antivirus tool guarantees that you are safe from this attack. To avoid potential encounters with dangerous malware like the Horus Eyes RAT or the warsaw Banking Trojan, you should also be careful with the files you download. Avoid pirated content and downloads from suspicious sites and emails.

August 17, 2021