Cybersecurity researchers from Cisco Talos have spotted a new hacking campaign they claim is targeting victims’ sensitive data, login credentials, and email inboxes.
Horabot is described as a botnet that has been active for almost two and a half years now (first spotted in November 2020). During that time, it’s mostly been tasked with distributing a banking trojan and spam malware.
Its operators seem to be located in Brazil, while its victims are Spanish-speaking users located mostly in Mexico, Uruguay, Venezuela, Brazil, Panama, Argentina, and Guatemala.
The victims span several industries, including investment firms, wholesale distribution, construction, engineering, and accounting.
The attack starts with an email message carrying a malicious HTML attachment. Ultimately, the victim is urged to download a .RAR archive, which holds the banking trojan.
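The lure described above, an HTML attachment that sends the reader to a .RAR download, is something a mail gateway or triage script can flag before the archive is ever fetched. The following is an added example, not code from Cisco Talos or from the campaign itself; the message, addresses and URL are constructed placeholders.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample (not a real Horabot lure): an HTML attachment whose
# link leads to a .RAR download, the chain the article describes. Placeholders.
SAMPLE_EML = """\
From: facturacion@example.invalid
Subject: Factura pendiente
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="factura.html"
Content-Disposition: attachment; filename="factura.html"

<html><body><a href="https://files.example.invalid/factura.rar?id=1">Descargar</a></body></html>
--b1--
"""

ARCHIVE_EXTS = (".rar", ".zip", ".7z")

class LinkCollector(HTMLParser):
    """Collect every href/src value from an HTML document."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)

def html_attachments(msg):
    """Yield (filename, html_text) for each text/html part delivered as an attachment."""
    for part in msg.walk():
        if part.get_content_type() == "text/html" and part.get_content_disposition() == "attachment":
            yield part.get_filename(), part.get_content()

def suspicious_archive_links(raw_eml):
    """Return [(attachment_name, url)] for links in HTML attachments pointing at an archive."""
    msg = message_from_string(raw_eml, policy=policy.default)
    hits = []
    for name, body in html_attachments(msg):
        collector = LinkCollector()
        collector.feed(body)
        for url in collector.links:
            path = url.split("?", 1)[0].split("#", 1)[0].lower()
            if path.endswith(ARCHIVE_EXTS):
                hits.append((name, url))
    return hits
```

A hit is a triage signal, not proof of infection; the archive itself still needs detonation or static analysis before the message is treated as the banking trojan delivery described here.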
The malware is capable of doing plenty of things: stealing login credentials, logging keystrokes, and grabbing system information. By generating an invisible overlay, it is also capable of grabbing one-time security codes from multi-factor authentication (MFA) apps, essentially bypassing this crucial layer of security.
Also, the trojan can take over the victims’ email accounts, including those from Outlook, Gmail, and Yahoo. The threat actors would then use this access to send spam messages to all of the contacts saved in the inbox, making its distribution and infection chain somewhat random and untargeted. To some extent, the trojan also works as a remote desktop management tool, as it can create and delete directories and files from the victim’s endpoint, the researchers said.
Finally, the tool has several obfuscation and anti-analysis features that stop it from running inside a sandbox environment or alongside a debugging tool, making discovery and subsequent analysis more difficult.