Security researchers have issued a warning over a sophisticated malware botnet that has flown under the radar for more than two years.
Analysis by security firm Cisco Talos also found that organisations across “several business verticals” have been targeted by the botnet since November 2020.
Dubbed ‘Horabot’, the botnet was spotted infecting devices with a banking trojan and spam tools to steal sensitive financial information and assume control of user email accounts to wage phishing attacks.
Users of email services such as Gmail, Yahoo, and Outlook have been impacted by the botnet, with their accounts used to send malicious emails to contacts.
“Horabot enables the threat actor to control the victim’s Outlook mailbox, exfiltrate contacts’ email addresses, and send phishing emails with malicious HTML attachments to all addresses in the victim’s mailbox,” researchers said.
“The banking trojan can collect the victim’s login credentials for various online accounts, operating system information and keystrokes. It also steals one-time security codes or soft tokens from the victim’s online banking applications.”
According to Talos, the botnet has specifically targeted Spanish-speaking users in the Americas, and could be based in Brazil.
Companies operating in the accounting, construction, engineering, and investment sectors are thought to have been particularly targeted by the botnet.
How does Horabot work?
Technical analysis from Cisco Talos revealed that the campaign is a “multi-stage attack chain” beginning with an initial phishing email. This then delivers a malicious payload via a PowerShell downloader script.
“When a victim opens the HTML file attachment, an embedded URL is launched in the victim’s browser, redirecting to another malicious HTML file from an attacker-controlled AWS EC2 instance,” researchers said in a blog post. “The content displayed on the victim’s browser lures them to click an embedded malicious hyperlink which downloads a RAR file.”
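The first stage described above relies on an HTML attachment that navigates the browser to a second page and then offers an archive download. The following PowerShell function is an added example for mail-triage use, not tooling from Cisco Talos or from the campaign: it pulls the navigation targets (meta refresh, script-driven location changes, iframes and anchors) out of an HTML attachment without rendering it, and marks those that fire automatically, that point at an archive, or whose host matches the public EC2 hostname form. The sample HTML and every hostname in it are constructed for illustration.

```powershell
# Added example (not part of the Talos analysis): statically extract where an
# HTML attachment would send the browser. Sample HTML and hosts are constructed.
$sampleHtml = @'
<html><head>
<meta http-equiv="refresh" content="0;url=http://ec2-203-0-113-10.compute-1.amazonaws.com/second.html">
<script>window.location.href = "http://ec2-203-0-113-10.compute-1.amazonaws.com/second.html";</script>
</head><body>
<a href="https://www.example.com/legit">Ver documento</a>
<a href="http://ec2-203-0-113-10.compute-1.amazonaws.com/download/factura.rar">Descargar</a>
</body></html>
'@

function Get-HtmlNavigationTargets {
    param([Parameter(Mandatory)][string]$Html)

    # Regexes for the common ways an HTML file triggers navigation. Single quotes
    # inside the single-quoted strings are doubled, so ["''] is ["'] to the regex.
    $patterns = [ordered]@{
        'meta-refresh'    = '(?is)<meta[^>]*http-equiv\s*=\s*["'']?refresh["'']?[^>]*content\s*=\s*["'']?[^"''>]*?url\s*=\s*([^"''\s>]+)'
        'script-location' = '(?i)(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace\(|\.assign\()?\s*=?\s*["'']([^"'']+)["'']'
        'iframe-src'      = '(?is)<iframe\b[^>]*src\s*=\s*["'']?([^"''\s>]+)'
        'anchor-href'     = '(?is)<a\b[^>]*href\s*=\s*["'']?([^"''\s>]+)'
    }

    foreach ($kind in $patterns.Keys) {
        foreach ($m in [regex]::Matches($Html, $patterns[$kind])) {
            $url = $m.Groups[1].Value
            $uri = $null
            $parsed = [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)
            [PSCustomObject]@{
                Kind      = $kind
                Url       = $url
                Host      = if ($parsed) { $uri.Host } else { '' }
                # meta refresh, script navigation and iframes load with no click
                AutoLoads = $kind -in 'meta-refresh', 'script-location', 'iframe-src'
                # archive downloads are the next hop in the chain described above
                Archive   = $url -match '(?i)\.(rar|zip|7z|iso|img)(\?|$)'
                # public EC2 instance hostname form (ec2-a-b-c-d.<region>.compute.amazonaws.com)
                CloudVm   = if ($parsed) { [bool]($uri.Host -match '(?i)\.compute(-\d+)?\.amazonaws\.com$') } else { $false }
            }
        }
    }
}

Get-HtmlNavigationTargets -Html $sampleHtml | Format-Table -AutoSize
```

Run against the constructed sample, the report lists the two automatic hops to the EC2 hostname and the anchor that ends in a .rar file, while the ordinary example.com link is shown with no flags. Because the function only reads the file as text, it can be pointed at quarantined attachments without executing any script they contain; the regexes are a triage aid and will miss obfuscated or runtime-built URLs.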
This payload was found to create specially crafted Windows shortcut files that run during the startup process of a victim's machine and force it to restart.
Upon reboot, these malicious files enable the attacker to further infect the device.
“After the victim’s machine is rebooted, the malicious Windows startup files run the payloads by sideloading them to the legitimate executables and downloading and executing two other PowerShell scripts from a different attacker-controlled server,” the blog post explained.
“One is the PowerShell downloader script, which the attacker attempts to execute to re-infect the victim’s machine, and another is Horabot.”
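The persistence step described above, a shortcut in a Startup folder that launches a PowerShell downloader or a legitimate executable with a sideloaded DLL, can be checked for directly on a host. The script below is an added example for defenders, not code from Cisco Talos or the campaign: it resolves every .lnk in the per-user and all-users Startup folders and flags those that launch a script host, point into a user-writable directory (listing any DLLs sitting next to the target as sideload candidates), carry encoded, download or hidden-window switches, or point at a path that no longer exists. The list of script hosts and of user-writable locations are assumptions you should tune to your environment.

```powershell
# Added example (not Talos' tooling): audit Startup-folder shortcuts for the
# persistence pattern described above. Script-host and path lists are assumptions.
$scriptHosts  = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                  'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC,
                  "$env:USERPROFILE\Downloads") | Where-Object { $_ }

function Get-StartupShortcutReport {
    param(
        # Defaults to the live per-user and all-users Startup folders; pass
        # -Folders to inspect an offline-mounted profile instead.
        [string[]]$Folders = @(
            [Environment]::GetFolderPath('Startup'),
            [Environment]::GetFolderPath('CommonStartup')
        )
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $Folders) {
        if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk     = $shell.CreateShortcut($_.FullName)   # resolves the .lnk without running it
            $target  = [string]$lnk.TargetPath
            $lnkArgs = [string]$lnk.Arguments
            $reasons = @()
            $sideloadDlls = @()

            $exe = [IO.Path]::GetFileName($target).ToLowerInvariant()
            if ($scriptHosts -contains $exe) { $reasons += "launches script host $exe" }

            foreach ($dir in $userWritable) {
                if ($target -like "$dir\*") {
                    $reasons += "target lives under user-writable path $dir"
                    # DLLs beside a legitimate executable in a writable folder are sideload candidates
                    $targetDir = [IO.Path]::GetDirectoryName($target)
                    if ($targetDir -and (Test-Path -LiteralPath $targetDir)) {
                        $sideloadDlls = Get-ChildItem -LiteralPath $targetDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
                                        Select-Object -ExpandProperty Name
                    }
                    break
                }
            }

            if ($lnkArgs -match '(?i)(^|\s)-(e|ec|enc|encodedcommand)\s|downloadstring|downloadfile|\biex\b|invoke-expression|-w(indowstyle)?\s+hidden') {
                $reasons += 'arguments contain encoded, download or hidden-window switches'
            }
            if ($target -and -not (Test-Path -LiteralPath $target)) { $reasons += 'target path does not exist' }

            [PSCustomObject]@{
                Shortcut     = $_.FullName
                Target       = $target
                Arguments    = $lnkArgs
                Created      = $_.CreationTime
                SideloadDlls = ($sideloadDlls -join ', ')
                Flags        = ($reasons -join '; ')
            }
        }
    }
}

# Show only shortcuts that tripped at least one check
Get-StartupShortcutReport | Where-Object { $_.Flags } | Format-List
```

Shortcut creation time next to the flags helps line the finding up with the reboot the text mentions, and the SideloadDlls column is where a legitimate executable copied into a user-writable folder with an attacker DLL beside it shows up. The check runs as whoever invokes it, so run it as the affected user (or against that user's mounted profile) to see the per-user Startup folder.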
Analysis of the banking trojan
Analysis from Talos found that the banking trojan used in this campaign specifically targets the victim’s login credentials and financial information.
This trojan enables the attacker to monitor activity on a victim’s device by collecting system information such as hostnames, IPv4 addresses, OS version information, and insights on anti-virus software present on the machine.
Data gathered by the trojan is then extracted to an attacker-controlled server, researchers added.
“The reconnaissance data is exfiltrated to the attacker-controlled server through an HTTP POST request,” Talos explained. “The banking trojan targets the victim’s sensitive information, such as login credentials and financial transaction security codes, and logs keystrokes and manipulates the victim machine’s clipboard data.
“The trojan also has anti-analysis and anti-detection capabilities to evade the sandbox and virtual environments.”
Phishing spam tool
The second element of this botnet campaign involves the use of a spam tool, researchers explained. This acts as a secondary payload during the attack and enables the threat actor to assume control of the victim’s email accounts.
“The spam tool is a 32-bit DLL written in Delphi and, when run on the victim’s machine, will attempt to compromise the victim’s login credentials for webmail services such as Yahoo, Gmail, and Hotmail,” Cisco analysts explained.
Once user credentials have been compromised, this tool takes “full control” of the account and begins creating and circulating spam emails to contacts found in the victim’s mailbox.
This spambot also displayed “information-stealing capabilities”, including the ability to log keystrokes, capture screenshots, and track mouse activity on an infected computer.
Ross Kelly is a staff writer at ITPro, ChannelPro, and CloudPro, with a keen interest in cyber security, business leadership and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
In his spare time, Ross enjoys cycling, walking and is an avid reader of history and non-fiction.