Horabot Campaign Targets Spanish-Speaking Users in the Americas

A new cyberthreat campaign named “Horabot” has been spotted by cybersecurity firm Cisco Talos and targets Spanish-speaking users in the Americas.

Horabot, a botnet program, has been active since November 2020 and is responsible for distributing banking Trojans and spam tools. According to an advisory published today by Cisco Talos, the actor behind this campaign is believed to be located in Brazil.

Chetan Raghuprasad, a cyberthreat researcher at Cisco Talos, explained that the main target of the attack was Spanish-speaking users in Mexico. However, cases have also been reported in Uruguay, Brazil, Venezuela, Argentina, Guatemala and Panama.

Several industries have been affected, including accounting, construction, engineering, wholesale distribution and investment firms.

Raghuprasad explained that the campaign follows a multi-stage attack chain, starting with a Spanish-language phishing email masquerading as a tax notice.


When the victim opens the attached HTML file, it redirects to another malicious HTML file hosted on an attacker-controlled Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance. This file forces the victim to download a RAR file, which initiates the payload delivery process.
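A triage sketch for the delivery step described above, added here as an example and not taken from Cisco Talos or the original article: it lists the HTML attachments in a message that navigate to a remote URL as soon as they are opened. The redirect idioms matched (meta refresh, script `location` assignment), the function names and the sample message are assumptions; the article does not say which mechanism the campaign uses.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Auto-navigation idioms checked here (assumed, not stated in the article).
META_URL = re.compile(r'url\s*=\s*["\']?\s*(https?://[^"\'\s;]+)', re.I)
JS_REDIRECT = re.compile(r'location(?:\.href)?\s*=\s*["\'](https?://[^"\']+)', re.I)

class RedirectFinder(HTMLParser):
    """Collects URLs an HTML document navigates to without user action."""
    def __init__(self):
        super().__init__()
        self.targets, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.targets += META_URL.findall(a.get("content") or "")
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # only inspect script bodies, not visible text
            self.targets += JS_REDIRECT.findall(data)

def redirecting_html_attachments(raw_eml: bytes):
    """Return (filename, url, host) for each auto-redirect in an HTML attachment."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/html" and not name.endswith((".html", ".htm")):
            continue
        finder = RedirectFinder()
        finder.feed((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
        finder.close()
        hits += [(name, url, urlparse(url).hostname) for url in finder.targets]
    return hits

def constructed_sample() -> bytes:
    """Constructed test message; the host is a placeholder, not an IOC."""
    html = ('<html><head><meta http-equiv="refresh" content="0; url=http://stage2.example.invalid/a.html">'
            '</head><body><script>location.href = "http://stage2.example.invalid/b.html";</script></body></html>')
    m = EmailMessage()
    m.set_content("See attachment.")
    m.add_attachment(html, subtype="html", filename="notice.html")
    return m.as_bytes()
```

The returned hosts can then be compared against the IOC list in the Cisco Talos advisory.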

Once installed, the banking Trojan can steal the victim’s login credentials, operating system information, and keystrokes. It can also capture one-time security codes from the victim’s online banking applications.

Additionally, the spam tools can compromise webmail accounts such as Yahoo, Gmail, and Outlook, allowing attackers to control mailboxes, steal contact email addresses, and send spam emails.

The Cisco Talos Advisory contains a comprehensive list of the Horabot threat indicators of compromise (IOCs) and detailed guidelines to help organizations protect themselves from this malware and mitigate its potential impact.

The publication of the document comes months after the Chinese state-sponsored threat actor DEV-0147 was discovered targeting South American diplomatic institutions.
