Image: Brett Jordan (unsplash)
An unseen campaign involving the Hotabot botnet malware has been impacting Spanish-speaking users in Latin America since at least November 2020, subjecting them to a banking trojan and spam tool.
This malware permits its operators to seize control of the victim’s Gmail, Outlook, Hotmail, or Yahoo email accounts, pilfer email data and 2FA codes from the inbox, and distribute phishing emails via the breached accounts.
Cisco Talos analysts unearthed this fresh Horabot operation, suggesting the probable threat actor to be Brazil-based.
The infection chain of several stages kickstarts with a tax-themed phishing email addressed to the intended victim, containing an HTML attachment that pretends to be a payment receipt.
The HTML’s activation triggers a URL redirection chain, which transports the victim to an HTML page maintained on an attacker-controlled AWS instance.
The victim engages with a hyperlink on the page, downloading a RAR archive housing a batch file with a CMD extension, responsible for downloading a PowerShell script. This script retrieves trojan DLLs and a set of legitimate executables from the C2 server.
These trojans initiate to obtain the final two payloads from a separate C2 server. One payload is a PowerShell downloader script, and the other is the Horabot binary.
The banking trojan is represented by one of the DLL files in the downloaded ZIP, “jli.dll,” which is sideloaded by the “kinit.exe” executable, and is programmed in Delphi.
It seeks out system info (language, disk size, antivirus software, hostname, OS version, IP address), user credentials, and activity data.
Additionally, the trojan provides its operators with remote access capabilities, such as performing file actions and abilities to perform keylogging, screenshot snapping, and mouse event tracking.
When an application is opened by the victim, the trojan superimposes a counterfeit window over it to deceive victims into inputting sensitive information like online banking account credentials or one-time codes.
All gathered information from the victim’s computer is transported to the attacker’s command and control server via HTTP POST requests.
Cisco elucidates that the trojan possesses several in-built anti-analysis mechanisms to inhibit its operation in sandboxes or with debuggers.
The ZIP archive also comprises an encrypted spam tool DLL termed “_upyqta2_J.mdat,” crafted to usurp credentials for popular webmail services such as Gmail, Hotmail, and Yahoo.
Upon compromising the credentials, the tool seizes the victim’s email account, fabricates spam emails, and distributes them to the contacts located in the victim’s mailbox, thereby disseminating the infection somewhat randomly.
This tool also comes equipped with keylogging, screenshot snapping, and mouse event interception or tracking capabilities, functionally mirroring the banking trojan, perhaps for redundancy.
The principal payload deposited onto the victim’s system is Horabot, a well-known PowerShell-based botnet that targets the victim’s Outlook mailboxes to pilfer contacts and disseminate phishing emails containing malicious HTML attachments.
This malware activates the victim’s desktop Outlook application to examine the address book and contacts from the mailbox contents.
Cisco explains in their report that, “upon initialization, the script scrutinizes the Outlook data files from the victim profile’s Outlook application data folder, enumerates all folders and emails in the victim’s Outlook data file, and extracts email addresses from the emails’ sender, recipients, CC, and BCC fields.”
All extracted email addresses are recorded into an “.Outlook” file and subsequently encoded and exfiltrated to the C2 server.
In the end, the malware fabricates an HTML file locally, fills it with content duplicated from an external resource, and sends phishing emails to all extracted email addresses individually.
Following the completion of the phishing email distribution process, locally created files and folders are purged to eradicate any traces.
Despite this Horabot campaign predominantly targeting users in Mexico, Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama, identical or collaborating threat actors may extend its influence to other markets at any time, employing phishing themes written in English.