Full Report
Cybersecurity researchers have discovered a new phishing campaign that's being used to distribute malware called Horabot targeting Windows users in Latin American countries like Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. The campaign is "using crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments and can steal email
Analysis Summary
# Tool/Technique: Horabot Malware
## Overview
Horabot is a malware family primarily targeting Windows users in Latin American countries (including Mexico, Guatemala, Colombia, Peru, Chile, and Argentina) via invoice-themed phishing campaigns. Its goal is to steal email credentials, harvest contact lists, install banking trojans, and spread laterally within targeted networks.
## Technical Details
- Type: Malware family
- Platform: Windows
- Capabilities: Phishing delivery, credential theft (email/browser), contact list harvesting, banking trojan installation, lateral email propagation, system reconnaissance.
- First Seen: First documented in June 2023 (activity observed since at least November 2020).
## MITRE ATT&CK Mapping
*NOTE: Specific attack staging is inferred from the description. A full mapping would require more granular analysis of the VBScript/AutoIt execution.*
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (via PowerShell)
- T1059.005 - Visual Basic
- T1082 - System Information Discovery
- T1003 - OS Credential Dumping
- T1003.001 - LSASS Memory (Potential, often coupled with banking trojans accessing credentials)
- T1555 - Credentials from Password Stores
- T1555.003 - Browser Session
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (C2 communication)
- T1105 - Ingress Tool Transfer
## Functionality
### Core Capabilities
- **Delivery Mechanism:** Uses invoice-themed phishing emails containing ZIP archives, which conceal a malicious HTML file (Base64-encoded).
- **Staging:** The HTML file contacts a remote server to download a secondary ZIP archive containing an HTML Application (HTA) file.
- **Execution:** The HTA loads a script that subsequently injects a VBScript.
- **Evasion:** The VBScript performs checks to terminate if Avast antivirus is detected or if the environment is a known virtual machine.
- **Data Theft:** Steals browser data from Brave, Yandex, Epic Privacy Browser, Comodo Dragon, Cent Browser, Opera, Microsoft Edge, and Google Chrome.
- **Credential Capture:** Injects fake pop-up windows to capture sensitive user login credentials.
### Advanced Features
- **Lateral Movement:** Utilizes Outlook COM automation to send phishing messages from compromised user mailboxes, aiding propagation within networks.
- **Payload Delivery:** Uses AutoIt scripts, often facilitated by a malicious DLL, to drop and execute a banking trojan payload.
- **Reconnaissance:** Executes VBScript, AutoIt, and PowerShell scripts for system information gathering.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: Malicious ZIP archives, PDF documents (lures), HTML files, HTA files, VBScript scripts, AutoIt scripts, PowerShell scripts.
- Registry Keys: [Not provided in context]
- Network Indicators: Remote servers used for downloading secondary payloads and exfiltrating system information / stolen data (defanged examples: `hxxp://[malicious-server]/payload1`, `hxxp://[exfil-server]/status`).
- Behavioral Indicators: Execution chains involving HTML -> HTA -> VBScript -> AutoIt/PowerShell. Detection of Outlook COM automation abuse for sending unsolicited emails. System checks for AV/VMs.
## Associated Threat Actors
- Threat actor assessed to be from Brazil (based on previous reporting context).
## Detection Methods
- Signature-based detection: Signatures for known Horabot file hashes or static code patterns within the scripts.
- Behavioral detection: Monitoring for chains of execution starting from email attachments that lead to script execution (HTA/VBS) and subsequent attempts to communicate with external servers for payload staging or data exfiltration.
- YARA rules: Applicable for identifying known obfuscated strings or structural elements within the downloader scripts.
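The behavioral indicator described above (HTML -> HTA -> VBScript -> AutoIt/PowerShell) turned into detection logic, as an added example that is not part of the original report: it walks process-creation parent/child lineage and flags any process whose ancestry passes through an HTA host, then a VBScript host, then AutoIt or PowerShell. The image names, PIDs and sample events are constructed assumptions, and the check does not cover the Outlook COM automation abuse, which needs mailbox or API telemetry rather than process lineage.

```python
"""Flag the Horabot-style HTA -> VBScript -> AutoIt/PowerShell chain in process-creation telemetry."""
from collections import namedtuple
from typing import Dict, List

# Interpreters for each stage of the chain described in the report (lowercase image names).
CHAIN_STAGES = [
    {"mshta.exe"},                      # HTA stage
    {"wscript.exe", "cscript.exe"},     # VBScript stage
    {"autoit3.exe", "powershell.exe"},  # AutoIt / PowerShell stage
]

# One process-creation event: process id, parent process id, executable file name.
ProcEvent = namedtuple("ProcEvent", "pid ppid image")

def lineage(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 32) -> List[str]:
    """Image names from the given process up through its ancestors (child first)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def is_horabot_chain(child_first: List[str]) -> bool:
    """True if every stage occurs in order from root to child; unrelated hops
    in between (e.g. an intermediate cmd.exe) are ignored."""
    stage = 0
    for image in reversed(child_first):
        if stage < len(CHAIN_STAGES) and image in CHAIN_STAGES[stage]:
            stage += 1
    return stage == len(CHAIN_STAGES)

def find_suspicious(events: List[ProcEvent]) -> List[int]:
    """PIDs whose ancestry matches the full chain, sorted ascending."""
    by_pid = {e.pid: e for e in events}
    return sorted(p for p in by_pid if is_horabot_chain(lineage(by_pid, p)))

# Constructed sample telemetry (not real): one infected chain plus benign script use.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "outlook.exe"),
    ProcEvent(300, 200, "mshta.exe"),       # HTA opened from the mail client
    ProcEvent(400, 300, "cmd.exe"),
    ProcEvent(500, 400, "wscript.exe"),     # VBScript stage
    ProcEvent(600, 500, "autoit3.exe"),     # AutoIt payload dropper
    ProcEvent(700, 500, "powershell.exe"),  # reconnaissance script
    ProcEvent(900, 100, "wscript.exe"),     # benign: logon script, no HTA above
    ProcEvent(910, 900, "powershell.exe"),
]
```

Running `find_suspicious(SAMPLE_EVENTS)` flags only the AutoIt and PowerShell children of the HTA-launched VBScript host (PIDs 600 and 700); the logon-script case is not flagged because no HTA host sits above it.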
## Mitigation Strategies
- **Email Filtering:** Deploy enhanced filters to block emails containing ZIP archives with executable content or suspicious file types (HTML, HTA).
- **Macro/Script Security:** Restrict execution of scripts from untrusted locations, particularly VBScript and HTA files downloaded via web/email.
- **Application Control:** Limit the use of PowerShell and VBScript execution for non-standard system administration tasks.
- **Outlook Hardening:** Restrict or monitor COM object usage within Microsoft Office applications to prevent unauthorized external access or scripting.
- **Antivirus/EDR:** Ensure endpoint protection is updated to detect the antivirus (Avast) and virtual-machine checks the VBScript performs, as well as the associated payloads (including the banking trojan).
## Related Tools/Techniques
- Prior campaigns targeting Latin America with similar phishing methodologies (mentioned in the context regarding Trustwave SpiderLabs findings).
- General banking trojans typically associated with this level of credential harvesting.