Kaspersky SOC uncovered and analyzed a complex Horabot campaign in Mexico. In this article we share insights into how it is unleashed and how to hunt for this threat.
# Incident Report: Horabot Campaign in Mexico
## Executive Summary
The Kaspersky SOC identified a complex, multi-stage malware campaign dubbed "Horabot" targeting organizations primarily in Mexico. The attack uses sophisticated phishing lures to deliver a banking Trojan and a spam tool capable of compromising Outlook accounts to further propagate the infection. The campaign's primary goals are financial theft via credential harvesting and infrastructure expansion through lateral movement across email contacts.
## Incident Details
- **Discovery Date:** Late 2022 / Early 2023
- **Incident Date:** Ongoing (Active campaign)
- **Affected Organization:** Multiple undisclosed entities
- **Sector:** Various (lures built on tax and legal themes)
- **Geography:** Mexico (Primary), with minor activity in Brazil and Argentina
## Timeline of Events
### Initial Access
- **Date/Time:** No single timestamp; delivery arrives in scheduled phishing waves.
- **Vector:** Phishing emails (Malspam).
- **Details:** Attackers send emails masquerading as tax receipts or legal notifications from Mexican government agencies (e.g., SAT). These emails contain an HTML file or a link to a ZIP archive hosted on compromised legitimate sites.
### Lateral Movement
- **Technique:** Email-based lateral movement.
- **Details:** Once Horabot (a PowerShell-based tool) is executed, it gains control over the victim's Microsoft Outlook. It uses the victim's own account and contact list to send more phishing emails, effectively moving "laterally" to trusted external partners and internal colleagues.
### Data Exfiltration/Impact
- **Details:** The primary exfiltration involves harvesting online banking credentials, one-time passwords (OTPs), and system metadata. The malware also steals entire contact lists from Outlook to fuel future spam campaigns.
### Detection & Response
- **Discovery:** Kaspersky SOC detected unusual PowerShell activity and unauthorized Outlook automation on client endpoints.
- **Response:** Analysts tracked the C2 infrastructure, identified the multi-stage payload delivery (DLL side-loading), and pushed detection signatures to endpoint protection platforms.
## Attack Methodology
- **Initial Access:** Social engineering via thematic phishing emails.
- **Persistence:** Use of `LNK` files in the Startup folder and Registry Run keys.
- **Privilege Escalation:** Not explicitly detailed; where elevation is needed, it relies on the user accepting administrative prompts presented through social engineering.
- **Defense Evasion:** Use of DLL Side-Loading (loading a malicious DLL via a legitimate signed executable), naming malicious processes after legitimate Windows services, and code obfuscation.
- **Credential Access:** Keylogging and overlay windows (pop-up screens) designed to mimic banking login portals.
- **Discovery:** Use of built-in Windows commands to identify system info, installed antivirus, and network configuration.
- **Lateral Movement:** Automated Outlook mail distribution targeting the victim's address book.
- **Collection:** Automated harvesting of email addresses and browser-stored data.
- **Exfiltration:** Data is sent back to C2 servers via HTTP/HTTPS POST requests.
- **Impact:** Financial fraud via hijacked bank accounts and unauthorized use of corporate mail infrastructure.
## Impact Assessment
- **Financial:** High potential for loss due to direct banking credential theft.
- **Data Breach:** High. Exposure of contact lists, private emails, and financial credentials.
- **Operational:** Moderate. Significant mail server load and potential blacklisting of the organization's domain due to outgoing spam.
- **Reputational:** High. The organization appears as the sender of malicious phishing emails to its customers and partners.
## Indicators of Compromise
- **Network Indicators:**
  - `hxxp[:]//185[.]216[.]70[.]20/`
  - `hxxps[:]//setic[.]com[.]br/` (Compromised legitimate site used for hosting)
- **File Indicators:**
  - `7086888636ecc3682970725c572007d4` (MD5 of main payload)
  - `Factura_Digital.zip` / `Documento_SAT.html`
- **Behavioral Indicators:**
  - `powershell.exe` executing scripts from `AppData\Local\Temp`.
  - `outlook.exe` being automated via COM objects by suspicious child processes.
## Response Actions
- **Containment:** Blocked known C2 IP addresses and URLs at the perimeter firewall. Revoked compromised Outlook session tokens.
- **Eradication:** Deleted malicious scheduled tasks, registry keys, and Startup folder `LNK` files.
- **Recovery:** Forced password resets for affected users and implemented Multifactor Authentication (MFA) where missing.
## Lessons Learned
- **Email Trust:** Attackers are successfully leveraging the reputation of compromised accounts to bypass traditional spam filters.
- **Tooling:** The reliance on PowerShell script-based modularity allows the threat actor to change payloads (e.g., switching from a banker to a clipper) with minimal effort.
## Recommendations
- **Technical:** Implement PowerShell "Constrained Language Mode" and monitor for unusual Outlook COM object calls.
- **Process:** Enable robust MFA (non-SMS based) for all corporate and financial accounts.
- **Education:** Conduct specific phishing simulations focused on "Tax/SAT" themes for employees in accounting and legal departments.
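Detection logic for the two behavioral indicators listed under Indicators of Compromise and for the recommendation above to monitor unusual Outlook COM object calls, written as an added Python example that is not part of the Kaspersky report. The telemetry records, field names, user names and paths are constructed; the `-Embedding` check relies on the switch COM appends when it launches a local server on a caller's behalf, which is a Windows behaviour independent of this campaign.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (EID 1 = process creation,
# EID 4104 = PowerShell script block). Field names and paths are assumptions.
EVENTS = [
    {"eid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "text": r'powershell.exe -w hidden -ep bypass -f "C:\Users\ana\AppData\Local\Temp\inst.ps1"'},
    {"eid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent": r"C:\Windows\System32\svchost.exe",
     "text": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" -Embedding'},
    {"eid": 4104, "image": "powershell.exe", "parent": "",
     "text": "$ol = New-Object -ComObject Outlook.Application; $ns = $ol.GetNamespace('MAPI')"},
    {"eid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Vendor\Agent.exe",
     "text": r"powershell.exe -f C:\ProgramData\Vendor\inventory.ps1"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Indicator 1: a script file launched from the per-user temp directory.
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"']+\.(?:ps1|vbs|js|bat|cmd)", re.I)
# Indicator 2: script text instantiating the Outlook automation object.
OUTLOOK_COM = re.compile(r"(?:-ComObject\s+|CreateObject\s*\(\s*[\"'])Outlook\.Application", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, evidence) tuples for every event matching a Horabot indicator."""
    alerts = []
    for ev in events:
        host, text = image_name(ev["image"]), ev["text"]
        if host in SCRIPT_HOSTS:
            m = TEMP_SCRIPT.search(text)
            if m:
                alerts.append(("script_from_user_temp", m.group(0)))
            if OUTLOOK_COM.search(text):
                alerts.append(("outlook_com_from_script_host", host))
        # COM appends -Embedding when it starts a local server for a caller; Outlook
        # started this way rather than by the user correlates with the alerts above.
        if host == "outlook.exe" and ev["eid"] == 1 and "-Embedding" in text:
            alerts.append(("outlook_started_as_com_server", image_name(ev["parent"])))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule}: {evidence}")
```

The vendor inventory script in the last record runs from `ProgramData`, not the user's temp directory, and therefore produces no alert; a single match of any rule is a triage lead, while a script-host alert followed by Outlook starting as a COM server on the same host is the combination this campaign produces.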