New Horabot Campaign Takes Over Victim’s Gmail, Outlook Accounts

Cyber Security Threat Summary:
“A previously unknown campaign involving the Horabot botnet malware has targeted Spanish-speaking users in Latin America since at least November 2020, infecting them with a banking trojan and spam tool. The malware enables the operators to take control of the victim's Gmail, Outlook, Hotmail, or Yahoo email accounts, steal email data and 2FA codes arriving in the inbox, and send phishing emails from the compromised accounts. The new Horabot operation was discovered by analysts at Cisco Talos, who report that the threat actor behind it is likely based in Brazil. The multi-stage infection chain begins with a tax-themed phishing email sent to the target, with an HTML attachment that is supposedly a payment receipt. Opening the HTML launches a URL redirection chain that lands the victim on an HTML page hosted on an attacker-controlled AWS instance. The victim clicks on the hyperlink on the page and downloads a RAR archive that contains a batch file with a CMD extension, which downloads a PowerShell script that fetches trojan DLLs and a set of legitimate executables from the C2 server. These trojans execute to fetch the final two payloads from a different C2 server. One is a PowerShell downloader script, and the other is the Horabot binary. One of the DLL files in the downloaded ZIP, "jli.dll," which is sideloaded by the "kinit.exe" executable, is a banking trojan written in Delphi. It targets system info (language, disk size, antivirus software, hostname, OS version, IP address), user credentials, and activity data. Moreover, the trojan also offers its operators remote access capabilities like performing file actions and can also conduct keylogging, screenshot snapping, and mouse event tracking. When the victim opens an application, the trojan overlays a fake window on top of it to trick victims into entering sensitive data like online banking account credentials or one-time codes.
All information collected from the victim's computer is sent to the attacker's command and control server via HTTP POST requests” (BleepingComputer, 2023).

Security Officer Comments:
“Cisco explains that the trojan has several built-in anti-analysis mechanisms to prevent it from running in sandboxes or alongside debuggers. The ZIP archive also contains an encrypted spam tool DLL named "_upyqta2_J.mdat," designed to steal credentials for popular webmail services like Gmail, Hotmail, and Yahoo. Once the credentials are compromised, the tool takes over the victim's email account, generates spam emails, and sends them to the contacts found in the victim's mailbox, furthering the infection somewhat randomly. This tool also features keylogging, screenshot snapping, and mouse event interception or tracking capabilities, functionally overlapping with the banking trojan, possibly for redundancy. The primary payload dropped onto the victim's system is Horabot, a documented PowerShell-based botnet that targets the victim's Outlook mailboxes to steal contacts and disseminate phishing emails containing malicious HTML attachments. The malware launches the victim's desktop Outlook application to scrutinize the address book and contacts from the mailbox contents. "After initialization, the [Horabot] script looks for the Outlook data files from the victim profile's Outlook application data folder," explains Cisco in the report. "It enumerates all folders and emails in the victim's Outlook data file and extracts email addresses from the emails' sender, recipients, CC, and BCC fields."” (BleepingComputer, 2023).

Suggested Correction(s):
Although this Horabot campaign mainly targets users in Mexico, Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama, the same or collaborating threat actors could expand the campaign's reach to other markets at any time, using phishing themes written in English.

Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask their customers for sensitive data. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering over it might reveal a different web address. In fact, users should avoid clicking links in emails unless they are certain that the link is legitimate.

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double-check with the company if they are uncertain about the status of their accounts.

Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.

If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.
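Three of the checks above (a display name that names a domain other than the sending domain, link text that shows one address while the href leads elsewhere, and the HTML attachment that this campaign uses as its first stage) can be automated. The script below is an added example, not code from the BleepingComputer report or the Cisco Talos analysis; the message it parses is constructed, and every address, domain and file name in it is a placeholder.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (placeholders only): the display name and the link text
# claim a tax-agency domain, but the real sender, href and attachment differ.
SAMPLE_EML = b"""From: "Tax Agency - tax-agency.example" <noreply@notices.example.net>
Subject: Payment receipt
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Receipt: <a href="https://download.example.net/r">https://www.tax-agency.example/receipt</a></p>
--b1
Content-Type: text/html; name="receipt.html"
Content-Disposition: attachment; filename="receipt.html"

<html><body>placeholder</body></html>
--b1--
"""
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Good enough for the sample; a production tool would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def hostname(value):
    """Hostname of a URL or bare domain, lower-cased, without a leading 'www.'."""
    host = (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def analyze(raw):
    """Return the red flags found in one raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    # 1. A domain inside the display name that differs from the sending domain.
    display, addr = parseaddr(str(msg["From"] or ""))
    sender = hostname(addr.rpartition("@")[2])
    for claimed in DOMAIN_RE.findall(display):
        if hostname(claimed) != sender:
            flags.append(f"display name claims {claimed}, sender is {sender}")
    # 2. Link text that shows one address while the href leads somewhere else.
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        if DOMAIN_RE.search(text) and hostname(text) != hostname(href):
            flags.append(f"link text {text.strip()} leads to {hostname(href)}")
    # 3. An HTML attachment, the lure used as this campaign's first stage.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".htm", ".html")):
            flags.append(f"HTML attachment {name}")
    return flags
```

Running `analyze(SAMPLE_EML)` reports all three flags for the constructed message and returns an empty list for a plain-text message whose sender and links are consistent.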

Link(s):
https://www.bleepingcomputer.com/