Horabot Campaign Targets Spanish-Speaking Users in the Americas

A new cyber threat campaign named “Horabot” has been discovered by cybersecurity firm Cisco Talos targeting Spanish-speaking users in the Americas.

Horabot, botnet software active since November 2020, is responsible for distributing a banking Trojan and a spam tool. According to an advisory published by Cisco Talos earlier today, the threat actor behind the campaign is believed to be located in Brazil.

Chetan Raghuprasad, a cyber threat researcher at Cisco Talos, explained that the primary focus of the attacks had been Spanish-speaking users in Mexico. However, infections have also been reported in Uruguay, Brazil, Venezuela, Argentina, Guatemala and Panama. 

Several business verticals, including accounting, construction, engineering, wholesale distribution and investment firms, have been affected. 

Raghuprasad explained that the campaign follows a multi-stage attack chain that begins with a phishing email in Spanish disguised as a tax receipt notification. 

When victims open the attached HTML file, they are redirected to another malicious HTML file hosted on an Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance controlled by the attacker. This file entices victims to download a RAR file, initiating the payload delivery process.
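The lure chain described above, turned into a mail-gateway triage check: pull the HTML attachments out of a message and flag the two traits the article attributes to the first stage, a client-side redirect to an external page and a link to an archive download. This is an added example, not code from the Cisco Talos advisory or from this article; the sample message, sender addresses and the hostname are constructed placeholders.

```python
"""Triage check for an HTML attachment that only redirects the reader to an
attacker-hosted page offering an archive (the first Horabot stage described above).
The sample message below is constructed; all names and hosts are placeholders."""
import email
import re
from email import policy

REDIRECT_PATTERNS = [
    # <meta http-equiv="refresh" content="0;url=https://...">
    re.compile(r'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I),
    # window.location = "..."  /  location.href = "..."
    re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I),
    # location.replace("...")
    re.compile(r'location\.replace\(\s*["\']([^"\']+)', re.I),
]
ARCHIVE_RE = re.compile(r'https?://[^\s"\'<>]+\.(?:rar|zip|7z)\b', re.I)

def html_attachment_findings(html: str) -> list[str]:
    """Return human-readable findings for one HTML attachment body."""
    findings = [f"redirect to {url}" for pat in REDIRECT_PATTERNS for url in pat.findall(html)]
    findings += [f"archive download {url}" for url in ARCHIVE_RE.findall(html)]
    return findings

def triage_eml(raw: bytes) -> dict[str, list[str]]:
    """Map each HTML attachment filename in a raw RFC 822 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            body = part.get_content()
            if isinstance(body, bytes):           # non-text MIME type carrying HTML
                body = body.decode("utf-8", "replace")
            results[name] = html_attachment_findings(body)
    return results

# Constructed sample: Spanish "tax receipt" lure whose HTML attachment bounces
# the reader to a placeholder host and offers a RAR file there.
SAMPLE_EML = b"""From: facturacion@example.invalid
To: contabilidad@example.invalid
Subject: Comprobante fiscal digital
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Adjunto su comprobante fiscal.
--b1
Content-Type: text/html; charset="utf-8"; name="comprobante.html"
Content-Disposition: attachment; filename="comprobante.html"

<html><head><meta http-equiv="refresh" content="0;url=https://ec2-placeholder.example.invalid/facturas/"></head>
<body><a href="https://ec2-placeholder.example.invalid/facturas/comprobante.rar">Descargar</a></body></html>
--b1--
"""

if __name__ == "__main__":
    for filename, hits in triage_eml(SAMPLE_EML).items():
        print(filename, hits)
```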

Once installed, the banking Trojan can steal victims’ login credentials, operating system information and keystrokes. It can also obtain one-time security codes from online banking applications. 

Additionally, the spam tool can compromise webmail accounts such as Yahoo, Gmail and Outlook, enabling the attacker to control mailboxes, exfiltrate contacts’ email addresses and send spam emails.

The Cisco Talos advisory includes a comprehensive list of indicators of compromise (IOCs) for the Horabot threat, along with detailed guidelines to help organizations protect themselves against this malware and mitigate its potential impact.

Its publication comes months after the Chinese state-sponsored threat actor DEV-0147 was spotted targeting diplomatic entities in South America.
