Horabot - Unpacking a New Threat Campaign in Mexico

What Happened

Kaspersky's SOC team has uncovered a sophisticated malware campaign known as Horabot operating in Mexico. This campaign is notable for its use of a banking Trojan combined with a complex attack chain. It all began with a suspicious alert in a client's environment, which led Kaspersky's team to investigate the underlying tradecraft. The analysis revealed a series of malicious activities starting from a fake CAPTCHA page designed to lure victims into executing harmful commands.

Who's Behind It

The Horabot campaign is characterized by its multi-stage attack strategy. Initially, victims are directed to a fake CAPTCHA page that prompts them to run a malicious command. This command retrieves an HTA file that acts as a loader, pulling in additional malicious scripts from attacker-controlled domains. The attackers leverage server-side polymorphism, ensuring that each access to their resources yields slightly different code, complicating detection efforts.

Tactics & Techniques

The attack unfolds in several stages. After the initial lure, the malware dynamically injects scripts into the victim's environment, gathering sensitive information and executing commands. A significant aspect of this campaign is the use of AutoIT components, which are designed to execute complex routines, including the retrieval of a Delphi-based banking Trojan. This Trojan is capable of harvesting credentials and sending sensitive data back to the attackers.

Defensive Measures

Organizations should be vigilant and implement robust security measures to combat such threats. Regularly updating security software, conducting employee training on recognizing phishing attempts, and monitoring network traffic for unusual activities are essential steps. Additionally, employing threat hunting techniques can help identify and mitigate risks associated with campaigns like Horabot before they escalate.