Horabot is a new PowerShell-based Outlook phishing botnet that delivers a Delphi-based banking trojan and a spam tool, active since 2020 and targeting Spanish-speaking users in the Americas. The campaign uses multi-stage phishing to propagate by compromising mailboxes, exfiltrating contacts, and sending more phishing emails, often via AWS/VPS infrastructure and lookalike domains. #Horabot #DelphiTrojanBanking
Keypoints
- The Horabot campaign delivers a banking trojan and a spam tool through a previously unidentified botnet, active since at least November 2020.
- Targets are primarily Spanish-speaking users in the Americas, with Mexico being a major focus and indications the operator may be based in Brazil.
- Horabot can control Outlook mailboxes, exfiltrate contacts’ addresses, and send phishing emails with malicious HTML attachments to all addresses in the mailbox.
- The banking trojan steals credentials, OS information, keystrokes, and one-time security codes, and it can reinstall itself via a PowerShell-based downloader and DLL sideloading.
- The spam tool compromises Yahoo, Gmail, and Outlook webmail accounts to exfiltrate contacts and send spam, with information-stealing capabilities.
- The campaign uses multi-stage infection (phishing email → PowerShell downloader → ZIP payloads) and infrastructure that includes AWS EC2 and VPS servers, with lookalike domains to evade detection.
- Infections are tied to multiple verticals (accounting, construction, engineering, etc.), and Horabot is used to propagate phishing to victims’ contacts, expanding reach across industries.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The infection begins with an income tax-themed phishing email in Spanish that poses as a tax receipt notification and lures the recipient into opening the attached malicious HTML file. ‘The infection starts with an income tax-themed phishing email written in Spanish, disguising itself as a tax receipt notification and enticing users to open the attached malicious HTML file.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – A batch file fetches the PowerShell downloader script from an attacker-controlled server and runs it with PowerShell commands. ‘The batch file downloads the PowerShell downloader script from an attacker-controlled server and executes it through the PowerShell commands.’
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – After reboot, the startup files sideload DLLs into legitimate executables to run the payloads. ‘the malicious Windows startup files run the payloads by sideloading them to the legitimate executables.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The attacker places Windows shortcut files in the Startup folder so the payloads execute at logon. ‘creates two Windows shortcut files in the Windows startup folder …’
- [T1114] Email Collection – Horabot can control the victim’s Outlook mailbox and exfiltrate contacts’ email addresses. ‘control the victim’s Outlook mailbox, exfiltrate contacts’ email addresses, and send phishing emails with malicious HTML attachments to all addresses in the victim’s mailbox.’
- [T1056.001] Keylogging – The banking trojan logs keystrokes as part of its information-stealing capabilities. ‘logging keystrokes via polling and application hooks’
- [T1113] Screen Capture – The trojan captures screenshots as part of data theft. ‘capturing screenshots’
- [T1041] Exfiltration Over C2 Channel – The contact email addresses harvested from Outlook are exfiltrated to the C2 server via an HTTP POST request. ‘exfiltrates the email addresses … via an HTTP POST request’
- [T1027] Obfuscated Files and Information – The PowerShell downloader is heavily obfuscated with random symbols and base64-encoded strings. ‘heavily obfuscated with random symbols … base64-encoded strings’
Indicators of Compromise
- [Domain] m9b4s2.site – used in campaign since November 2020; tributaria.website – used since July 2022; wiqp.xyz – used since August 2022; ckws.info – used since January 2023; amarte.store – used since March 2023
- [IP] 185.45.195.226 – hosts the PowerShell downloader; 216.238.70.224 – hosts the ZIP payloads
- [IP/FQDN] 139.177.193.74 – C2 server used for data exfiltration
- [File/Filenames] _upyqta2_JAA.lnk, _upyqta2_JEX.lnk, _upyqta2_JAT.lnk, _upyqta2_J.lnk, _upyqta2_JY.lnk – Windows shortcut files used for persistence
- [DLL/Executable] jli.dll, MSVCR100.dll, WebView2Loader.dll – components involved in loading and payload execution
- [Other] ‘adjuntos_1503.html’ (HTML attachment used to deliver the malicious content); ‘m.zip’ (malicious ZIP payload); HTTP POST URL patterns used for exfiltration
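A defender-side check built from the indicators and persistence artifacts listed above, as an added example that is not part of the Talos write-up: it scans constructed proxy and file-creation log lines (the two line formats are assumptions, not a real product's schema) for the listed C2 hosts, flags HTTP POSTs to them as the contact-exfiltration step, and flags creation of the named shortcut files in a user's Startup folder.

```python
import re
from collections import namedtuple

# Indicators copied from the summary above (domains, IPs, startup shortcut names).
C2_DOMAINS = {"m9b4s2.site", "tributaria.website", "wiqp.xyz", "ckws.info", "amarte.store"}
C2_IPS = {"185.45.195.226", "216.238.70.224", "139.177.193.74"}
STARTUP_LNKS = {"_upyqta2_JAA.lnk", "_upyqta2_JEX.lnk", "_upyqta2_JAT.lnk",
                "_upyqta2_J.lnk", "_upyqta2_JY.lnk"}
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)

# Assumed (constructed) log line formats:
#   proxy: "<ts> <client_ip> <method> <host> <path> <status>"
#   file:  "<ts> FILE_CREATE <image> <target_path>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")
FILE_RE = re.compile(r"^(\S+) FILE_CREATE (\S+) (.+)$")

Finding = namedtuple("Finding", "ts rule detail")

def scan_line(line):
    """Return a Finding when a line matches a Horabot indicator, else None."""
    m = PROXY_RE.match(line)
    if m:
        ts, _client, method, host, path, _status = m.groups()
        host = host.split(":")[0].lower()  # drop any :port suffix
        if host in C2_IPS or host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
            # POST to the C2 is the contact-exfiltration step; GET is payload retrieval
            rule = "horabot_c2_post" if method == "POST" else "horabot_c2_contact"
            return Finding(ts, rule, f"{method} {host}{path}")
        return None
    m = FILE_RE.match(line)
    if m:
        ts, image, target = m.groups()
        sm = STARTUP_DIR.search(target)
        if sm and sm.group(1) in STARTUP_LNKS:  # persistence shortcut written to Startup
            return Finding(ts, "horabot_startup_lnk", f"{image} wrote {sm.group(1)}")
    return None

def scan(lines):
    return [f for f in (scan_line(l) for l in lines) if f]

# Constructed sample lines, not taken from any real capture.
SAMPLE = [
    "2023-05-01T10:00:01Z 10.0.0.5 GET www.example.com /index.html 200",
    "2023-05-01T10:00:07Z 10.0.0.5 GET 185.45.195.226 /p.ps1 200",
    "2023-05-01T10:00:09Z 10.0.0.5 POST 139.177.193.74 /contacts 200",
    r"2023-05-01T10:00:12Z FILE_CREATE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_upyqta2_JAA.lnk",
    r"2023-05-01T10:00:13Z FILE_CREATE C:\Windows\explorer.exe C:\Users\u\Desktop\notes.lnk",
]
```

Running `scan(SAMPLE)` yields three findings: the downloader fetch, the POST to the exfiltration server, and the Startup shortcut; the benign GET and the Desktop shortcut are ignored.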
Read more: https://blog.talosintelligence.com/new-horabot-targets-americas/