Horabot Unleashed: A Stealthy Phishing Threat

Horabot is a sophisticated malware campaign targeting Spanish-speaking Microsoft Windows users through phishing emails that impersonate invoices and deliver malicious HTML attachments. It steals sensitive information including email credentials and contact lists, spreads via Outlook automation, and installs banking trojans, impacting Microsoft Windows and Outlook environments. #MicrosoftWindows #Outlook

Key Points

  • Horabot spreads via phishing emails disguised as Spanish-language invoices sent to users in Latin America, including Mexico, Guatemala, Colombia, Peru, Chile, and Argentina.
  • Malicious emails contain ZIP attachments with encoded HTML files that download and execute VBScript, AutoIt, and PowerShell payloads to evade detection and perform reconnaissance.
  • The malware leverages Outlook COM automation to harvest contacts and send phishing emails from victims’ mailboxes, enabling rapid lateral propagation.
  • VBScript performs environment checks for antivirus software, virtual machines, and specific machine names to avoid detection and reinfection.
  • AutoIt scripts decrypt and execute a malicious DLL that collects system and browser data, sending it to multiple command and control (C2) servers for profiling and credential theft.
  • PowerShell scripts automate the construction and delivery of phishing emails, exclude common public email domains from targets, and clean up traces post-infection.
  • Fortinet products detect and block Horabot components using FortiGuard Antivirus signatures, and proactive IP reputation services mitigate infection risks.

MITRE Techniques

  • [T1566] Phishing – Horabot uses phishing emails impersonating invoices with malicious HTML attachments to initiate infections. (“phishing emails with malicious HTML files to spread Horabot, malware…”)
  • [T1059.005] Command and Scripting Interpreter: VBScript – The malware executes VBScript hosted remotely to evade detection and perform environment checks. (“The VBScript…help the malware evade static detection by keeping its real behavior hidden…”)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts decode and execute payloads and automate mass phishing mail sending. (“Creates a Batch script (.bat) to decode a text file (.tws) for executing a PowerShell script…”)
  • [T1105] Ingress Tool Transfer – Malicious payloads such as AutoIt executables, encrypted DLLs, and scripts are downloaded from multiple remote servers. (“It downloads several files from two remote servers…”)
  • [T1071.001] Application Layer Protocol: Web Protocols – Data exfiltration and command retrieval occur via HTTP POST requests to C2 servers. (“It then sends the collected data via HTTP POST…”)
  • [T1027] Obfuscated Files or Information – Horabot uses base64 encoding and custom string-decoding routines in VBScript to hide its true functionality. (“The VBScript…implements a custom string-decoded routine by processing every two characters…”)
  • [T1543.003] Create or Modify System Process: Windows Service – Persistence is established by creating shortcuts and batch scripts in startup folders to run payloads on system start. (“It then creates a new shortcut .lnk file…to execute the Batch script during system startup…”)
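To show how the chain in the key points and the technique list above could be spotted on an endpoint, here is an added Python example; it is not Fortinet's code and not taken from the report. It assumes flattened Sysmon-style process-creation and file-creation records plus PowerShell script-block text, and that the VBScript stage runs under a script host that spawns the `winupdateversion*` loader named in the IoCs; all telemetry below is constructed.

```python
"""Triage constructed endpoint telemetry for the Horabot chain (script host ->
loader -> PowerShell driving Outlook COM, .lnk in Startup). Added example."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$")
OUTLOOK_COM = re.compile(r"new-object\s+-comobject\s+['\"]?outlook\.application")
MAIL_VERBS = re.compile(r"\.(send|createitem|getdefaultfolder)\(")

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def analyze(events):
    """Return the Horabot-style behaviours seen. Assumed record shapes:
    process{parent,image}, scriptblock{text}, filecreate{target}."""
    findings = set()
    for ev in events:
        if ev["kind"] == "process":
            parent, image = _basename(ev["parent"]), _basename(ev["image"])
            # Assumption: the VBScript stage runs under a script host and starts
            # the loader named in the report (winupdateversion686.exe).
            if parent in SCRIPT_HOSTS and image.startswith("winupdateversion"):
                findings.add("script_host_spawns_loader")
            # The loader then starts PowerShell; key on the parent, not the image.
            if parent.startswith("winupdateversion") and image == "powershell.exe":
                findings.add("loader_spawns_powershell")
        elif ev["kind"] == "scriptblock":
            text = ev["text"].lower()
            # Outlook COM alone is common in admin scripts; require a mail or
            # folder verb alongside it before flagging.
            if OUTLOOK_COM.search(text) and MAIL_VERBS.search(text):
                findings.add("outlook_com_mail_automation")
        elif ev["kind"] == "filecreate" and STARTUP_LNK.search(ev["target"].lower()):
            findings.add("startup_folder_lnk")
    return findings

def is_horabot_chain(findings):
    """Escalate only when the propagation stage plus two other stages are seen."""
    return "outlook_com_mail_automation" in findings and len(findings) >= 3

SAMPLE_EVENTS = [  # constructed telemetry, not a real capture
    {"kind": "process", "parent": r"c:\windows\system32\wscript.exe",
     "image": r"c:\users\mx\appdata\roaming\winupdateversion686.exe"},
    {"kind": "process", "parent": r"c:\users\mx\appdata\roaming\winupdateversion686.exe",
     "image": r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"},
    {"kind": "scriptblock", "text": "$o = New-Object -ComObject Outlook.Application; "
     "$o.GetNamespace('MAPI').GetDefaultFolder(10); $o.CreateItem(0).Send()"},
    {"kind": "filecreate", "target": r"c:\users\mx\appdata\roaming\microsoft\windows"
     r"\start menu\programs\startup\update.lnk"},
]
```

Running `analyze(SAMPLE_EVENTS)` yields all four findings and `is_horabot_chain` returns True; a script block that only instantiates Outlook COM without a mail or folder verb produces no finding.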

Indicators of Compromise

  • [Domains] Malicious infrastructure used for payload delivery and command and control – t4[.]contactswebaccion[.]store, labodeguitaup[.]space, d1[.]webcorreio[.]pics
  • [IP Addresses] Payload and data exfiltration servers – 209[.]74[.]71[.]168, 93[.]127[.]200[.]211
  • [File Hashes] Malware components identified by Fortinet – AutoIt script hash: 25be06643204fc7386db3af84b200d362c3287b30c7491b666c4fe821a8c6eb45, Batch script hash: 265a11951f6ac1fd1f150d2711e0158a59416dd709759b39904470f44c83272a3
  • [File Names] Delivered and executed files – ADJUNTOS23042025.zip, winupdateversion686.exe, winupdateversion758.gif, winupdateversion_535.ia

Read more: https://feeds.fortinet.com/~/918158810/0/fortinet/blog/threat-research~Horabot-Unleashed-A-Stealthy-Phishing-Threat