Email security, Threat Management, Malware

LatAm email accounts targeted by novel Horabot malware campaign

BleepingComputer reports that several email accounts owned by Spanish-speaking users across Latin America have been hijacked in the newly discovered, ongoing Horabot botnet campaign, which has been delivering a banking trojan and spam tool since November 2020. The suspected Brazil-based threat actor is sending targets tax-themed phishing emails with an HTML attachment purporting to be a payment receipt; the attachment triggers a URL redirection chain that eventually leads to the retrieval of a PowerShell downloader script and the Horabot binary, according to a Cisco Talos report. Also downloaded during the process is the "jli.dll" banking trojan, which features remote access capabilities and lures victims into inputting sensitive data, while the encrypted spam tool "_upyqta2_J.mdat" facilitates the theft of Gmail, Yahoo Mail, and Hotmail credentials that would then be leveraged for account takeovers and for generating and delivering spam email to email contacts. The findings also showed that the Horabot payload enables enumeration of Outlook data file folders and emails. "It enumerates all folders and emails in the victim's Outlook data file and extracts email addresses from the emails' sender, recipients, CC, and BCC fields," said Cisco Talos researchers, who added that all files and folders created by the malware are deleted once phishing email distribution is complete.
