BleepingComputer reports that several email accounts belonging to Spanish-speaking users across Latin America have been hijacked in the newly discovered, still ongoing Horabot botnet campaign, which has been delivering a banking trojan and a spam tool since November 2020.
According to a Cisco Talos report, the suspected Brazil-based threat actor sends targets tax-themed phishing emails carrying an HTML attachment that purports to be a payment receipt; opening the attachment triggers a URL redirection chain that ultimately retrieves a PowerShell downloader script and the Horabot binary.
Also downloaded during this process is the "jli.dll" banking trojan, which has remote access capabilities and lures victims into entering sensitive data, while the encrypted spam tool "_upyqta2_J.mdat" steals Gmail, Yahoo Mail, and Hotmail credentials that are then used for account takeover and for generating and sending spam to the victim's email contacts. The findings also showed that the Horabot payload enumerates the folders and emails in Outlook data files.
"It enumerates all folders and emails in the victim's Outlook data file and extracts email addresses from the emails' sender, recipients, CC, and BCC fields," said Cisco Talos researchers, who added that all files and folders created by the malware are deleted once the phishing email distribution is complete.
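The lure described above is an HTML attachment that redirects the recipient's browser to an external URL. The following is an added defensive example, not code from the report or from Cisco Talos, that parses a message and flags HTML attachments containing a client-side redirect; the message, filename and `.invalid` URLs are constructed placeholders, not real indicators.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Client-side redirect forms commonly embedded in HTML lure attachments:
# meta refresh and script-driven location changes (pattern set is an assumption).
REDIRECT_PATTERNS = [
    re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I),
    re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
    re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I),
]


def redirect_targets(html: str) -> list[str]:
    """Return the external URLs an HTML document would redirect to when opened."""
    found = []
    for pat in REDIRECT_PATTERNS:
        for match in pat.finditer(html):
            url = match.group(1)
            if url.lower().startswith(("http://", "https://")):
                found.append(url)
    return found


def scan_message(raw: bytes) -> list[dict]:
    """Flag HTML attachments whose content redirects the browser to an external URL."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            body = part.get_content()
            if isinstance(body, bytes):
                body = body.decode("utf-8", "replace")
            urls = redirect_targets(body)
            if urls:
                findings.append({"attachment": name, "redirects_to": urls})
    return findings


def build_sample_message() -> bytes:
    """Construct a sample 'payment receipt' lure for offline testing (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "facturacion@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Comprobante de pago - impuestos"
    msg.set_content("Adjunto el comprobante de pago.")
    html = ('<html><head><meta http-equiv="refresh" '
            'content="0; url=https://redirect-placeholder.invalid/step1"></head>'
            '<body>Cargando...</body></html>')
    msg.add_attachment(html, subtype="html", filename="comprobante_de_pago.html")
    return msg.as_bytes()
```

Run `scan_message(build_sample_message())` to see the flagged attachment and its redirect target; a clean message yields an empty list.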
While malware and ransomware tend to dominate cybersecurity headlines, Fortra’s research shows that nearly 99% of email threats reaching corporate inboxes utilize impersonation rather than malware. Email impersonation is a key component of credential phishing, advance fee fraud, hybrid vishing, and business email compromise schemes. Because email i...
BleepingComputer reports that individuals who have filed claims against bankrupt cryptocurrency lender Celsius have been subjected to phishing attacks involving the impersonation of the lender's claims agent, Stretto.