[ad_1]
Cybersecurity researchers at Cisco Talos have spotted a new hacking campaign that they claim is targeting victims’ sensitive data, login credentials and email inboxes.
Horabot is described as a botnet that has been active for about two and a half years now (first seen in November 2020). During that time, it was mostly tasked with distributing banking trojans and spam malware.
Its operators appear to be based in Brazil, while its victims are mostly Spanish-speaking users located in Mexico, Uruguay, Venezuela Brazil, Panama, Argentina and Guatemala.
horabot botnet
Victims are found in a variety of industries, from investment firms to wholesale distribution, from construction to engineering and accounting.
The attack begins with an email message containing a malicious HTML attachment. Ultimately, the victim is urged to download a .RAR archive, which contains a banking trojan.
Malware is capable of a lot: stealing login credentials, logging keystrokes, and grabbing system information. By generating an invisible overlay, it is also able to grab one-time security codes from multi-factor authentication (MFA) apps, essentially bypassing this critical layer of security.
Additionally, the Trojan can take over victims’ email accounts, including Outlook, Gmail, and Yahoo. Threat actors will then use this access to send spam messages to all contacts saved in the inbox, making its distribution and infection chain somewhat random and untargeted. To some extent, the Trojan also acts as a remote desktop management tool, the researchers said, as it can create and delete directories and files from the victim’s endpoint.
Finally, the tool has a number of obscure features that prevent it from running in a sandbox environment, or next to a debugging tool, making discovery and subsequent analysis somewhat more difficult.
Via: Bleeping Computer










