ashikjohn5555

This new malware campaign can hijack your Gmail or Outlook email account



Cybersecurity researchers from Cisco Talos have spotted a new hacking campaign they claim is targeting victims’ sensitive data, login credentials, and email inboxes.


Its operators seem to be located in Brazil, while its victims are Spanish-speaking users located mostly in Mexico, Uruguay, Venezuela, Brazil, Panama, Argentina, and Guatemala.


Horabot botnet

The victims are found in different industries, from investment firms to wholesale distribution, from construction to engineering, and accounting.


The attack starts with an email message carrying a malicious HTML attachment. Ultimately, the victim is urged to download a .RAR archive, which holds the banking trojan.


The malware is capable of doing plenty of things: stealing login credentials, logging keystrokes, and grabbing system information. By generating an invisible overlay, it is also capable of grabbing one-time security codes from multi-factor authentication (MFA) apps, essentially bypassing this crucial layer of security.


Also, the trojan can take over the victims’ email accounts, including those from Outlook, Gmail, and Yahoo. The threat actors would then use this access to send spam messages to all of the contacts saved in the inbox, making its distribution and infection chain somewhat random and untargeted. To some extent, the trojan also works as a remote desktop management tool, as it can create and delete directories and files from the victim’s endpoint, the researchers said.


Finally, the tool has several obfuscation features that prevent it from running in a sandbox environment, or next to a debugging tool, making discovery and subsequent analysis somewhat more difficult.
