Horabot, a well-known banking trojan, is back in an active campaign that is targeting users all over Mexico. It uses a multi-stage infection chain and an email worm to turn every infected machine into a phishing relay. The threat includes a Delphi-based banking trojan and a PowerShell-based spreader, making it one of the more complex financially motivated threats seen in Latin America.
A fake CAPTCHA page instructs victims to open the Windows Run dialog and paste a malicious command, which is what starts the attack. Rather than exploiting a software vulnerability, the attackers trick users into launching a malicious HTA file that kicks off the infection chain without their knowledge. Because the victim becomes an unwitting participant in their own compromise, this technique sidesteps many endpoint defenses.
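One defender-side check for the paste-into-Run lure described above, as an added example that is not from the ZeroOwl write-up: Windows keeps the commands typed into the Run dialog under the RunMRU registry key, so exporting that key and scanning it for script hosts and remote URLs surfaces this kind of execution after the fact. The sample entries and the placeholder host are constructed for the example; the key layout (one value per letter holding `<command>\1`, plus `MRUList` giving most-recent-first order) is the documented Windows format.

```python
import re
from typing import Dict, List

# Added example, not from the original write-up. Windows records Run-dialog commands under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: one value per letter holding
# "<command>\1", plus "MRUList" listing the letters most-recent-first. Export that key (e.g. with
# reg export) and feed the values in as a dict to hunt for paste-and-run lures.

# Constructed sample (placeholder host, not a real indicator): one lure among benign entries.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": "mshta https://placeholder.invalid/verify.hta\\1",
}

# Script hosts and downloaders that ordinary users have no reason to launch from the Run box.
HOST_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"\s]*\\)?'
    r"(mshta|powershell|pwsh|cmd|curl|certutil|bitsadmin|wscript|cscript|rundll32)(?:\.exe)?\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
ENCODED_RE = re.compile(r"\s-(?:e|enc|encodedcommand)\s", re.IGNORECASE)


def parse_runmru(values: Dict[str, str]) -> List[str]:
    """Return Run-dialog commands most-recent-first, with the trailing '\\1' marker stripped."""
    commands = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def reasons_for(command: str) -> List[str]:
    """List why a Run-dialog command looks like a paste-and-run lure (empty means nothing tripped)."""
    reasons = []
    host = HOST_RE.match(command)
    if host:
        reasons.append(f"launches {host.group(1).lower()}")
    if URL_RE.search(command):
        reasons.append("contains a remote URL")
    if ENCODED_RE.search(command):
        reasons.append("uses an encoded PowerShell command")
    return reasons


def hunt(values: Dict[str, str]) -> List[dict]:
    """Flag suspicious RunMRU entries; each hit carries the command and the reasons it tripped."""
    hits = []
    for command in parse_runmru(values):
        reasons = reasons_for(command)
        if reasons:
            hits.append({"command": command, "reasons": reasons})
    return hits
```

A hit only proves the command was typed into the Run box, so pair it with process-creation telemetry for the script host before treating it as a confirmed infection.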
Deploying the published YARA rules for the Horabot Delphi trojan and the AutoIT loader, together with the Suricata rule that matches the double "##" C2 traffic pattern, helps detect infections early. All shared indicators of compromise, including the attacker-controlled domains and socket addresses, should be added to network blocklists immediately. Training users to recognize fake CAPTCHA lures and PDF attachments with hidden buttons remains an essential layer of defense.