Malware Family and Delivery Mechanism

Horabot is a PowerShell-based botnet program that functions as a dropper and orchestration layer for secondary payloads, most notably the Casbaneiro banking trojan (also tracked as Metamorfo). The campaign targets Spanish-speaking users inside organizations across Latin America and Europe, with confirmed activity in Mexico, Chile, Colombia, Spain, and Portugal.

Delivery begins with phishing emails written in Spanish, designed to appear as financial notifications, invoice alerts, or tax documents. The emails carry malicious HTML or ZIP attachments that, when opened, initiate a multi-stage infection chain. The chain leverages legitimate cloud storage services and content delivery infrastructure to stage intermediate payloads, reducing the likelihood of domain-based blocking at the email gateway.

The Brazilian cybercrime group behind this activity is tracked by Cisco Talos as Augmented Marauder and by Trend Micro as Water Saci. Trend Micro's reporting attributed the campaign to Brazilian-origin operators on the basis of Portuguese-language artifacts in the code, C2 domains registered from Brazilian IP space, and infrastructure overlap with earlier Brazilian banking trojan campaigns.

Capabilities

Persistence

Horabot establishes persistence on infected Windows hosts by writing scheduled tasks via schtasks.exe. The tasks execute encoded PowerShell commands that re-download and re-execute the dropper components on a timed interval. Registry-based persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run has also been observed in analyzed samples, providing a redundant execution trigger.

Casbaneiro Payload: Credential and Banking Data Exfiltration

Once Horabot deploys Casbaneiro, the trojan performs the following actions on the victim host:

  • Overlay attacks: Monitors foreground windows for banking portals and Outlook Web Access. When a target application is detected, Casbaneiro renders a full-screen fake overlay to harvest credentials.
  • Clipboard hijacking: Intercepts and replaces copied cryptocurrency wallet addresses and banking account strings.
  • Keylogging: Captures keystrokes inside targeted financial applications and webmail clients.
  • Screenshot capture: Takes periodic screenshots and stores them locally before transmission to C2.
  • Email account abuse: The infection harvests the victim's Outlook contacts and sends further phishing emails from the compromised mailbox, propagating the campaign without the operators having to source new victims themselves. In Talos's analysis this function sits in the Horabot component, which drives the already-authenticated local Outlook session, so it works even without capturing the mailbox password.

Command and Control

Horabot communicates with attacker-controlled infrastructure over HTTPS using domains registered through privacy-shielded registrars, frequently rotating within .xyz, .top, and .site TLDs. C2 traffic is encoded and mimics legitimate web requests to reduce detection by network-layer security tools. Casbaneiro uses a separate C2 channel, historically hosted on compromised Brazilian hosting providers and, in more recent samples, on Amazon AWS and Microsoft Azure virtual machines to blend into expected cloud egress traffic.

Affected Platforms

  • Operating Systems: Windows 7 through Windows 11 (32-bit and 64-bit)
  • Applications targeted for overlay attacks: Banco Bradesco, Banco Itaú, Santander, BBVA, Banorte, Scotiabank Mexico, and Microsoft Outlook (desktop and OWA)
  • Sectors: Financial services, insurance, manufacturing, and government entities with Spanish-speaking employee populations

No macOS or Linux variants of Horabot or Casbaneiro have been confirmed in public analysis as of mid-2024.

Detection Signatures

SOC teams should implement the following detections across SIEM, EDR, and network monitoring platforms:

YARA (Horabot dropper):

rule Horabot_Dropper_PS1 {
  meta:
    description = "Triage rule: PowerShell dropper pairing an encoded launch with schtasks persistence and a download cradle"
    note = "The three generic strings also occur in legitimate admin scripts; use for hunting and enrichment, not for blocking"
  strings:
    // Match powershell.exe/powershell with any switches before -e/-ec/-en/-enc/-EncodedCommand
    $ps_enc    = /powershell(\.exe)?(\s+-\S+)*\s+-e(c|n|nc|ncodedcommand)?\s/ nocase
    // Match schtasks or schtasks.exe followed by /create
    $schtask   = /schtasks(\.exe)?\s+\/create/ nocase
    $download  = "DownloadString" nocase
    $hb_marker = "horabot" nocase
  condition:
    filesize < 2MB and 3 of them
}

Sigma (Scheduled Task Creation by PowerShell): Match Sysmon Event ID 1 (process creation) where Image ends in schtasks.exe, CommandLine contains /create, and ParentImage ends in powershell.exe or pwsh.exe; then follow ParentProcessGuid upward and alert only when an ancestor in the tree is outlook.exe or a browser. A task created from a user-launched PowerShell console has a different ancestry and should not fire. Windows Security Event ID 4698 (scheduled task created) records the full task XML, including the action, and is a second source where Sysmon is not deployed.
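The process-tree logic described above, as an added example in Python rather than a vendor Sigma rule: it rebuilds parent/child links from Sysmon Event ID 1 records and flags schtasks /create launched by PowerShell under a mail client or browser, while letting an administrator's console-launched task through. The records, GUIDs and paths are constructed sample data, not telemetry from a real infection; this is not code from Talos, Trend Micro or the page.

```python
"""Flag schtasks /create spawned by PowerShell whose ancestry includes a mail
client or browser, from Sysmon Event ID 1 (process creation) records.

Added example for this page. Field names follow Sysmon's Event ID 1 schema
(Image, CommandLine, ProcessGuid, ParentProcessGuid); the records are constructed.
"""

# Constructed Sysmon Event ID 1 records, reduced to the fields the rule needs.
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "OUTLOOK.EXE"},
    # Victim opens the attachment: Outlook spawns PowerShell with an encoded command.
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # The dropper registers its persistence task.
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 30 /tn "Update" /tr "powershell -enc SQBFAFgA"'},
    # Benign: an admin creates a task from an interactive PowerShell console.
    {"ProcessGuid": "g5", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ProcessGuid": "g6", "ParentProcessGuid": "g5",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc daily /tn "Backup" /tr "C:\\Tools\\backup.exe"'},
]

# Ancestors that make a PowerShell-driven schtasks /create suspicious.
MAIL_AND_BROWSER = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(image):
    """Lower-cased file name of an Image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event, by_guid, max_depth=8):
    """Walk ParentProcessGuid links upward; returns ancestor image names, nearest first."""
    chain, cur = [], event
    for _ in range(max_depth):  # bounded so a broken/cyclic link can't loop forever
        parent = by_guid.get(cur["ParentProcessGuid"])
        if parent is None:
            break
        chain.append(basename(parent["Image"]))
        cur = parent
    return chain


def find_suspicious_task_creation(events):
    """Return (ProcessGuid, ancestry) for each schtasks /create whose parent is
    PowerShell and whose wider tree contains a mail client or browser."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["Image"]) != "schtasks.exe" or "/create" not in e["CommandLine"].lower():
            continue
        chain = ancestry(e, by_guid)
        if chain and chain[0] in POWERSHELL and any(a in MAIL_AND_BROWSER for a in chain[1:]):
            hits.append((e["ProcessGuid"], chain))
    return hits


if __name__ == "__main__":
    for guid, chain in find_suspicious_task_creation(SAMPLE_EVENTS):
        print(f"ALERT {guid}: schtasks /create under {' <- '.join(chain)}")
```

Keying on ancestry rather than on the schtasks command line alone is what separates the two /create events above: both come from PowerShell, but only one descends from Outlook.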

Network IOCs:

  • Block, or at minimum alert on, outbound connections to newly registered domains (under 30 days old, using the domain-age data from the proxy or DNS security vendor) in the .xyz, .top, and .site TLDs from endpoints with no business justification. TLD alone is a weak indicator; pair it with domain age.
  • Alert on HTTPS POST requests from powershell.exe to AWS or Azure address space. Do not apply the same rule to outlook.exe without an allowlist: Outlook talks to Microsoft 365 endpoints hosted in Azure continuously, so alert on outlook.exe only for destinations outside the published Microsoft 365 ranges.

Email Gateway Rules:

  • Quarantine HTML attachments with embedded <script> tags referencing external URLs combined with Spanish-language lure subjects.
  • Flag ZIP attachments containing .js, .vbs, or .lnk files delivered to Spanish-language mail recipients.
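Both gateway rules as an added, stand-alone example (Python, not a mail-gateway product configuration or code from the page): the HTML check parses attachments for <script> tags whose src points at a remote host and quarantines only when the subject also carries a Spanish lure term, so a benign externally scripted HTML mail does not trip it; the ZIP check lists members by extension and treats an unparseable archive as a hit rather than letting it through. The extension set extends the page's .js/.vbs/.lnk with commonly abused siblings, the lure-term list is a constructed stand-in for a recipient-language or classifier check, and the two attachments are built in memory.

```python
"""Attachment checks for the two email gateway rules above (added example)."""
import io
import posixpath
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# The page names .js, .vbs and .lnk; the others are commonly abused siblings (editor's addition).
BLOCKED_MEMBER_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk"}
# Constructed lure terms; a real gateway would use recipient language or a subject classifier.
SPANISH_LURE_TERMS = ("factura", "comprobante", "pago", "transferencia", "impuesto", "notificación")


class ExternalScriptFinder(HTMLParser):
    """Collect src values of <script> tags that load from a remote host."""
    def __init__(self):
        super().__init__()
        self.external_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:  # HTMLParser lower-cases tag and attribute names
            if name == "src" and value:
                v = value.strip()
                if v.startswith("//") or urlparse(v).scheme.lower() in ("http", "https"):
                    self.external_srcs.append(v)


def external_script_urls(html_bytes):
    p = ExternalScriptFinder()
    p.feed(html_bytes.decode("utf-8", errors="replace"))
    p.close()
    return p.external_srcs


def risky_zip_members(zip_bytes):
    """Members whose extension is blocked. Raises zipfile.BadZipFile on a corrupt archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return [n for n in names if posixpath.splitext(n)[1].lower() in BLOCKED_MEMBER_EXTENSIONS]


def subject_is_spanish_lure(subject):
    s = subject.lower()
    return any(term in s for term in SPANISH_LURE_TERMS)


def verdict(subject, attachments):
    """attachments: list of (filename, bytes). Returns (action, reasons) where
    action is 'quarantine', 'flag' or 'pass'."""
    reasons, quarantine = [], False
    for filename, data in attachments:
        lower = filename.lower()
        if lower.endswith((".htm", ".html")):
            urls = external_script_urls(data)
            if urls and subject_is_spanish_lure(subject):
                quarantine = True
                reasons.append(f"{filename}: external <script> src {urls} with Spanish lure subject")
        elif lower.endswith(".zip"):
            try:
                members = risky_zip_members(data)
            except zipfile.BadZipFile:
                reasons.append(f"{filename}: unreadable archive")
                continue
            if members:
                reasons.append(f"{filename}: script/shortcut members {members}")
    if quarantine:
        return "quarantine", reasons
    return ("flag" if reasons else "pass"), reasons


def build_samples():
    """Constructed lure attachments: an HTML file loading a remote script and a
    ZIP carrying a double-extension .lnk (stub bytes, not a real shortcut)."""
    html_lure = (b"<html><body>Su factura esta lista.\n"
                 b"<script src='https://cdn.example.invalid/loader.js'></script></body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura_2024.pdf.lnk", b"L\x00\x00\x00")
        zf.writestr("leeme.txt", b"hola")
    return html_lure, buf.getvalue()


if __name__ == "__main__":
    html_lure, zip_lure = build_samples()
    print(verdict("Factura pendiente de pago", [("aviso.html", html_lure), ("docs.zip", zip_lure)]))
```

Nested archives are deliberately not unpacked here; a production filter has to recurse into ZIP-in-ZIP and ISO containers, or the extension check is trivially bypassed.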

Removal Guidance

  1. Isolate the host from the network immediately upon confirmed infection to prevent Casbaneiro from sending phishing emails from the victim's mailbox.
  2. Revoke and rotate credentials for all email accounts, banking portals, and VPN profiles accessible from the infected system. Assume all credentials entered on the host since the earliest estimated infection date are compromised.
  3. Delete scheduled tasks created by Horabot: enumerate them with schtasks /query /fo LIST /v and inspect the Task To Run field of every task for PowerShell launched with -enc or -EncodedCommand. Decode the Base64 (it is UTF-16LE text) to confirm the action is a download-and-execute stage, then remove the task with schtasks /delete /tn "<task name>" /f. Do not rely on the task name alone.
  4. Remove registry persistence keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run referencing PowerShell or unsigned executables in %APPDATA% or %TEMP%.
  5. Terminate and delete Casbaneiro binaries. Microsoft Defender for Endpoint, CrowdStrike, and SentinelOne detect the family under vendor-specific names, including Trojan:Win32/Casbaneiro, TSPY_CASBANEIRO, and BankerX. Run a full offline scan after removing the persistence mechanisms, since a surviving task would otherwise redownload the components a live scan removes.
  6. Audit the victim's sent mail folder for outbound phishing messages and notify any external recipients who may have received malicious emails from the compromised account.
  7. Reimage the endpoint if forensic integrity is required or if full removal cannot be confirmed through EDR telemetry.