securelist.com 3/18/2026, 11:37:00 AM · external

The SOC Files: Time to “Sapecar”. Unpacking a new Horabot campaign in Mexico

The article analyzes a targeted cyber attack involving a threat named Horabot, which combines a banking Trojan with an email spreading mechanism. It begins with an alert detected in a customer's environment, which led the Kaspersky team to investigate the threat's infrastructure.

The attack chain is detailed across four stages: 1) an initial lure through a fake CAPTCHA page that deceives users into executing malicious commands; 2) a polymorphic VBScript that modifies its code with each access to evade detection; 3) an AutoIt script that unpacks into memory a banking Trojan capable of stealing sensitive information; and 4) a PowerShell-based spreader that emails phishing content and collects email addresses for further attacks.

Detection strategies, including YARA rules and hunting queries, are provided to help identify Horabot activities. Indicators of Compromise (IoCs) such as malicious URLs and file hashes are also shared to assist in recognizing Horabot-related threats.

View Primary Source Via securelist.com

Article by CyberSIXT