A sophisticated, multi-pronged phishing campaign is actively targeting Spanish-speaking users in organizations across Latin America and Europe. The campaign aims to deliver potent Windows banking trojans, specifically Casbaneiro and Horabot, through a complex attack chain, according to a recent report by The Hacker News.

The threat actor, identified as Brazilian cybercrime group Augmented Marauder and Water Saci, employs a unique delivery mechanism involving WhatsApp, ClickFix techniques, and email-based phishing. The initial attack vector is a phishing email containing a password-protected PDF attachment disguised as a court summons. Upon opening the PDF, users are directed to a malicious link that downloads a ZIP archive, leading to the execution of interim HTML Application (HTA) and VBS payloads.

These scripts perform environment checks and retrieve further payloads from a remote server, ultimately deploying Casbaneiro and Horabot. Casbaneiro acts as the primary banking trojan, while Horabot serves as a propagation tool, using compromised email accounts to distribute phishing emails with dynamically generated PDF attachments to harvested contacts.

Source: The Hacker News
Phishing campaign delivers Casbaneiro and Horabot banking trojans
