Horus Protector Rewrites the Rules of Cyber Obfuscation

Threat Group: Unknown (French-speaking actors suspected)
Threat Type: Fully Undetectable (FUD) Malware Distribution Service
Exploited Vulnerabilities: Remote code execution via encoded Visual Basic (VBE) scripts
Malware Used: AgentTesla, Remcos, Snake, NjRat, SNAKE Keylogger
Threat Score: High (8.5/10) due to its highly obfuscated nature and persistent distribution of multiple malware families.
Last Threat Observation: October 16, 2024


Overview

HORUS Protector is a newly identified malware distribution service designed as a Fully Undetectable (FUD) crypter that can bypass many antivirus (AV) protections. It delivers a range of dangerous malware strains, including AgentTesla, Remcos, Snake, NjRat, and the SNAKE Keylogger, using sophisticated obfuscation techniques such as encoded Visual Basic scripts (VBE) packed inside .zip archives.

This service is mainly distributed through cybercrime platforms like Telegram, where threat actors sell subscription-based plans, making advanced malware propagation accessible even to non-expert criminals. By updating frequently and monitoring AV detections, HORUS Protector ensures that its payloads remain undetected, posing a severe risk to organizations and individuals worldwide.


Key Details

  • Delivery Method:
    HORUS Protector distributes malware through .zip archives that contain VBE-encoded Visual Basic scripts, which initiate the infection process once executed. Upon activation, these scripts establish communication with command-and-control (C2) servers to download additional payloads.
  • Target:
    Both corporate organizations and individual users are vulnerable to this malware, especially when phishing emails or malicious download links are used.
  • Functions:
    1. Multilayered propagation: HORUS Protector uses scripts stored in registry entries to initiate and maintain malware infections.
    2. Persistent payload delivery: Malware such as the SNAKE Keylogger can record sensitive user data like keystrokes, screenshots, and clipboard contents.
    3. C2 Communication: Downloaded payloads are fetched from a central C2 server.
    4. Advanced obfuscation: The malware uses process hollowing and registry-based obfuscation to hide its presence.
  • Obfuscation Techniques:
    HORUS Protector employs various techniques to evade detection, including:
    • VBE-encoded scripts to launch payloads.
    • Registry manipulation to store and execute payloads in segments (e.g., segment1, segment2, etc.).
    • Process hollowing to inject malware into legitimate processes, such as MSBuild.exe.
    • Scheduled tasks to execute malicious scripts persistently.

Attack Vectors

HORUS Protector’s attack chain begins with a phishing email or malicious download, typically containing a .zip file. This archive includes VBE scripts, which, when executed, connect to a C2 server (defanged IP: hxxp://144[.]91[.]79[.]54). The scripts then download additional malware, such as Elfetah.exe, from URLs like hxxp://144[.]91[.]79[.]54/1109/file.

The downloaded files are stored in system registry keys, including [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx], where the malware stores encoded payloads. Through scheduled tasks, the scripts ensure persistence by running every minute.

HORUS Protector also checks for Windows Defender before executing the payload. If AV software is disabled, it proceeds to execute the final payload, often a keylogger or RAT.
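The attack chain above (registry-staged payload segments, a one-minute scheduled task launching a VBE script, and MSBuild.exe reaching out to the C2 address) can be expressed as detection logic. The following is an added example, not code from the advisory or from any vendor product; it runs over a constructed, simplified Sysmon-style event list, and the event field names are an assumption for illustration.

```python
import re

# Indicators taken from the advisory: C2 address and registry value names used for staging.
C2_IP = "144.91.79.54"
REG_SEGMENT_NAMES = {"segment1", "segment2", "donn", "s", "r"}

# Constructed sample telemetry (simplified Sysmon-style events); field names are assumed.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\SOFTWARE\uOITNhlpKJsMLJx", "value": "segment1",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "registry_set", "key": r"HKCU\SOFTWARE\uOITNhlpKJsMLJx", "value": "segment2",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "task_create", "name": "Updater", "interval_min": 1,
     "command": r"wscript.exe C:\Users\victim\AppData\Local\Temp\run.vbe"},
    {"type": "net_connect", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dst": "144.91.79.54", "port": 80},
    {"type": "net_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "93.184.216.34", "port": 443},
    {"type": "task_create", "name": "Backup", "interval_min": 60, "command": r"C:\Tools\backup.exe"},
]


def detect(events):
    """Return (rule_name, detail) findings matching the HORUS Protector chain."""
    findings = []
    seg_keys = {}  # registry key -> set of segment value names written under it
    for ev in events:
        t = ev["type"]
        if t == "registry_set" and ev["key"].upper().startswith("HKCU\\SOFTWARE\\"):
            name = ev["value"].lower()
            if name in REG_SEGMENT_NAMES:
                seg_keys.setdefault(ev["key"], set()).add(name)
        elif t == "task_create":
            # Persistence: a task repeating every minute that launches a .vbe via the script host.
            if ev["interval_min"] <= 1 and re.search(r"[wc]script\.exe.*\.vbe\b", ev["command"].lower()):
                findings.append(("vbe_task_persistence", f"{ev['name']}: {ev['command']}"))
        elif t == "net_connect":
            image = ev["image"].lower().rsplit("\\", 1)[-1]
            if ev["dst"] == C2_IP:
                findings.append(("known_c2_ioc", f"{image} -> {ev['dst']}:{ev['port']}"))
            if image == "msbuild.exe":
                # MSBuild.exe is the hollowing host named in the advisory; it rarely needs the network.
                findings.append(("msbuild_outbound", f"{image} -> {ev['dst']}:{ev['port']}"))
    # Two or more segment-style values written under one HKCU\SOFTWARE key is the staging pattern.
    for key, names in seg_keys.items():
        if len(names) >= 2:
            findings.append(("registry_segment_staging", f"{key}: {sorted(names)}"))
    return findings
```

A single segment write on its own is deliberately not flagged, so the staging rule only fires once the multi-segment pattern is present.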


Indicators of Compromise (IoCs)

To assist in identifying and mitigating this threat, here are defanged IoCs related to HORUS Protector:

File Hashes:

  • MD5:
    • 8acccb571108132e1bbe7c4c60613f59
    • c39a2e4fbcce649cb5ac409d4a2e1b1f
    • fd4302cdfacbc18e723806fde074625b
  • SHA1:
    • 6d1d8197029f5d5f0ad961178db8574fefb7a65b
  • SHA256:
    • 899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4

C2 Infrastructure:

  • Defanged IP: hxxp://144[.]91[.]79[.]54
  • Malicious URLs:
    • hxxp://144[.]91[.]79[.]54/1109/file
    • hxxp://144[.]91[.]79[.]54/1109/H011yiDJHSNr3TuAtkpt.txt

Registry Keys:

  • HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx
  • Subkeys: segment1, segment2, donn, s, and r

Mitigation and Prevention

  1. User Awareness:
    Educate employees and users about phishing risks, especially files or links delivered in unexpected emails.
  2. Email Filtering:
    Deploy advanced email filtering to detect suspicious attachments like .zip files, and block known malicious domains.
  3. Endpoint Protection:
    Ensure all endpoints are protected by updated antivirus software capable of detecting and blocking the payloads associated with HORUS Protector.
  4. Monitor Network Traffic:
    Watch for unusual outbound connections to known C2 IPs such as 144[.]91[.]79[.]54.
  5. Scheduled Task Monitoring:
    Regularly audit task schedulers to check for unauthorized tasks.
  6. Patch Management:
    Ensure all software is up to date, and that any vulnerabilities that might be exploited by HORUS Protector are patched promptly.

Conclusion

HORUS Protector is a significant and evolving threat, allowing even novice cybercriminals to deploy highly sophisticated malware payloads. With its focus on obfuscation, persistence, and malware-as-a-service (MaaS) offerings, this crypter presents a growing danger to organizations. Early detection and proactive defense strategies, including strong endpoint protection, email filtering, and user awareness training, are key to mitigating this threat.


Sources: