A new malware campaign is exploiting the widespread use of WhatsApp to distribute banking trojans and steal sensitive information from Brazilian users. Attackers are leveraging sophisticated social engineering tactics, disguising malicious files as legitimate communications to breach user trust and infiltrate their devices. This burgeoning threat highlights the evolving landscape of cyberattacks, where popular communication platforms are increasingly weaponized.
The campaign, identified as part of the broader Water-Saci operation by K7 Security Labs, begins with phishing emails containing obfuscated VBScript attachments. These scripts are designed to bypass security software and lay the groundwork for further infection. The primary goal appears to be the compromise of financial data, targeting both traditional banking institutions and cryptocurrency wallets prevalent in Brazil.
Technical Breakdown of the Infection Mechanism
The infection chain commences with users receiving phishing emails that contain archived VBScript files. According to K7 Security Labs, these scripts employ significant obfuscation techniques, utilizing character-by-character string construction and XOR encryption to evade detection by antivirus and other security measures. This multi-layered approach makes the initial malicious code difficult to identify.
Following the deobfuscation of the VBScript, the malware downloads and installs essential components: Python and the Selenium WebDriver. This setup is crucial for enabling automated interaction with WhatsApp Web. The attackers have developed a Python script, referred to as `whats.py`, which takes control of an existing WhatsApp Web session on the victim’s machine.
This control is achieved by copying critical browser profile data, including cookies, local storage, and IndexedDB files, to a temporary directory. By utilizing Selenium’s `user-data-dir` argument, the script launches a Chrome browser instance pre-authenticated with the victim’s session. This ingenious method bypasses the need for QR code scanning, a standard security measure for accessing WhatsApp Web, thereby granting attackers direct access.
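As an added example (not part of the original report or of K7 Security Labs' analysis), the following Python detection sketch flags the session-reuse pattern described above: a Chromium-based browser spawned by Python or chromedriver with a `--user-data-dir` that points into a temporary directory. The process events, field names, user names and paths are constructed for illustration.

```python
import re
from typing import Optional

BROWSERS = {"chrome.exe", "msedge.exe", "chromium.exe", "brave.exe"}
# With Selenium, chrome.exe is usually spawned by chromedriver.exe, which is
# itself spawned by python.exe; treat either as an automation parent.
AUTOMATION_PARENTS = {"python.exe", "pythonw.exe", "chromedriver.exe"}
USER_DATA_DIR = re.compile(r'--user-data-dir[=\s]+("[^"]*"|\S+)', re.I)
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.I)

# Constructed sample events (Sysmon Event ID 1-style fields, made-up values).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\chromedriver.exe",
     "CommandLine": r"chrome.exe --user-data-dir=C:\Users\alice\AppData\Local\Temp\tmpk9x2 https://web.whatsapp.com"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"chrome.exe --profile-directory=Default"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Python311\python.exe",
     "CommandLine": r"chrome.exe --user-data-dir=C:\Users\alice\selenium-profile --headless=new"},
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_event(ev: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(ev.get("Image", "")) not in BROWSERS:
        return None
    m = USER_DATA_DIR.search(ev.get("CommandLine", ""))
    if not m:
        return None  # ordinary browser launch, no custom profile directory
    profile = m.group(1).strip('"')
    automated = basename(ev.get("ParentImage", "")) in AUTOMATION_PARENTS
    if automated and TEMP_DIR.search(profile):
        return "high"    # automation driving a throwaway profile copy: the pattern above
    if automated:
        return "medium"  # automation with a persistent profile; triage against known test hosts
    return None

def scan(events) -> list:
    """Return (index, severity) for every event that matches."""
    return [(i, sev) for i, ev in enumerate(events) if (sev := classify_event(ev))]

if __name__ == "__main__":
    for i, sev in scan(SAMPLE_EVENTS):
        print(f"event {i}: {sev}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

A "medium" hit is expected on developer machines that run Selenium tests, so suppress those hosts rather than lowering the rule; the "high" case pairs automation with a profile copied into a temp directory, which legitimate test suites rarely do.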
Once authenticated into WhatsApp Web, the malware injects helper JavaScript code obtained from a GitHub repository. This injected code grants the attackers access to WhatsApp’s internal API functions. Specifically, the malware can enumerate the victim’s contact list using functions like `WPP.contact.list`. It then systematically filters these contacts, excluding individuals associated with groups, business accounts, or those matching pre-defined number patterns specified by the attackers.
The harvested contact information is then batched and used to distribute the next stage of the infection. Attackers send malicious ZIP files to these contacts, effectively propagating the malware throughout the victim’s network. Simultaneously, detailed logs of the operation are transmitted back to a command-and-control server, often a PHP server controlled by the attackers. This process allows for the silent harvesting of contact details and the continuous spread of the campaign.
Beyond WhatsApp exploitation, the campaign also deploys an MSI installer. This installer places an AutoIt script alongside encrypted payload files. The AutoIt script establishes persistence on the victim’s system through registry modifications and continuously monitors active Windows applications. Its primary function is to detect the presence of banking-related keywords within active windows.
When applications associated with specific Brazilian financial institutions or cryptocurrency wallets are detected, the malware decrypts the payload and loads the banking trojan directly into memory. Because the decrypted trojan itself is never written to disk (only the encrypted payload files are), this “in-memory” execution sidesteps traditional file-based detection and significantly reduces the chance of discovery by security software.
The Water-Saci campaign’s reliance on WhatsApp for distribution is a notable tactic, leveraging the immense trust users place in their contacts. This approach allows the attackers to spread their malicious payloads far and wide while remaining largely undetected. The memory-only execution of the banking trojan further enhances its stealth capabilities, making it a potent threat to financial security in Brazil.
Users are advised to exercise extreme caution regarding unsolicited emails and unexpected attachments, even if they appear to come from known contacts. Maintaining up-to-date antivirus software and regularly updating operating systems and applications can also provide an additional layer of defense against such evolving threats. The ongoing nature of the Water-Saci campaign suggests that continued vigilance and robust cybersecurity practices are essential for protecting sensitive information.