Trustwave SpiderLabs researchers have uncovered a new and sophisticated banking trojan, dubbed Eternidade Stealer, which is being distributed through WhatsApp and employs advanced social engineering tactics. This malware represents a significant development in Brazil’s cybercriminal landscape, capable of harvesting extensive contact information and targeting financial institutions by stealing user credentials. The discovery highlights the growing threat of mobile-based malware and the continued exploitation of popular messaging platforms for malicious purposes.
Eternidade Stealer Uses WhatsApp Hijacking for Sophisticated Attacks
The attack chain of Eternidade Stealer begins with an obfuscated VBScript file distributed via WhatsApp messages. Upon execution, this script downloads a batch file that delivers two primary malicious payloads: a Python-based WhatsApp worm designed to spread the infection further, and an MSI installer responsible for deploying the banking trojan itself. This distribution method leverages the inherent trust users place in messages from their contacts, increasing the likelihood that recipients will open malicious attachments.
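The chain described above (script host, then a batch file, then an MSI installer and a Python interpreter) leaves a recognisable process ancestry. The following is an added detection example, not code from Trustwave or from the malware: it walks constructed process-creation events (the tuple layout and the benign decoy rows are assumptions; real telemetry such as Sysmon Event ID 1 would be mapped onto the same fields) and reports every script-host -> shell -> payload-launcher ancestry.

```python
"""Flag script-host -> cmd.exe -> installer/interpreter process chains.

Added example. The event format and the sample rows are constructed for
illustration; map real process-creation telemetry onto (pid, ppid, image).
"""

# Constructed sample events: (pid, parent_pid, image). Not real telemetry.
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "WhatsApp.exe"),
    (300, 100, "wscript.exe"),      # obfuscated VBScript opened from a chat attachment
    (400, 300, "cmd.exe"),          # downloaded batch file
    (500, 400, "msiexec.exe"),      # MSI installer deploying the trojan
    (600, 400, "python.exe"),       # Python-based WhatsApp worm
    (700, 100, "cmd.exe"),          # benign: user-opened shell, not script-spawned
    (800, 700, "msiexec.exe"),      # benign: manual software install
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe"}
PAYLOAD_LAUNCHERS = {"msiexec.exe", "python.exe", "pythonw.exe"}


def find_suspicious_chains(events):
    """Return (script_pid, shell_pid, payload_pid, payload_image) for every
    payload launcher whose parent is a shell and whose grandparent is a
    script host. Benign shells started from explorer.exe are not reported."""
    image = {pid: img.lower() for pid, _, img in events}
    parent = {pid: ppid for pid, ppid, _ in events}
    hits = []
    for pid, ppid, img in events:
        if img.lower() not in PAYLOAD_LAUNCHERS:
            continue
        shell_pid = ppid
        if image.get(shell_pid) not in SHELLS:
            continue
        script_pid = parent.get(shell_pid)
        if image.get(script_pid) in SCRIPT_HOSTS:
            hits.append((script_pid, shell_pid, pid, img.lower()))
    return hits


if __name__ == "__main__":
    for chain in find_suspicious_chains(SAMPLE_EVENTS):
        print("suspicious chain (script, shell, payload, image):", chain)
```

Only the two payloads under the wscript.exe-spawned cmd.exe are reported; the manually started installer is ignored because its grandparent is explorer.exe.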
Multi-Stage Infection and Geolocation Targeting
Trustwave security analysts have noted the malware’s sophistication, particularly its targeted approach towards Brazilian victims. A crucial aspect of its operation involves geolocation checks to verify whether the operating system language is set to Brazilian Portuguese. If the language setting does not match, the malware displays an error message and terminates. This prevents accidental infections outside its intended target region and also serves as a defense against sandbox analysis, making it harder for security researchers to study the malware.
The core functionality of Eternidade Stealer revolves around the theft of entire WhatsApp contact lists, achieved through a function named obter_contatos(). This function executes JavaScript code that calls the WPP.contact.list() API. The malware filters out non-personal contacts, such as groups, business accounts, and broadcast lists, focusing specifically on individual personal contacts who are more likely to be susceptible to phishing attempts. Each stolen contact record contains the full WhatsApp ID, contact name, phone number, and whether the contact is saved in the user’s address book.
After collecting this sensitive contact data, the malware immediately transmits it to a command-and-control (C2) server via HTTP POST requests, without any user interaction. Researchers observed that one threat actor’s infrastructure recorded 454 connection attempts globally. While the primary focus appears to be on Brazil, a significant portion of traffic originated from the United States and European countries, suggesting broader ambitions beyond its initial target market.
Dual-Layered Persistence and Financial Institution Targeting
What makes Eternidade Stealer particularly dangerous is its dual-layer persistence mechanism. The trojan uses hardcoded credentials to connect via IMAP to an email account controlled by the threat actors. This allows the attackers to dynamically update their C2 server infrastructure by sending instructions embedded in email subjects and bodies. This method ensures continuous communication and control even if specific C2 domains are seized by law enforcement or security firms.
The malware has been observed targeting over 40 Brazilian financial institutions. Additionally, it targets popular payment services like MercadoPago and cryptocurrency exchanges such as Binance and Coinbase. When a victim accesses a targeted banking application or financial service, the trojan activates its overlay capabilities, displaying convincing fake login screens designed to trick users into divulging their credentials. This credential theft is a primary objective of the malware, enabling unauthorized access to user accounts.
Eternidade Stealer also possesses system reconnaissance capabilities. It collects detailed information about the victim’s system, including operating system details, installed antivirus software, public and local IP addresses, and a list of running processes. This reconnaissance data helps the threat actors determine the most effective attack vector and whether to proceed with credential theft or the deployment of banking overlays. This holistic approach allows for a more tailored and effective attack against each victim.
Future Outlook and Uncertainties
The ongoing evolution of mobile malware like Eternidade Stealer underscores the need for continuous vigilance from both users and security professionals. As messaging platforms remain a primary communication channel, they will likely continue to be exploited for malware distribution. The dynamic nature of the C2 infrastructure, facilitated by email communication, presents a significant challenge for tracking and disrupting the malware’s operations. The broader attack ambitions suggested by international traffic patterns indicate that threat actors may expand their target list beyond Brazil in the future, requiring a global response from cybersecurity agencies.