AI-Driven WhatsApp Web Attacks Target Brazilian Users with Sophisticated Malware Campaign Water Saci

Water Saci Hackers Exploit AI to Launch Sophisticated Attacks on WhatsApp Web Users

In a concerning development, cybercriminals have intensified their efforts by launching a sophisticated campaign known as Water Saci, targeting Brazilian users through WhatsApp Web. This campaign employs advanced artificial intelligence (AI) techniques to distribute banking trojans, aiming to steal sensitive financial information.

Infection Mechanism

The attack begins when victims receive seemingly legitimate messages containing malicious attachments. These attachments often come in the form of ZIP archives, PDF files masquerading as Adobe updates, or HTA files with specific naming patterns like A-{random}.hta. Upon opening these files, a multi-stage attack sequence is initiated, involving Visual Basic scripts and MSI installers. This sequence stealthily downloads a banking trojan while deploying automation scripts designed to hijack the victim’s WhatsApp session, facilitating further propagation of the malware.

AI-Driven Evolution

Trend Micro security analysts have identified a significant shift in the malware’s development, with attackers leveraging AI to enhance their capabilities. By utilizing Large Language Models (LLMs), the attackers have translated and optimized their propagation code, transitioning from PowerShell to a more robust Python-based infrastructure. This strategic shift enhances the malware’s ability to spread across various browsers, including Chrome, Edge, and Firefox, making detection more challenging for standard security tooling.

Technical Insights

A critical component of this evolution is the whatsz.py script, which replaces earlier PowerShell variants. Analysis reveals evidence of AI-assisted coding, such as a script header explicitly stating "Versao Python Convertido de PowerShell" and comments like "version optimized with errors handling". The script utilizes component files like chromedriver.exe to automate the infection process, employing Selenium to inject the WA-JS library, extract contact lists, and send malicious files in bulk to unsuspecting victims.

The Python code exhibits a sophisticated object-oriented structure with advanced error handling, features typically absent in quick manual ports. For instance, the main automation class defines clear formatting for various statuses, ensuring reliable execution. Additionally, the console output includes colorful emojis, a trait rarely seen in standard malware but common in AI-generated codebases. This advanced automation allows the malware to operate autonomously, pausing and resuming tasks to blend in with normal network traffic while reporting progress to a command-and-control server.
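The naming pattern from the infection section (A-{random}.hta) and the script artifacts described above (the "Versao Python Convertido de PowerShell" header, the "version optimized with errors handling" comment, and the Selenium/chromedriver/WA-JS combination) are the kind of strings a defender can turn into a first-pass triage check. The following is an added example written for this article, not code from Trend Micro or from the campaign itself: it flags attachment filenames that match the reported pattern and scores a script body by which of the reported markers it contains. The regular expression, the marker list and the sample inputs are assumptions constructed from the article's description, not vendor-published indicators, so treat hits as a reason to investigate rather than as a verdict.

```python
import re

# Attachment naming pattern reported for the campaign: A-{random}.hta.
# The character class is an assumption; the article only says "random".
HTA_PATTERN = re.compile(r"^A-[A-Za-z0-9]+\.hta$", re.IGNORECASE)

# Header/comment strings the article reports in the whatsz.py script.
SCRIPT_MARKERS = (
    "Versao Python Convertido de PowerShell",
    "version optimized with errors handling",
)

# Capability markers: the article describes Selenium driving chromedriver.exe
# to inject the WA-JS library. Seeing several together is more telling than one.
CAPABILITY_MARKERS = ("selenium", "chromedriver", "wa-js")


def classify_attachment(name: str) -> str:
    """Return 'campaign-pattern', 'hta' or 'ok' for a single attachment filename."""
    if HTA_PATTERN.match(name):
        return "campaign-pattern"      # exact naming pattern from the article
    if name.lower().endswith(".hta"):
        return "hta"                   # any HTA delivered via chat is worth a look
    return "ok"


def score_script(text: str) -> dict:
    """Report which reported markers appear in a script body (case-insensitive).

    'suspicious' requires at least one header/comment marker AND at least two
    capability markers, so a lone 'selenium' import does not trigger it.
    """
    lowered = text.lower()
    header_hits = [m for m in SCRIPT_MARKERS if m.lower() in lowered]
    capability_hits = [m for m in CAPABILITY_MARKERS if m in lowered]
    return {
        "header_hits": header_hits,
        "capability_hits": capability_hits,
        "suspicious": bool(header_hits) and len(capability_hits) >= 2,
    }


def triage_attachments(names):
    """Return only the filenames that are not classified 'ok'."""
    return {n: classify_attachment(n) for n in names if classify_attachment(n) != "ok"}


# Constructed sample data (not real samples): a handful of attachment names and a
# harmless script stub that carries only the header/comment and import strings.
SAMPLE_ATTACHMENTS = ["A-7f3k9q.hta", "invoice.pdf", "update.hta", "A-x.HTA", "notes.txt"]

SAMPLE_SCRIPT = """\
# Versao Python Convertido de PowerShell
# version optimized with errors handling
from selenium import webdriver
DRIVER_PATH = "chromedriver.exe"
INJECT_LIB = "wa-js"
"""

if __name__ == "__main__":
    for name, verdict in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {verdict}")
    print(score_script(SAMPLE_SCRIPT))
```

The two checks are deliberately separate: the filename rule is cheap enough to run on a mail or chat gateway, while the script scoring belongs in sandbox or endpoint triage, where the body of a dropped .py file is available. Because the attackers are reported to regenerate code with LLMs, header strings are the most brittle indicator here; the capability co-occurrence is the part most likely to survive a re-port.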

Implications and Recommendations

The Water Saci campaign underscores the evolving threat landscape, where cybercriminals increasingly harness AI to enhance the sophistication and effectiveness of their attacks. Users are advised to exercise caution when receiving unsolicited messages, especially those containing attachments or links. Implementing robust security measures, such as up-to-date antivirus software and multi-factor authentication, can help mitigate the risk of infection.