Hackers Exploit WhatsApp to Deploy Stealthy Malware Harvesting Logs and Contacts
A sophisticated malware campaign has recently emerged, targeting Brazilian users by exploiting WhatsApp as its primary distribution channel. This attack leverages social engineering tactics, capitalizing on the trust users place in their contacts to disseminate banking trojans and harvest sensitive information.
Infection Mechanism
The campaign begins with phishing emails carrying ZIP archives that contain a Visual Basic Script (VBS) file. The script is obfuscated to defeat static signature scanning: strings are assembled one character at a time and the commands it runs are stored XOR-encoded and decoded at runtime. Once executed, the VBS downloads and silently installs Python, Selenium and ChromeDriver, the toolchain it later uses to drive WhatsApp Web through the victim's own browser.
By injecting JavaScript into the automated browser session, the malware reaches WhatsApp Web's internal APIs, which lets it enumerate the victim's contacts and send payloads to them programmatically. Notably, it never has to pass the QR code pairing step: the victim's browser already holds a linked WhatsApp Web session, so the malware copies the browser's cookies and local storage into a profile it controls and drives that copied profile instead.
Propagation and Persistence
Once embedded, the malware propagates by sending malicious messages to the victim’s WhatsApp contacts, effectively turning the compromised device into a distribution node. This method ensures rapid and widespread dissemination of the malware.
For persistence, the campaign runs an MSI installer that drops an AutoIt script alongside encrypted payload files and modifies the registry so the script keeps running across reboots. The script polls the title of the foreground window for banking-related keywords; when one appears, it decrypts the banking trojan and loads it straight into memory. Because the trojan exists on disk only in encrypted form and the decrypted code never touches the file system, scanners that inspect files alone never see the unpacked trojan.
Technical Breakdown
The initial VBS script’s obfuscation involves building strings character by character using `Chr()` functions and applying XOR operations to decode malicious commands. After deobfuscation, the script downloads two components: an MSI file and another VBS file. The latter drops a batch script that installs Python, ChromeDriver, and Selenium packages, automating the setup for WhatsApp manipulation without user intervention.
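The two obfuscation layers described above, `Chr()` runs that rebuild strings and integer arrays that XOR-decode into commands, can be undone statically without executing the script. The following deobfuscator is an added example written for this article, not the campaign's own code or an analyst tool it mentions: the VBS snippet it operates on is constructed to have the same shape (a key and a URL built from `Chr()`, an XOR-encoded command stored as `Array(...)`), and the key `S3c` and the decoded `msiexec` line are invented for the example. It folds every `Chr(n) & Chr(n)` run into a string literal, then tries every recovered literal as an XOR key against every integer array and ranks the results by how printable they are.

```python
import re

# Constructed sample in the shape the article describes; not the real script.
SAMPLE_VBS = r'''
Dim k, u, p
k = Chr(83) & Chr(51) & Chr(99)
u = Chr(104) & Chr(116) & Chr(116) & Chr(112)
p = Array(62,64,10,54,75,6,48,19,76,58,19,2,125,94,16,58,19,76,34,93)
'''

# A run of Chr(n) calls joined by the VBS concatenation operator "&".
CHR_RUN = re.compile(r'Chr\(\s*\d+\s*\)(?:\s*&\s*Chr\(\s*\d+\s*\))*')
CHR_ONE = re.compile(r'Chr\(\s*(\d+)\s*\)')
ARRAY_RE = re.compile(r'Array\(([\d,\s]+)\)')
STRING_LIT = re.compile(r'"((?:[^"]|"")*)"')


def fold_chr_runs(vbs: str) -> str:
    """Replace each Chr(n) & Chr(n) ... run with the equivalent quoted VBS literal."""
    def repl(m: re.Match) -> str:
        text = ''.join(chr(int(n)) for n in CHR_ONE.findall(m.group(0)))
        return '"' + text.replace('"', '""') + '"'   # VBS escapes " as ""
    return CHR_RUN.sub(repl, vbs)


def string_literals(vbs: str) -> list[str]:
    """All quoted literals in the (folded) script; candidate XOR keys."""
    return [m.group(1).replace('""', '"') for m in STRING_LIT.finditer(vbs)]


def int_arrays(vbs: str) -> list[list[int]]:
    """All Array(n, n, ...) literals; candidate encoded payloads."""
    return [[int(x) for x in m.group(1).split(',')] for m in ARRAY_RE.finditer(vbs)]


def xor_decode(data: list[int], key: bytes) -> bytes:
    """Repeating-key XOR, the decode loop the obfuscated script performs at runtime."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(blob: bytes) -> float:
    return sum(32 <= c < 127 for c in blob) / max(len(blob), 1)


def deobfuscate(vbs: str) -> tuple[str, list[tuple[str, str]]]:
    """Return the folded script and (key, plaintext) candidates, best first."""
    folded = fold_chr_runs(vbs)
    candidates = []
    for arr in int_arrays(folded):
        for key in string_literals(folded):
            out = xor_decode(arr, key.encode('latin-1'))
            candidates.append((printable_ratio(out), key, out.decode('latin-1')))
    candidates.sort(key=lambda c: c[0], reverse=True)
    return folded, [(k, p) for _, k, p in candidates]


if __name__ == '__main__':
    folded, decoded = deobfuscate(SAMPLE_VBS)
    print(folded)
    for key, plaintext in decoded:
        print(f'key={key!r}: {plaintext!r}')
```

The wrong key (`http`) still produces a candidate, just a low-ranked one, which is why the ranking matters more than a hard filter when the real key is not obvious. The regex deliberately covers only plain `Chr(n)`; `ChrW()`, `Chr(Asc(...))` or arithmetic inside the call would need extra patterns.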
The Python script, named `whats.py`, takes over the victim's WhatsApp Web session by copying the browser profile, including cookies and local storage, to a temporary directory and launching Chrome against that copy through Selenium's `user-data-dir` argument. Because the copied profile already contains a linked session, WhatsApp Web opens without a QR code scan and the script can message contacts as the victim.
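That launch leaves a distinctive process-creation trace: a browser started by a WebDriver binary (or directly by a Python or script host), with WebDriver's automation switches on the command line and a profile directory outside the normal `User Data` location. The following detection is an added example, not part of the article or of any product's rule set. It runs over constructed Sysmon-style ProcessCreate records (the paths, the `wa_profile` directory name and the exact flags are assumptions; which automation switches ChromeDriver passes varies by Chrome and ChromeDriver version) and reports why an event looks like a hijacked session.

```python
import re

# Indicators; assumptions about what Selenium/ChromeDriver put on the command line.
WEBDRIVER_PARENTS = {"chromedriver.exe", "msedgedriver.exe", "geckodriver.exe"}
SCRIPT_HOST_PARENTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "autoit3.exe"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
AUTOMATION_FLAGS = ("--enable-automation", "--test-type=webdriver",
                    "--remote-debugging-port", "--remote-debugging-pipe")
DEFAULT_PROFILE_ROOTS = (r"\appdata\local\google\chrome\user data",
                         r"\appdata\local\microsoft\edge\user data")
USER_DATA_DIR = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {   # what the whats.py stage would look like
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Users\victim\AppData\Local\Temp\chromedriver.exe",
        "CommandLine": (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                        r'--enable-automation --test-type=webdriver --remote-debugging-pipe '
                        r'--user-data-dir="C:\Users\victim\AppData\Local\Temp\wa_profile" '
                        r'https://web.whatsapp.com/'),
    },
    {   # ordinary browser start from the desktop
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    },
    {   # unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def user_data_dir(cmdline: str):
    """Value of --user-data-dir, quoted or bare, or None when absent."""
    m = USER_DATA_DIR.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def analyze(event: dict) -> list[str]:
    """Reasons a ProcessCreate event looks like a WebDriver-driven browser on a copied profile."""
    reasons = []
    if basename(event["Image"]) not in BROWSER_IMAGES:
        return reasons
    parent = basename(event["ParentImage"])
    if parent in WEBDRIVER_PARENTS:
        reasons.append("browser spawned by WebDriver binary " + parent)
    elif parent in SCRIPT_HOST_PARENTS:
        reasons.append("browser spawned by script host " + parent)
    cmd = event["CommandLine"].lower()
    flags = [f for f in AUTOMATION_FLAGS if f in cmd]
    if flags:
        reasons.append("automation switches: " + ", ".join(flags))
    udd = user_data_dir(event["CommandLine"])
    if udd and not any(root in udd.lower() for root in DEFAULT_PROFILE_ROOTS):
        reasons.append("profile loaded from non-default location " + udd)
    return reasons


def is_alert(event: dict) -> bool:
    """Alert on two or more independent indicators to avoid firing on a lone flag."""
    return len(analyze(event)) >= 2


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["Image"]), "ALERT" if is_alert(ev) else "ok", analyze(ev))
```

On a fleet where Selenium is legitimately used (QA hosts, RPA bots) the same logic fires, so scope it to user workstations or baseline those hosts; on an ordinary end-user machine a browser driven by ChromeDriver out of `%TEMP%` has no benign explanation.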
Implications and Recommendations
This campaign shows how criminals turn a trusted messaging platform into a worm-like distribution channel. Because the lures arrive from compromised contacts, the sender's identity is not a trust signal: users should treat any WhatsApp or email message that carries an archive, especially one that unpacks to a script such as a .vbs file, with suspicion regardless of who sent it. For defenders, the toolchain is itself a tell: Python, Selenium and ChromeDriver silently installed on an end-user machine, a browser launched from a copied profile, and an AutoIt script watching window titles are all observable, so up-to-date endpoint protection should be paired with monitoring for that behaviour and with user education on this kind of contact-based phishing.