Microsoft Alerts Users to WhatsApp-Delivered VBS Malware Exploiting UAC Bypass
Microsoft has identified a campaign that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files to Windows users. Active since late February 2026, the campaign runs a multi-stage infection chain that establishes persistence on the compromised machine and hands the operators remote access to it.
Initial Infection Vector:
The attack begins when a user receives a WhatsApp message carrying a VBS file and runs it. Windows hands .vbs files to the Windows Script Host on double-click, so the script executes with the user's privileges immediately. It creates hidden directories under C:\ProgramData and drops renamed copies of legitimate Windows utilities into them: curl.exe is stored as netapi.dll and bitsadmin.exe as sc.exe. Because the binaries are genuine and the chosen names look like ordinary Windows components, the files blend in with normal system activity and slip past detection that keys on file names. Renaming does not alter an executable's version resource, however, so the OriginalFilename field still identifies the real utility.
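That version-resource mismatch is the hook a defender can hunt on: a file called netapi.dll whose OriginalFilename reads curl.exe is exactly the artifact described above. The PowerShell hunt below is an added example, not code from Microsoft's report. The root directory, the two utility names and the rule that a visible file is only reported when its OriginalFilename is on the known list are assumptions drawn from the description above.

```powershell
# Added example: hunt for renamed copies of Windows utilities under C:\ProgramData.
# Assumptions: the root path, the utility names taken from the article, and the
# reporting rule (known utility name, or any mismatch in a hidden file).

$Root           = 'C:\ProgramData'
$KnownOriginals = @('curl.exe', 'bitsadmin.exe')   # OriginalFilename values to look for

# Hashes of the genuine System32 copies, so a hit can be confirmed as a byte-identical
# copy of the real utility rather than a trojanised file with a spoofed version resource.
$System32Hashes = @{}
foreach ($name in $KnownOriginals) {
    $sysPath = Join-Path $env:windir "System32\$name"
    if (Test-Path $sysPath) {
        $System32Hashes[$name] = (Get-FileHash -Path $sysPath -Algorithm SHA256).Hash
    }
}

function Find-RenamedUtility {
    param([string]$Path = $Root)

    # -Force descends into hidden directories and returns hidden files.
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $orig = $_.VersionInfo.OriginalFilename
        if ([string]::IsNullOrWhiteSpace($orig)) { return }   # no version resource: nothing to compare
        $orig   = $orig.Trim()
        $hidden = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)

        # PowerShell string comparison is case-insensitive, which matters because
        # Microsoft version resources often use mixed case (e.g. "Cmd.Exe").
        if ($orig -eq $_.Name) { return }                       # name matches: not renamed

        $isKnownUtility = $KnownOriginals -contains $orig
        if (-not ($isKnownUtility -or $hidden)) { return }      # plain mismatch in a visible file: ignore

        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path                = $_.FullName
            OnDiskName          = $_.Name
            OriginalFilename    = $orig
            Hidden              = $hidden
            IdenticalToSystem32 = ($System32Hashes[$orig] -eq $hash)
            SHA256              = $hash
        }
    }
}

Find-RenamedUtility | Format-Table -AutoSize
```

Run it from an elevated prompt so that every directory under C:\ProgramData is readable. An IdenticalToSystem32 value of True confirms the file is the unmodified Windows utility, which is what the campaign is described as dropping; a False with a matching OriginalFilename deserves a closer look, since a version resource can be copied onto any binary.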
Establishing Persistence and Privilege Escalation:
Once the foothold is in place, the malware works to keep control of the system and to raise its privileges. It fetches additional VBS files from reputable cloud storage services, including AWS S3, Tencent Cloud and Backblaze B2, using the renamed curl and bitsadmin binaries described above. Hosting the stages on well-known storage providers means the downloads go to domains that most organisations cannot block outright.
The malware then weakens User Account Control (UAC). It repeatedly attempts to launch cmd.exe with elevated privileges, retrying until the elevation succeeds or the process is forcibly terminated. It also modifies registry entries under HKLM\Software\Microsoft\Win and installs mechanisms that keep the infection running across reboots.
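Two things in the paragraph above can be checked on a host even though the excerpt does not name the exact registry values that are changed: whether UAC has been weakened, and whether an autostart entry now points at script content under C:\ProgramData. The PowerShell triage below is an added example rather than code from the Microsoft report. The UAC value names are the documented Windows policy values under the Policies\System key; the "weak" settings and the pattern used to flag autostart commands are assumptions based on the behaviours described on this page.

```powershell
# Added triage example (not from the Microsoft report). Checks the documented UAC
# policy values and the common Run keys / scheduled tasks for entries that point at
# script hosts or at C:\ProgramData. The weak values and the pattern are assumptions.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value -> setting that disables or silences UAC. Stock defaults are EnableLUA=1,
# ConsentPromptBehaviorAdmin=5 (prompt for consent), PromptOnSecureDesktop=1.
$UacWeakValues = @{
    EnableLUA                  = 0   # UAC off entirely (takes effect after reboot)
    ConsentPromptBehaviorAdmin = 0   # elevate without prompting
    PromptOnSecureDesktop      = 0   # prompt on the normal desktop, where it can be automated
}

function Test-UacPolicy {
    $props = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    foreach ($name in $UacWeakValues.Keys) {
        $actual = $props.$name
        [pscustomobject]@{
            Value    = $name
            Actual   = $actual
            Weakened = ($null -ne $actual) -and ([int]$actual -eq $UacWeakValues[$name])
        }
    }
}

# HKCU covers only the user running the script; repeat per user hive if needed.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed indicator pattern: script hosts, .vbs files, or anything under ProgramData.
$SuspiciousCommand = 'wscript|cscript|\.vbs\b|\\ProgramData\\'
$RegistryMetadata  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Find-SuspiciousAutostart {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($RegistryMetadata -contains $prop.Name) { continue }   # provider noise, not Run values
            if ("$($prop.Value)" -match $SuspiciousCommand) {
                [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
    # Scheduled tasks are the other common reboot-survival mechanism.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match $SuspiciousCommand) {
                [pscustomobject]@{
                    Source  = "Task $($task.TaskPath)$($task.TaskName)"
                    Name    = $task.TaskName
                    Command = $cmd
                }
            }
        }
    }
}

Test-UacPolicy           | Format-Table -AutoSize
Find-SuspiciousAutostart | Format-Table -AutoSize
```

A Weakened value of True on ConsentPromptBehaviorAdmin is the one to escalate first: with it set to 0, every later elevation request succeeds without a prompt, which is precisely what the retry loop described above is trying to reach. Anything returned by Find-SuspiciousAutostart should be cross-checked against the renamed-binary hunt, since the two artifacts are expected to appear together.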
Deployment of Malicious Payloads:
With elevated privileges, the attackers install unsigned Windows Installer (MSI) packages. These can carry legitimate remote-access software such as AnyDesk which, when installed without the user's knowledge, gives the attackers persistent remote access to the machine. That access is then used to exfiltrate sensitive data or to deploy further payloads.
Sophisticated Attack Techniques:
The chain combines social engineering (delivery over WhatsApp), stealth (renamed legitimate tools, hidden directories and hidden file attributes) and payload hosting on trusted cloud storage. Each component looks legitimate in isolation, so detections keyed to known-bad binaries or domains see little to alert on, and the operators reach the post-exploitation stage more often.
Recommendations for Users:
To mitigate the risks associated with this campaign, users are advised to:
– Exercise Caution with Unsolicited Messages: Be wary of unexpected messages, especially those containing attachments or links, even if they appear to come from known contacts.
– Avoid Executing Unknown Scripts: Do not run scripts or executables from untrusted sources. Treat a .vbs file received over a messaging app exactly as you would an .exe, and do not approve a UAC prompt you did not trigger yourself.
– Keep Systems Updated: Regularly update operating systems and software to patch known vulnerabilities.
– Utilize Security Solutions: Employ reputable antivirus and anti-malware solutions to detect and prevent malicious activities.
– Monitor System Activity: Review process-creation and network logs for script hosts (wscript.exe, cscript.exe) launched from user-writable paths, executables under C:\ProgramData whose version information does not match their file name, and unexpected outbound connections to cloud storage services.
By following these practices, users improve their security posture and reduce the likelihood of falling victim to this and similar campaigns.