WhatsApp Worm Propagates Astaroth Banking Trojan Across Brazil
Cybersecurity experts have recently uncovered a sophisticated campaign leveraging WhatsApp to disseminate the Astaroth banking trojan, primarily targeting users in Brazil. Dubbed Boto Cor-de-Rosa by the Acronis Threat Research Unit, this operation signifies a notable evolution in malware distribution tactics.
The Astaroth trojan, also known as Guildma, has been active since 2015, predominantly affecting Latin American countries, with Brazil being a primary target. Its primary function is to steal sensitive data, including banking credentials, from infected systems. Historically, Astaroth has been disseminated through phishing emails and malicious attachments. However, the current campaign introduces a novel propagation method by exploiting WhatsApp’s extensive user base in Brazil.
Mechanism of Infection:
The infection begins when a victim receives a WhatsApp message containing a ZIP file from a trusted contact. This ZIP file contains a Visual Basic Script (VBS) disguised as a legitimate document. Upon execution, the VBS downloads and runs additional components, setting the stage for the malware’s deployment.
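As an added illustration of the lure described above (this is not code from the Acronis report), the following Python check inspects a ZIP attachment and flags script entries that masquerade as documents, the kind of pre-delivery check a messaging gateway or endpoint tool could apply. The archive contents and file names are constructed for the example.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows runs as a script or launcher when the user double-clicks them.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".bat", ".cmd", ".ps1", ".lnk"}
# Extensions a victim expects a "legitimate document" or photo to carry.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def inspect_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry_name, reason) for every suspicious member of a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Look only at the base name; strip padding spaces lures use to hide the real extension.
            parts = [p.strip() for p in name.lower().rsplit("/", 1)[-1].split(".")]
            if len(parts) < 2:
                continue  # no extension at all
            ext = "." + parts[-1]
            inner = "." + parts[-2] if len(parts) >= 3 else None
            if ext in SCRIPT_EXTENSIONS:
                if inner in DOCUMENT_EXTENSIONS:
                    findings.append((name, f"script {ext} masquerading as {inner} document"))
                else:
                    findings.append((name, f"executable script {ext} inside archive"))
            elif ext == ".zip":
                findings.append((name, "nested archive"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a ZIP holding an inert VBS disguised as a PDF plus a benign image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Comprovante.pdf.vbs", "' constructed placeholder script, does nothing\r\n")
        zf.writestr("foto.jpg", b"\xff\xd8\xff\xe0 constructed jpeg header")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in inspect_zip(build_sample_archive()):
        print(f"BLOCK {entry}: {reason}")
```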
The attack comprises two primary modules:
1. Propagation Module: Written entirely in Python, this module extracts the victim’s WhatsApp contact list and autonomously sends the malicious ZIP file to each contact. This self-propagating behavior enables the malware to spread rapidly, mimicking worm-like characteristics.
2. Banking Module: Operating stealthily in the background, this module monitors the victim’s web activity. When the user accesses banking-related websites, the malware activates to capture login credentials and other sensitive information, facilitating financial theft.
Acronis researchers have noted that the malware includes a mechanism to track its propagation metrics in real time. It logs statistics such as the number of messages successfully delivered, failed attempts, and the rate of message transmission per minute.
Evolution of Tactics:
The adoption of WhatsApp as a distribution vector marks a significant shift in malware dissemination strategies. Given WhatsApp’s widespread usage in Brazil, this method capitalizes on the inherent trust users place in messages from known contacts, thereby increasing the likelihood of successful infections.
This approach is not isolated. In December 2025, Trend Micro detailed a similar campaign by the threat actor Water Saci, which utilized WhatsApp to spread the Maverick banking trojan and a variant of Casbaneiro. These campaigns underscore a growing trend among cybercriminals to exploit popular messaging platforms for malware distribution.
Technical Insights:
The core Astaroth payload remains written in Delphi, a language commonly used in Latin American malware development. The installer relies on Visual Basic Script, while the newly added WhatsApp-based worm module is implemented entirely in Python. This multi-language approach highlights the threat actors’ adaptability and their use of modular components to enhance the malware’s functionality and resilience.
The Python-based propagation module’s use of WhatsApp for spreading the malware is particularly concerning. By automating the sending of malicious messages to all contacts, the malware can achieve rapid and widespread distribution. It also complicates defense, because messages arriving from trusted contacts are less likely to raise suspicion.
Implications and Recommendations:
The emergence of this campaign has several implications:
– Increased Risk of Infection: Users are more likely to trust and open messages from known contacts, leading to higher infection rates.
– Rapid Spread: The worm-like behavior facilitates swift propagation across networks, potentially leading to large-scale outbreaks.
– Financial Threat: The banking module’s ability to harvest credentials poses a significant risk to users’ financial security.
To mitigate these risks, users are advised to:
– Exercise Caution: Be wary of unsolicited messages containing attachments, even from known contacts.
– Verify Authenticity: Confirm the legitimacy of unexpected files or links through alternative communication channels before opening them.
– Maintain Updated Security Software: Ensure that antivirus and anti-malware programs are up-to-date to detect and prevent infections.
– Educate Users: Raise awareness about such threats and promote safe online practices within organizations and communities.
The use of WhatsApp as a vector for malware distribution represents a concerning evolution in cyber threats. As cybercriminals continue to exploit trusted communication platforms, it is imperative for users and organizations to remain vigilant and adopt proactive security measures to safeguard against such sophisticated attacks.