Cybersecurity researchers have revealed details of a new campaign that combines social engineering and WhatsApp hijacking to distribute a Delphi-based banking Trojan named Eternidade Stealer as part of an attack targeting users in Brazil.
“It uses Internet Message Access Protocol (IMAP) to dynamically obtain a command and control (C2) address, allowing the attacker to update the C2 server,” said Trustwave SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi in technical details of the campaign shared with The Hacker News.
“It is being distributed through a WhatsApp worm campaign, with the attackers now deploying a Python script from a previous PowerShell-based script to hijack WhatsApp and spread malicious attachments.
This discovery comes on the heels of another campaign called Water Saci that targeted users in Brazil with a worm propagated via WhatsApp Web known as SORVEPOTEL. The worm acts as a vector for the Maverick .NET banking Trojan, which is believed to be an evolution of the .NET banking malware known as Coyote.
The Eternidade Stealer cluster is part of a broader operation that exploits WhatsApp’s popularity in the South American country to use the messaging app as a propagation vector to compromise targeted victims’ systems and launch large-scale attacks against Brazilian institutions.
Another notable trend is that Delphi-based malware continues to be the preferred choice for attackers targeting Latin America. This is mainly due to the fact that programming languages were taught and used for software development in this region, as well as for their technical efficiency.
The starting point of the attack is an obfuscated Visual Basic script that features comments written primarily in Portuguese. When executed, this script drops a batch script that delivers two payloads, effectively forking the infection chain in two.
Python script that triggers WhatsApp Web-based distribution of malware in a worm-like manner MSI installer that leverages AutoIt script to launch Eternidade Stealer
A Python script similar to SORVEPOTEL establishes communication with a remote server and leverages the open source project WPPConnect to automate sending messages via WhatsApp to hijacked accounts. It does this by collecting the victim’s entire contact list while excluding groups, business contacts, and broadcast lists.
The malware then captures information for each contact, including their WhatsApp phone number, name, and whether it is a saved contact. This information is sent to an attacker-controlled server via an HTTP POST request. In the final stage, the malicious attachment is sent to all contacts in the form of a malicious attachment by utilizing a messaging template and entering time-based greetings and contact names in specific fields.
The second stage of the attack begins with the MSI installer dropping several payloads. This includes an AutoIt script that checks if the operating system language is Brazilian Portuguese to determine if a compromised system is based in Brazil. Otherwise, the malware will self-terminate. This indicates a very localized targeting activity on the part of the attacker.
The script then scans running processes and registry keys for the presence of installed security products. It also profiles machines and sends details to a command and control (C2) server. The attack culminates with the malware injecting the Eternidade Stealer payload into ‘svchost.exe’ using process hollowing.
Eternidade, a Delphi-based credential stealer, continuously scans active windows and running processes for strings related to banking portals, payment services, and crypto exchanges and wallets, including Bradesco, BTG Pactual, MercadoPago, Stripe, Binance, Coinbase, MetaMask, and Trust Wallet.
“Such behavior reflects classic banker and overlay stealer tactics, where the malicious component remains dormant until the victim opens the targeted banking or wallet application, triggering the attack only in the relevant context, and remaining invisible to ordinary users and sandbox environments,” the researchers said.
Once a match is found, it connects to a C2 server and retrieves the details from your inbox linked to terra.com.[.]br email address. It reflects a tactic Water Saci has recently adopted. This allows attackers to update the C2, maintain persistence, and evade detection and deletion. If the malware is unable to connect to your email account using hard-coded credentials, it uses a fallback C2 address embedded in the source code.
As soon as a connection is established with the server, the malware waits for incoming messages and is processed and executed on the infected host, allowing the attacker to log keystrokes, capture screenshots, and steal files. Some of the notable commands are listed below.
<|OK|>collect system information. <|PING|>monitors user activity and reports the currently active window. <|PedidoSenhas|>sends a custom overlay against credential theft based on the active window.
According to Trustwave, two panels were discovered after analyzing the threat actor’s infrastructure. One is for managing the redirector system, and the other is a login panel that was likely used to monitor infected hosts. The redirector system includes logs that show the total number of visits and blocks for connections attempting to reach C2 addresses.
The system only allows access to machines located in Brazil and Argentina, but blocked connections are redirected to “google”.[.]Statistics recorded on the panel show that 452 out of 454 visits were blocked due to geofencing restrictions. Only the remaining two visits are said to have been redirected to the campaign’s target domain.
Of the 454 communications records, 196 connections originated from the United States, followed by the Netherlands (37), Germany (32), the United Kingdom (23), France (19), and Brazil (3). There were 115 connections made by the Windows operating system, but panel data shows there were also connections from macOS (94), Linux (45), and Android (18).
“Although the malware family and delivery vector are primarily Brazilian, the potential operational footprint and victim exposure is much more global,” Trustwave said. “Cybersecurity defenders should remain vigilant for suspicious WhatsApp activity, unexpected MSI or script execution, and indicators related to this ongoing campaign.”
Source link
