Brazilian users are emerging as targets for new self-propagation malware spread through the popular messaging app WhatsApp.
The campaign codenamed Sorvepotel by Trend Micro, armed with trust on the platform to extend reach across Windows systems, adding that the attacks are “designed for speed and propagation” rather than data theft or ransomware.
“Sorvepotel has been observed to spread across Windows systems by persuading phishing messages with malicious ZIP attachments,” said researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, CJ Arsley Mateo, Jacob Santos and Paul John Bardon.
“Interestingly, phishing messages containing attachments of malicious files suggest that users need to open it on the desktop and that threat actors may be more interested in targeting businesses than consumers.”
Once the attachment is opened, the malware is automatically propagated through the desktop web version of WhatsApp, and ultimately banned infected accounts because they will participate in excessive spam. There is no indication that the threat actor has leveraged access to encrypt Exfiltrate data or files.
The majority of infectious diseases (457 out of 477 cases) are concentrated in Brazil, with entities in the government, public services, manufacturing, technology, education and construction sectors having the most impact.
The starting point for the attack is a phishing message sent from WhatsApp’s already compromised contacts. This message contains a zip attachment that disguises it as a seemingly harmless receipt or a health app-related file.
That said, there is evidence to suggest that the operator behind the campaign used email to distribute ZIP files from seemingly legitimate email addresses.
If the recipient drops on the trick and opens an attachment, they are invited to open a Windows Shortcut (LNK) file. This quietly triggers the execution of a PowerShell script to retrieve the main payload from an external server at startup (e.g. Sorvetenopoate[.]com).
The downloaded payload is a batch script designed to establish host persistence by automatically copying it to the Windows Startup folder, and is automatically launched following the start of the system. It is also designed to run PowerShell commands that reach the Command and Control (C2) server to get further instructions or additional malicious components.
At the heart of Sorvepotel’s operation is the propagation mechanism focused on WhatsApp. When Malware detects that WhatsApp Web is active on an infected system, it can distribute malicious ZIP files to all contacts and groups associated with the victim’s compromised account, and spread them quickly.
“This automated spread leads to a large number of spam messages and frequently leads to account suspension or banning due to violation of WhatsApp’s terms of service,” Trend Micro said.
“The Sorvepotel campaign shows how threat actors can increasingly leverage popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction.”
Source link
