Brazil Hit By Banking Trojan Spread Via Whatsapp Worm And Relaynfc...

The threat actor known as Water Saci is actively evolving its tactics, switching to a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate via WhatsApp a worm that deploys a banking trojan in attacks targeting users in Brazil.

The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the malware in a worm-like manner over WhatsApp Web.

"Their new multi-format attack chain and possible use of artificial intelligence (AI) to convert propagation scripts from PowerShell to Python exemplifies a layered approach that has enabled Water Saci to bypass conventional security controls, exploit user trust across multiple channels, and ramp up their infection rates," Trend Micro researchers Jeffrey Francis Bonaobra, Sarah Pearl Camiling, Joe Soares, Byron Gelera, Ian Kenefick, and Emmanuel Panopio said.

In these attacks, users receive messages from trusted contacts on WhatsApp, urging them to interact with malicious PDF or HTA attachments and activate the infection chain and ultimately drop a banking trojan that can harvest sensitive data. The PDF lure instructs victims to update Adobe Reader by clicking on an embedded link.

Users who receive HTA files are deceived into executing a Visual Basic Script immediately upon opening, which then runs PowerShell commands to fetch next-stage payloads from a remote server, an MSI installer for the trojan and a Python script that's responsible for spreading the malware via WhatsApp Web.

"This newly observed variant allows for broader browser compatibility, object-oriented code structure, enhanced error handling, and faster automation of malware delivery through WhatsApp Web," Trend Micro said. "Together, these changes make propagation faster, more resilient to failure, and easier to maintain or extend."

The MSI installer, for its part, serves as a conduit for delivering the banking trojan using an AutoIt script. The script also runs checks to ensure that only one instance of the trojan is running at any given point of time. It accomplishes this by verifying the presence of a marker file named "executed.dat." If it does not exist, the script creates the file and notifies an attacker-controlled server ("manoelimoveiscaioba[.]com").

Other AutoIt artifacts uncovered by Trend Micro have also been found to verify whether the Windows system language is set to Portuguese (Brazil), proceeding further to scan the infected sys

Source: The Hacker News