Python-based Whatsapp Worm Spreads Eternidade Stealer Across...

Cybersecurity researchers have disclosed details of a new campaign that leverages a combination of social engineering and WhatsApp hijacking to distribute a Delphi-based banking trojan named Eternidade Stealer as part of attacks targeting users in Brazil.

"It uses Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the threat actor to update its C2 server," Trustwave SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi said in a technical breakdown of the campaign shared with The Hacker News.

"It is distributed through a WhatsApp worm campaign, with the actor now deploying a Python script, a shift from previous PowerShell-based scripts to hijack WhatsApp and spread malicious attachments."

The findings come close on the heels of another campaign, dubbed Water Saci, that has targeted Brazilian users with a worm known as SORVEPOTEL that propagates via WhatsApp Web and then acts as a conduit for Maverick, a .NET banking trojan assessed to be an evolution of the .NET banking malware dubbed Coyote.

The Eternidade Stealer cluster is part of a broader set of activity that abuses the ubiquity of WhatsApp in Brazil to compromise victims' systems and then uses the messaging app as a propagation vector to launch large-scale attacks against Brazilian institutions.

Another notable trend is the continued preference for Delphi-based malware among threat actors targeting Latin America, driven not only by the language's technical efficiency but also by the fact that Delphi was widely taught and used in software development in the region.

The starting point of the attack is an obfuscated Visual Basic Script, which features comments written mainly in Portuguese. The script, once executed, drops a batch script that's responsible for delivering two payloads, effectively forking the infection chain into two -

The Python script, like SORVEPOTEL, establishes communication with a remote server and leverages the open-source project WPPConnect to automate the sending of messages from hijacked WhatsApp accounts. To do this, it harvests the victim's entire contact list, filtering out groups, business contacts, and broadcast lists.

The malware then captures, for each contact, their WhatsApp phone number, name, and a flag indicating whether they are a saved contact. This information is sent to the attacker-controlled server over an HTTP

Source: The Hacker News