Whatsapp Malware 'maverick' Hijacks Browser Sessions To Target...

Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp.

According to a report from CyberProof, both malware strains are written in .NET, target Brazilian users and banks, and feature identical functionality to decrypt, targeting banking URLs and monitor banking applications. More importantly, both include the ability to spread through WhatsApp Web.

Maverick was first documented by Trend Micro early last month, attributing it to a threat actor dubbed Water Saci. The campaign involves two components: A self-propagating malware referred to as SORVEPOTEL that's spread via the desktop web version of WhatsApp and is used to deliver a ZIP archive containing the Maverick payload.

The malware is designed to monitor active browser window tabs for URLs that match a hard-coded list of financial institutions in Latin America. Should the URLs match, it establishes contact with a remote server to fetch follow-on commands to gather system information and serve phishing pages to steal credentials.

Cybersecurity firm Sophos, in a subsequent report, was the first to raise the possibility of whether the activity could be related to prior reported campaigns that disseminated Coyote targeting users in Brazil and if Maverick is an evolution of Coyote. Another analysis from Kaspersky found that Maverick did contain many code overlaps with Coyote, but noted it's treating it as a completely new threat targeting Brazil en masse.

The latest findings from CyberProof show that the ZIP file contains a Windows shortcut (LNK) that, when launched by the user, runs cmd.exe or PowerShell to connect to an external server ("zapgrande[.]com") to download the first-stage payload. The PowerShell script is capable of launching intermediate tools designed to disable Microsoft Defender Antivirus and UAC, as well as retrieve a .NET loader.

The loader, for its part, features anti-analysis techniques to check for the presence of reverse engineering tools and self-terminate if found. The loader then proceeds to download the main modules of the attack: SORVEPOTEL and Maverick. It's worth mentioning here that Maverick is only installed after ensuring that the victim is located in Brazil by checking the time zone, language, region, and date and time format of the infected host.

CyberProof said it also found evidence of the malware being used to single out hotels in Brazil, indica

Source: The Hacker News