- Worm Spread: Python-scripted WhatsApp worm targets Brazil, hijacking accounts to send a Delphi-based banking trojan, Eternidade Stealer.
- Infection Path: Starts with an obfuscated VBScript that drops a Python script and an MSI payload, used for WhatsApp propagation and a stealthy malware launch.
- Attack Method: Uses WPPConnect to auto-send fake messages from hijacked contacts, harvesting names and numbers to propagate.
- Target Focus: Brazilian banking apps (Bradesco, BTG Pactual), crypto wallets (MetaMask, Coinbase), and payment platforms like Stripe.
- Stealth and Persistence: Injects into svchost.exe, checks system language (Portuguese Brazil), and monitors security processes to avoid detection.

Security researchers at Trustwave SpiderLabs uncovered this campaign, which combines social engineering and WhatsApp hijacking in a novel way, leveraging the messaging app’s Web interface to self-replicate quickly and spread the Delphi-based malware. It marks a shift as threat actors move from PowerShell to Python for automation, targeting the widely popular messaging channel in Brazil.

Eternidade Stealer aggressively scans active windows and processes for bank app logins or cryptocurrency wallets, activating only when relevant apps appear, which helps it avoid sandbox detection. The malware connects to a command-and-control server whose address is fetched through an email inbox, allowing attackers to update or alter operations remotely and keeping the operation resilient even when parts of the infrastructure are taken down.

Victims should watch for suspicious WhatsApp activity, unexpected script executions, or MSI installers, and ensure up-to-date system monitoring and endpoint protections due to the malware’s complex evasion techniques.
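
The infection path above (a VBScript that leads to both a Python script and an MSI installer) can be hunted in process-creation telemetry. The following is an added example, not code from Trustwave or the original article: the event field names, the process names chosen as script hosts, and the sample records are assumptions constructed for illustration.

```python
# Added example: flag a Windows script host whose process tree launches both a
# Python interpreter and msiexec. All events below are constructed sample data.
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows hosts that run .vbs files
PYTHON = {"python.exe", "pythonw.exe"}
INSTALLER = {"msiexec.exe"}

# Constructed process-creation records (field names are assumptions, loosely
# modelled on process-creation logging: pid, parent pid, image path).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe"},
    {"pid": 230, "ppid": 210, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe"},  # user-started install
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe"},
    {"pid": 410, "ppid": 400, "image": r"C:\Python312\python.exe"},  # Python only
]

def name(event):
    """Lower-cased executable name, parsed as a Windows path on any OS."""
    return ntpath.basename(event["image"]).lower()

def flag_script_host_chains(events):
    """Return PIDs of script hosts that have both Python and msiexec descendants."""
    by_pid = {e["pid"]: e for e in events}
    seen = {}  # script-host pid -> kinds of descendant observed
    for e in events:
        kind = "python" if name(e) in PYTHON else "msi" if name(e) in INSTALLER else None
        if kind is None:
            continue
        # Walk up the ancestry; the visited set guards against PID loops.
        cur, visited = by_pid.get(e["ppid"]), set()
        while cur and cur["pid"] not in visited:
            visited.add(cur["pid"])
            if name(cur) in SCRIPT_HOSTS:
                seen.setdefault(cur["pid"], set()).add(kind)
            cur = by_pid.get(cur["ppid"])
    return sorted(pid for pid, kinds in seen.items() if kinds == {"python", "msi"})

if __name__ == "__main__":
    print(flag_script_host_chains(SAMPLE_EVENTS))
```

The ancestry walk matters because an intermediate process may sit between the script host and the payloads, so a direct parent-child match would miss the chain. In real telemetry, key the tree on a unique process identifier rather than the raw PID, since PIDs are reused.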
Additional Information
The Hacker News – WhatsApp Worm Analysis | Trustwave SpiderLabs Reports