Posted in

WhatsApp Hijack: Malware Targets Banking and Crypto Apps

by Rakesh0

A sophisticated malware campaign is targeting Brazilian users, leveraging WhatsApp as its primary distribution channel to spread banking trojans and harvest sensitive financial information. Researchers at K7 Security Labs have identified this variant as part of the broader Water-Saci campaign, which has been actively attacking financial institutions across Brazil.

How the Attack Works

The campaign begins with phishing emails containing ZIP archives of VBS scripts. These scripts use multi-layered obfuscation—including character encoding and XOR encryption—to evade detection by traditional security tools.

Once executed, the script:

  1. Downloads and installs Python, ChromeDriver, and Selenium WebDriver.
  2. Hijacks the victim’s WhatsApp Web session by copying browser cookies and local storage data.
  3. Injects malicious JavaScript into the browser to access WhatsApp’s internal APIs.

This approach bypasses QR code authentication, allowing attackers to automate message sending and spread malware across the victim’s contact network.

Technical Breakdown

  • Initial Payload: VBS script with obfuscation using Chr() and XOR operations.
  • Secondary Components: MSI installer drops AutoIt scripts and encrypted payloads.
  • Persistence: Registry modifications ensure malware survives reboots.
  • Banking Trojan Activation: Monitors active windows for Brazilian bank names or crypto wallet apps, then decrypts and loads trojan directly into memory, avoiding disk writes.

Why This Attack Is Dangerous

  • Exploits trust in WhatsApp contacts for social engineering.
  • Uses memory-only execution, making file-based detection ineffective.
  • Automates infection spread via WhatsApp Web APIs like:
    • WPP.contact.list
    • WPP.chat.sendTextMessage
    • WPP.chat.sendFileMessage

The malware also sends detailed logs back to attacker-controlled servers, enabling real-time monitoring of compromised systems.

Indicators of Compromise (IoCs)

  • Presence of whats.py Python script.
  • Chrome launched with --user-data-dir argument pointing to temporary profiles.
  • Suspicious outbound traffic to attacker PHP servers.

Defensive Recommendations

  • Block execution of VBS scripts from email attachments.
  • Monitor for unusual ChromeDriver and Selenium activity.
  • Implement behavioral detection for memory-only payloads.
  • Educate users on phishing awareness and WhatsApp session hijacking risks.

Key Takeaways

This campaign demonstrates how attackers combine social engineering, automation, and advanced obfuscation to compromise banking users at scale. Organizations and individuals should adopt multi-layered security measures to counter these evolving threats.

Subscribe

Leave a Reply

Your email address will not be published. Required fields are marked *