A widespread malware campaign is targeting WhatsApp users across several countries by sending deceptive messages containing malicious VBScript files that can ultimately grant attackers remote access to victims’ systems.
According to cybersecurity researchers at Kaspersky, the threat actors behind the campaign are disguising the malicious files as legitimate business and financial documents. These files are distributed through WhatsApp accounts that have already been compromised, making the messages appear trustworthy to recipients.
Once a victim downloads and executes the attachment, a multi-stage infection process begins. The attack eventually installs ManageEngine Endpoint Central, a legitimate system management tool commonly used by IT administrators to oversee devices from a centralized platform.
Kaspersky’s telemetry data indicates that the campaign has impacted users in Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.
The attack starts with WhatsApp messages sent from compromised accounts. These messages typically contain only a heavily obfuscated VBScript file designed to evade detection.
To increase the likelihood of users opening the attachment, the files are named to resemble invoices, financial reports, billing records, account notifications, and other business-related documents. Researchers also observed that the filenames are adapted to different languages, highlighting the global nature of the operation.
“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists,” Kaspersky explains.
“At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.”
If a Windows user opens the malicious file, the VBScript downloads two additional scripts from attacker-controlled servers. These scripts modify the Windows Registry to disable User Account Control (UAC) protections and retrieve a ZIP archive containing ManageEngine Endpoint Central.
The software is then installed silently in the background and configured to connect with servers controlled by the attackers. This setup provides cybercriminals with remote administration capabilities over the compromised machine.
Researchers noted a difference in execution behavior depending on the WhatsApp platform being used. When the file is received through WhatsApp Web, it must first be downloaded before execution. However, in the WhatsApp Desktop application, the file can be launched directly through Windows Script Host (wscript.exe).
Although Kaspersky has not attributed the campaign to a specific threat actor, investigators identified indicators suggesting the use of the Chinese language and found overlaps between the campaign’s infrastructure and IP addresses previously linked to ValleyRAT and Gh0st RAT operations.
Despite these fi
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: