Cybersecurity researchers have revealed a new campaign that uses WhatsApp to distribute a Windows banking trojan known as Astaroth, targeting users in Brazil. The operation, dubbed Boto Cor-de-Rosa by Acronis Threat Research Unit, turns the messaging platform itself into the malware's propagation channel.
The campaign retrieves the victim's WhatsApp contact list and then sends a malicious message to every contact, so each infection seeds the next round. Acronis noted that while the core Astaroth malware is still written in Delphi and its installer relies on a Visual Basic Script, the new WhatsApp worm component is written entirely in Python. The shift is in line with a broader trend of threat actors assembling attacks from modular components in several languages.
Astaroth has been active since 2015, primarily targeting Latin American users for data theft. Recent threat clusters, such as PINEAPPLE and Water Makara, have distributed the malware through phishing emails. The pivot to WhatsApp likely reflects the platform's popularity in Brazil; Trend Micro recently reported similar WhatsApp-based campaigns in the country.
Acronis' findings suggest that over 95% of affected devices are located in Brazil, with smaller numbers in the U.S. and Austria. Distribution relies on ZIP archives containing a downloader script that fetches additional payloads, including PowerShell or Python scripts that handle user data and drive further infection.
Once the victim extracts the archive, they find a Visual Basic Script disguised as a harmless file; launching it starts the infection.
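The chain just described (ZIP lure, a VBS downloader inside it, then PowerShell or Python stages launched by the script host) gives a defender two cheap places to look: the archive itself and the process tree. The script below is an added example, not Acronis' code or any artifact from the campaign. It builds a constructed stand-in for the lure archive in memory, flags archive members that are script payloads or double-extension lures, and then runs a simple parent/child rule over constructed process-creation events. The file names, paths and the `key=value|...` event format are assumptions made for the example.

```python
"""Triage helpers for a ZIP -> VBS -> PowerShell/Python infection chain.

Added example; not code from the campaign or from Acronis. The archive and the
process-creation events below are constructed inline so the script runs offline.
"""
import io
import zipfile

# Extensions Windows will hand to a script host or otherwise execute directly.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".py",
               ".lnk", ".exe", ".scr"}
# Extensions a lure borrows to look harmless, e.g. "comprovante.pdf.vbs".
BENIGN_EXTS = {".pdf", ".doc", ".docx", ".xlsx", ".jpg", ".png", ".txt"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGE2_IMAGES = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe"}


def build_sample_lure():
    """Constructed stand-in for the lure archive: a VBS with a double extension
    plus a decoy image. 'comprovante' (receipt) is an assumed lure name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("comprovante/comprovante.pdf.vbs", "' downloader stub (constructed)\r\n")
        zf.writestr("comprovante/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


def flag_archive(zip_bytes):
    """Return one finding per archive member that is a script payload.
    A double-extension name is reported as a lure; other script files as payloads."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith("/"):      # directory entry
                continue
            basename = info.filename.lower().rsplit("/", 1)[-1]
            parts = basename.split(".")
            if len(parts) < 2:
                continue
            ext = "." + parts[-1]
            if ext not in SCRIPT_EXTS:
                continue
            if len(parts) >= 3 and "." + parts[-2] in BENIGN_EXTS:
                findings.append("double-extension lure: " + info.filename)
            else:
                findings.append("script payload: " + info.filename)
    return findings


# Constructed process-creation events in an assumed "key=value|key=value" format.
SAMPLE_EVENTS = [
    "pid=5208|image=C:\\Windows\\System32\\wscript.exe|parent_image=C:\\Windows\\explorer.exe"
    "|cmdline=wscript.exe C:\\Users\\a\\Downloads\\comprovante\\comprovante.pdf.vbs",
    "pid=5310|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|parent_image=C:\\Windows\\System32\\wscript.exe"
    "|cmdline=powershell.exe -w hidden -File C:\\Users\\a\\AppData\\Local\\Temp\\stage2.ps1",
    "pid=5312|image=C:\\Users\\a\\AppData\\Local\\Programs\\Python\\python.exe"
    "|parent_image=C:\\Windows\\System32\\wscript.exe|cmdline=python.exe worm.py",
    # An admin opening PowerShell from Explorer: same child image, benign parent.
    "pid=5400|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|parent_image=C:\\Windows\\explorer.exe|cmdline=powershell.exe",
]


def parse_event(line):
    """Split one constructed event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def detect_chain(lines):
    """Return (pid, parent, child, cmdline) for every second stage spawned by a
    script host, i.e. wscript/cscript starting PowerShell or Python."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
        child = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if parent in SCRIPT_HOSTS and child in STAGE2_IMAGES:
            hits.append((ev.get("pid", ""), parent, child, ev.get("cmdline", "")))
    return hits


if __name__ == "__main__":
    for finding in flag_archive(build_sample_lure()):
        print("archive:", finding)
    for pid, parent, child, cmdline in detect_chain(SAMPLE_EVENTS):
        print(f"process chain: pid={pid} {parent} -> {child}: {cmdline}")
```

The archive check is deliberately name-based and therefore cheap enough to sit in a mail or chat gateway; it will not catch a script renamed to a benign extension, which is why the process-tree rule is the more durable of the two. The parent/child rule matches only the script-host-to-stage-2 edge, so an administrator launching PowerShell from Explorer (the last constructed event) is not flagged.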
The attack features two primary modules:
- A Python-based module that collects the victim’s WhatsApp contacts and sends them a harmful ZIP file, propagating the malware like a worm.
- A banking module that silently monitors the victim's web activity and activates when banking sites are accessed, stealing credentials for financial gain.
Acronis also noted that the malware includes a tracking mechanism to monitor and report propagation metrics in real time, logging details such as successful deliveries and failures.