Redazione RHC : 14 October 2025 07:20
Sophos analysts have uncovered a complex malware operation that uses the popular messaging service WhatsApp to spread banking Trojans targeting Brazilian banks and cryptocurrency exchanges.
A self-replicating malware emerged on September 29, 2025, featuring advanced evasion techniques and a complex, multi-stage infection chain designed to bypass current security protections. The attack campaign had a widespread impact, affecting more than 1,000 endpoints across over 400 customer environments, demonstrating the effectiveness and vast reach of the threat.
The attack occurs when victims download a malicious ZIP archive via WhatsApp Web from a previously infected contact. The social engineering component is particularly clever: the message claims that the attached content can only be viewed on a computer, thus tricking recipients into downloading and running the malware on desktop systems rather than mobile devices.
While investigating several incidents in Brazil, Sophos analysts discovered the complex infection mechanism used by the malware. This tactical approach allows the malware to operate in a stable environment and fully activate its payload capabilities.
The malware begins execution with a malicious Windows LNK file hidden within the ZIP archive. The LNK file contains an obfuscated Windows command that, once executed, builds and runs a Base64-encoded PowerShell command.
Portuguese comments embedded in the PowerShell code reveal the author’s intention to “add an exclusion in Microsoft Defender” and “disable UAC” (User Account Control). These changes create a permissive environment in which the malware can operate without triggering security alerts or requiring user interaction for privileged operations.
This first-stage PowerShell script secretly launches an Explorer process that downloads the next-stage payload from command-and-control servers, including hxxps[:]//www.zapgrande[.]com, expansiveuser[.]com, and sorvetenopote[.]com.
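To show how a defender could surface this first stage in process-creation telemetry, here is an added Python example (not code from the Sophos report or from this article) that decodes Base64-encoded PowerShell command lines and flags the two changes described above. The log lines and the encoded payload are constructed for the example, and the cmdlet and registry value names (Add-MpPreference, EnableLUA) are assumptions about how such changes are commonly made, not strings quoted from the report.

```python
import base64
import re

# Constructed stand-in for an encoded first stage, built here for the example; the
# cmdlet and registry value names are assumptions, not strings quoted from the report.
STAGE1_SCRIPT = (
    'Add-MpPreference -ExclusionPath "$env:TEMP"; '
    'Set-ItemProperty "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" '
    '-Name EnableLUA -Value 0'
)

def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed process-creation command lines (not real telemetry): benign, benign-but-encoded, and the stage above.
SAMPLE_LINES = [
    "powershell.exe -NoProfile -Command Get-Process",
    "powershell.exe -enc " + encode_ps("Get-Date"),
    "powershell.exe -w hidden -enc " + encode_ps(STAGE1_SCRIPT),
]

# Common spellings of the encoded-command switch followed by its Base64 argument.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# The two changes the article attributes to the first stage, as plaintext indicators.
INDICATORS = {
    "defender_exclusion": re.compile(r"Add-MpPreference|ExclusionPath", re.IGNORECASE),
    "uac_disable": re.compile(r"EnableLUA", re.IGNORECASE),
}

def decode_encoded_command(cmdline: str):
    """Return the decoded script when the line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline: str) -> dict:
    """Decode if needed, then match the indicators against the plaintext script."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"cmdline": cmdline, "encoded": decoded is not None, "hits": hits}

def flagged(lines):
    """Only the lines matching at least one indicator, whether encoded or in the clear."""
    return [r for r in map(analyze, lines) if r["hits"]]
```

Running `flagged(SAMPLE_LINES)` returns only the third constructed line, with both indicators listed; the benign encoded line is decoded but not flagged, which is the point of matching on the plaintext rather than on the presence of an encoded command alone.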
The threat actors demonstrate considerable familiarity with Windows security architecture and PowerShell features, using obfuscation methods that allow the malware to operate undisturbed for extended periods of time.
The campaign delivers two distinct payloads depending on the characteristics of the infected system: a legitimate Selenium browser automation tool with its corresponding ChromeDriver, and a banking Trojan named Maverick.
The Selenium payload allows attackers to control currently active browser sessions, making it easier to hijack WhatsApp Web sessions and trigger the worm’s self-propagation process.