Malicious Campaign Targets WhatsApp Users
A new social engineering campaign is weaponizing WhatsApp direct messages to distribute malicious Visual Basic Script (VBScript) files. According to cybersecurity firm Kaspersky, the active operation targets users of WhatsApp Desktop and WhatsApp Web across a wide geographic area, including Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam. The highest concentration of victims has been recorded in Malaysia.
The attackers employ deceptive file names designed to impersonate legitimate business and financial documents. Examples such as “Financial Reports.vbs” and “Account Statement.vbs” are used to trick recipients into downloading and executing the malicious attachment. Some files are named in other languages including Portuguese, French, German, and Malay, reflecting the global nature of the campaign.
Infection Chain and Objectives
Once a victim executes the heavily obfuscated VBScript file using “WScript.exe,” it initiates a multi-stage infection process. The script fetches and runs additional VBScript components from a remote server. One of these components attempts to tamper with Windows User Account Control (UAC) settings, while another downloads and executes a ZIP archive containing the installation package for ManageEngine RMM Central, a legitimate Remote Monitoring and Management (RMM) tool.
The infection chain varies slightly depending on whether the victim uses WhatsApp Web or the Desktop application. With the web version, the user must manually download the file and open it. In the Desktop version, however, the malware is executed directly within the application, with the background process “WhatsApp.Root.exe” spawning “WScript.exe.” The attackers’ ultimate goal is to gain remote access to the victim’s system through the installed RMM software.
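The two execution paths above (WhatsApp.Root.exe spawning WScript.exe on Desktop, a user-opened .vbs from a download folder on Web) and the UAC tampering step give a defender three concrete things to look for in endpoint telemetry. The following is an added detection example, not code from the article or from Kaspersky; the event field names, the constructed sample events, and the choice of the EnableLUA value as the UAC setting being checked are assumptions (the article does not say which UAC setting the script modifies).

```python
import json
from pathlib import PureWindowsPath

# Constructed sample events in a Sysmon-like shape (field names are an assumption,
# not a real product schema). Event 0 and 3 mimic the Desktop chain, event 1 the Web chain.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WScript.exe",
     "parent": r"C:\Users\u\AppData\Local\WhatsApp\WhatsApp.Root.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\u\Downloads\Financial Reports.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\WScript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\u\Downloads\Account Statement.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    # Assumed UAC target: the EnableLUA policy value being set to 0 by the script host.
    {"type": "registry", "image": r"C:\Windows\System32\WScript.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "value": "0"},
]

def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> list[str]:
    """Return the detection labels an event triggers (empty list if nothing matched)."""
    hits = []
    if event["type"] == "process" and basename(event["image"]) == "wscript.exe":
        # Desktop variant: the messaging client itself launches the script host.
        if basename(event["parent"]) == "whatsapp.root.exe":
            hits.append("whatsapp_desktop_spawned_wscript")
        # Web variant: a downloaded .vbs is opened by the user from the Downloads folder.
        cmd = event["cmdline"].lower()
        if ".vbs" in cmd and "\\downloads\\" in cmd:
            hits.append("vbs_run_from_downloads")
    if (event["type"] == "registry" and basename(event["image"]) == "wscript.exe"
            and event["key"].lower().endswith("\\policies\\system\\enablelua")
            and event["value"] == "0"):
        hits.append("script_host_disabled_uac")
    return hits

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through classify() and return (event index, label) pairs."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(json.dumps({"event": idx, "detection": label}))
```

The parent-child rule is the highest-signal one here, since a messaging client has no legitimate reason to launch the Windows script host; the registry rule should be paired with an alert on any unexpected RMM installer appearing shortly afterwards.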
Source: The Hacker News
