
"The findings come close on the heels of another campaign dubbed Water Saci that has targeted Brazilian users with a worm that propagates via WhatsApp Web known as SORVEPOTEL, which then acts as a conduit for Maverick, a .NET banking trojan that's assessed to be an evolution of a .NET banking malware dubbed Coyote."
"The Eternidade Stealer cluster is part of a broader activity that has abused the ubiquity of WhatsApp in the South American country to compromise target victim systems and use the messaging app as a propagation vector to launch large-scale attacks against Brazilian institutions."
"Another notable trend is the continued preference for Delphi-based malware among threat actors targeting Latin America, driven not only by its technical efficiency but also by the fact that the programming language was taught and used in software development in the region."
A multipart campaign targets Brazilian users by combining social engineering with WhatsApp hijacking to distribute the Delphi-based banking trojan Eternidade Stealer. The malware retrieves command-and-control addresses dynamically via IMAP, enabling threat actors to update C2 servers. The actor shifted from PowerShell to a Python script to hijack WhatsApp and propagate malicious attachments. The campaign is linked to other WhatsApp-based worms in Brazil, such as SORVEPOTEL and Maverick, and leverages the widespread use of WhatsApp as a propagation vector against institutions. The attack chain begins with an obfuscated Visual Basic Script that drops a batch script to deliver multiple payloads.
Read at The Hacker News