
"The campaign, codenamed SORVEPOTEL by Trend Micro, weaponizes the trust with the platform to extend its reach across Windows systems, adding the attack is "engineered for speed and propagation" rather than data theft or ransomware. "SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments," researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon said."
"Once the attachment is opened, the malware automatically propagates via the desktop web version of WhatsApp, ultimately causing the infected accounts to be banned for engaging in excessive spam. There are no indications that the threat actors have leveraged the access to exfiltrate data or encrypt files. The vast majority of the infections -- 457 of the 477 cases -- are concentrated in Brazil, with entities in government, public service, manufacturing, technology, education, and construction sectors impacted the most."
"The starting point of the attack is a phishing message sent from an already compromised contact on WhatsApp to lend it a veneer of credibility. The message contains a ZIP attachment that masquerades as a seemingly harmless receipt or health app-related file. That said, there is evidence to suggest that the operators behind the campaign have also used emails to distribute the ZIP files from seemingly legitimate email addresses."
SORVEPOTEL leverages WhatsApp to propagate across Windows systems through malicious ZIP attachments delivered via phishing messages from compromised contacts or seemingly legitimate emails. The attack requires recipients to open the attachment on desktop, indicating a focus on enterprises. When executed, a Windows shortcut (LNK) payload triggers automatic propagation through the WhatsApp desktop web client, leading infected accounts to be banned for spam. Most observed infections (457 of 477) are in Brazil and affect government, public service, manufacturing, technology, education, and construction organizations. There are no signs of data exfiltration or file encryption.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]