
"The malware retrieves the victim's WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection,"
"While the core Astaroth payload remains written in Delphi and its installer relies on Visual Basic script, the newly added WhatsApp-based worm module is implemented entirely in Python, highlighting the threat actors' growing use of multi-language modular components."
Astaroth (Guildma) banking malware is being propagated via WhatsApp using a worm module that harvests the victim's contact list and automatically messages each contact to expand the infection. The campaign, codenamed Boto Cor-de-Rosa, combines a Delphi core payload and a Visual Basic script installer with a newly implemented Python-based WhatsApp propagation module, reflecting the actors' use of multi-language modular tooling. The campaign primarily targets Brazil, leveraging the platform's popularity there. Related 2024 clusters, PINEAPPLE and Water Makara, delivered the malware via phishing, and other actors such as Water Saci and STAC3150 have been observed delivering archives containing downloader scripts, PowerShell or Python stages, and MSI installers to deploy malware.
Read at The Hacker News