Hackers Leveraging WhatsApp That Silently Harvest Logs and Contact Details

A new malware campaign targeting Brazilian users has emerged, using WhatsApp as its primary distribution channel to spread banking trojans and harvest sensitive information.

This sophisticated attack leverages social engineering by exploiting the trust victims place in their existing contacts, making the malicious files appear legitimate.

The campaign begins with phishing emails containing archived VBS scripts that employ advanced obfuscation techniques to evade detection by security software.

Once the initial payload runs, it downloads and installs Python and the Selenium WebDriver components, enabling automated interaction with WhatsApp Web.

The malware then injects malicious JavaScript code into the victim’s browser session, accessing WhatsApp’s internal APIs to enumerate contacts and distribute payloads.

This approach lets attackers spread the infection without QR code authentication: the malware hijacks the existing logged-in session by copying the browser's cookies and local storage data.


K7 Security Labs researchers identified this variant as part of the broader Water-Saci campaign, which has been actively targeting financial institutions across Brazil.

The attack chain deploys both a Python-based distribution script and a banking trojan that monitors active windows for titles related to Brazilian banks and cryptocurrency wallets.

By combining automated messaging with memory-only payload execution, the malware largely evades detection while compromising victim machines and their entire contact networks.

The campaign also delivers an MSI installer that drops an AutoIt script alongside encrypted payload files. This secondary component establishes persistence through registry modifications and continuously monitors the victim’s active windows for banking-related keywords.

Kill chain (Source – K7 Security Labs)

When specific financial institutions or crypto wallet applications are detected, the malware decrypts and loads its banking trojan directly into memory, bypassing disk writes and making traditional file-based detection methods ineffective.

Technical Breakdown of the Infection Mechanism

The infection begins when victims receive phishing emails containing ZIP-archived VBS script files that use character encoding and XOR encryption to evade signature-based detection.

The script employs a multi-layered obfuscation strategy, building strings character by character using Chr() functions and then applying XOR operations with specific values to decode the actual malicious commands.

objyAQeaOCCI = objyAQeaOCCI & Chr(49)
objyAQeaOCCI = objyAQeaOCCI & Chr(55)
objyAQeaOCCI = objyAQeaOCCI & Chr(57)
For Each varcBAIRFO In Split(strSwQRHTeBd, aOwTbJaE)
objhiCebPk = (objhiCebPk (26 Xor 93)) Mod 256
objhiCebPk = (objhiCebPk (150 Xor 104)) Mod 256

Char and Xor (Source – K7 Security Labs)

After deobfuscation, the script downloads two components: an MSI file and another VBS file. The downloaded VBS file uses the same obfuscation pattern and drops a batch script that installs Python, ChromeDriver, and the Selenium package.

This automated setup creates the infrastructure needed for WhatsApp automation without requiring manual user intervention.

The Python script, named whats.py, takes control of the victim’s WhatsApp Web session by copying browser profile data, including cookies, local storage, and IndexedDB files, to a temporary directory.

Using Selenium’s user-data-dir argument, the script launches Chrome with these copied credentials, effectively bypassing the QR code authentication step that would usually protect WhatsApp Web access.

arquivos_copiar = [
    "Cookies", "Cookies-journal",
    "Local Storage", "Session Storage",
    "IndexedDB", "Service Worker"
]
options.add_argument(f"--user-data-dir={perfil_temp}")

Sets up the user-data-dir (Source – K7 Security Labs)
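A detection angle for the session hijack described above, written as an added example and not code from the K7 write-up: a normal Chrome launch has no explicit --user-data-dir, whereas whats.py starts Chrome through ChromeDriver with a profile copy under a temp directory. The event fields, parent names, temp-path hints and sample telemetry below are assumptions constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# Profile items the page says whats.py copies to a temporary directory.
PROFILE_ARTIFACTS = {"Cookies", "Cookies-journal", "Local Storage",
                     "Session Storage", "IndexedDB", "Service Worker"}
# Assumed parent images that mean Selenium/ChromeDriver automation, not a user click.
AUTOMATION_PARENTS = ("chromedriver.exe", "python.exe", "pythonw.exe")
TEMP_HINTS = ("\\temp\\", "\\tmp\\")  # assumed temp-path markers on Windows
USER_DATA_DIR = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

@dataclass
class ProcEvent:
    image: str          # process-creation event field, e.g. Sysmon EID 1 Image
    parent_image: str   # e.g. Sysmon EID 1 ParentImage
    command_line: str   # e.g. Sysmon EID 1 CommandLine

def user_data_dir(cmdline: str):
    """Return the --user-data-dir value from a Chrome command line, or None."""
    m = USER_DATA_DIR.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def hijack_reasons(ev: ProcEvent) -> list:
    """Reasons a chrome.exe launch looks like a copied-profile automation session."""
    reasons = []
    if not ev.image.lower().endswith("chrome.exe"):
        return reasons
    udd = user_data_dir(ev.command_line)
    if udd is None:
        return reasons  # ordinary user launches carry no explicit profile dir
    if any(h in udd.lower() for h in TEMP_HINTS):
        reasons.append(f"profile dir under a temp path: {udd}")
    if ev.parent_image.lower().endswith(AUTOMATION_PARENTS):
        reasons.append(f"launched by automation parent: {ev.parent_image}")
    return reasons

def copied_profile_artifacts(path: str) -> set:
    """Which WhatsApp-relevant profile items exist in a suspect user-data-dir."""
    if not os.path.isdir(path):
        return set()
    return PROFILE_ARTIFACTS & set(os.listdir(path))

# Constructed sample telemetry (not real events); index 1 mimics the whats.py launch.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\explorer.exe", "chrome.exe --profile-directory=Default"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Users\v\AppData\Local\Temp\chromedriver.exe",
              r'chrome.exe --user-data-dir="C:\Users\v\AppData\Local\Temp\perfil_temp"'),
]

def scan(events) -> dict:
    """Map event index to its reasons, keeping only events that raised any."""
    return {i: hijack_reasons(ev) for i, ev in enumerate(events) if hijack_reasons(ev)}
```

Pair a hit from scan() with copied_profile_artifacts() on the reported directory: a temp-path profile that holds Cookies and IndexedDB is the profile copy the page describes, not a developer's test profile.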

Once authenticated, the malware injects helper JavaScript from GitHub into the WhatsApp Web page context, enabling access to internal API functions like WPP.contact.list, WPP.chat.sendTextMessage, and WPP.chat.sendFileMessage.

The script then harvests the victim’s contact list, filtering out groups, business accounts, and contacts with specific number patterns configured by the attackers.

The harvested contacts are processed in batches, and each is sent a malicious ZIP file containing the next stage of the infection, perpetuating the campaign across victim networks while detailed logs are sent back to the attacker's PHP server.
