New Malware via WhatsApp Exfiltrates Contacts to Attack Server and Deploys Malware

Trustwave SpiderLabs researchers have identified a sophisticated banking trojan called Eternidade Stealer that spreads through WhatsApp hijacking and social engineering tactics.

The malware, written in Delphi, represents a significant evolution in Brazil’s cybercriminal landscape, combining advanced contact harvesting with credential theft targeting financial institutions.

The threat emerges from a multi-stage infection chain that begins with an obfuscated VBScript sent via WhatsApp messages.

The message received via WhatsApp during the preparation of the current report (Source: Trustwave)

When executed, the script downloads a batch file containing two primary payloads: a Python-based WhatsApp worm and an MSI installer that deploys the banking trojan.
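The script-to-installer chain just described (a VBScript launched from a messaging client, a batch stage, then a Python payload and an MSI installer) is what a defender would hunt for in process-creation telemetry. The following is an added example, not code from the article or from Trustwave: it walks a set of constructed, Sysmon-style process events (the PIDs, file names and paths are made up for this example) and reports every final-stage process whose ancestry matches the chain.

```python
"""Flag the VBScript -> batch -> Python/MSI process chain in process-creation events.

The events below are constructed for this example; PIDs, user names and file
names are placeholders, not indicators from the report.
"""

# Ordered ancestor stages, outermost first: (image basename, substring expected in the command line).
STAGES = [
    ("wscript.exe", ".vbs"),  # obfuscated VBScript launched from a messaging download
    ("cmd.exe", ".bat"),      # batch stage that carries the two payloads
]
# Final stages: the Python-based worm or the MSI installer that deploys the trojan.
FINAL_STAGE = {"python.exe", "pythonw.exe", "msiexec.exe"}

SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\u\AppData\Local\WhatsApp\WhatsApp.exe",
     "cmdline": "WhatsApp.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\comprovante.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage.bat"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\python\python.exe",
     "cmdline": "python.exe worm.py"},
    {"pid": 401, "ppid": 300, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i update.msi /qn"},
    # Benign control: an interactive shell running a maintenance batch file, then an MSI.
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c cleanup.bat"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /i tool.msi"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(events):
    """Return PID chains [wscript, cmd, final] for every final-stage process whose
    ancestry matches STAGES in order (nearest parent checked first)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if basename(event["image"]) not in FINAL_STAGE:
            continue
        chain = [event]
        current = event
        matched = True
        for image, needle in reversed(STAGES):  # cmd.exe is the nearest parent, wscript.exe above it
            parent = by_pid.get(current["ppid"])
            if (parent is None or basename(parent["image"]) != image
                    or needle not in parent["cmdline"].lower()):
                matched = False
                break
            chain.append(parent)
            current = parent
        if matched:
            hits.append([p["pid"] for p in reversed(chain)])
    return hits


if __name__ == "__main__":
    for chain in find_suspicious_chains(SAMPLE_EVENTS):
        print("suspicious chain (wscript -> cmd -> payload):", chain)
```

The benign explorer.exe → cmd.exe → msiexec.exe chain is deliberately included so the check is anchored on the scripting-host ancestor rather than on msiexec alone, which would be far too noisy in a real environment.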

This distribution method exploits the messaging platform’s trusted nature, making users more likely to interact with malicious attachments shared by contacts whose accounts have been compromised.

Trustwave security analysts noted that the malware demonstrates remarkable sophistication in targeting Brazilian victims specifically.


The trojan performs a locale check, verifying that the operating system language is Brazilian Portuguese before proceeding with infection.

If the system language doesn’t match, the malware displays an error message and terminates, preventing accidental infections outside its intended target region and avoiding sandbox detection.

The core functionality of Eternidade Stealer is the theft of entire WhatsApp contact lists through the obter_contatos() function, which executes JavaScript that calls the WPP.contact.list() API.

The malware filters out groups, business contacts, and broadcast lists, keeping only individual personal contacts, who are more likely to fall for phishing messages.

Each stolen contact record includes the full WhatsApp ID, contact name, phone number, and whether the contact is saved.

Eternidade Stealer’s attack chain (Source: Trustwave)

After collection, the malware immediately sends this data to the command-and-control server via HTTP POST requests without user interaction.

What makes Eternidade Stealer particularly dangerous is its dual-layer persistence mechanism: using hardcoded credentials, the trojan connects via IMAP to an email account controlled by the threat actors.

It extracts the command-and-control server address from email subjects and bodies, allowing attackers to update their infrastructure dynamically and maintain connections even if specific domains are seized.
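Two behaviours in the paragraphs above leave network-level traces: the bulk HTTP POST of harvested contact records, and an IMAP session opened by a process that is not a mail client in order to fetch the command-and-control address. The following is an added example, not code from the article or from Trustwave, that triages constructed flow records for both. The process name "atualizacao.exe", the hosts, and the JSON field names of the contact records are assumptions made for this example; the detection keys on WhatsApp-style IDs (the digits@c.us form) rather than on any particular field name, so it does not depend on the malware's exact record layout.

```python
"""Triage outbound flows for (a) IMAP from a non-mail-client process and
(b) HTTP POST bodies that carry bulk WhatsApp contact records.

All flow records below are constructed for this example; the process name,
hosts and JSON layout are placeholders, not indicators from the report.
"""
import json
import re

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # hypothetical allowlist for this environment
IMAP_PORTS = {143, 993}
# WhatsApp-style contact IDs: a phone number followed by @c.us or @s.whatsapp.net.
WA_ID_RE = re.compile(r"\b\d{10,15}@(?:c\.us|s\.whatsapp\.net)\b")
CONTACT_THRESHOLD = 3  # more IDs than a single-chat action would ever send

# Constructed contact records in the shape described in the article
# (ID, name, phone number, saved flag); field names are assumed.
_CONTACTS = [
    {"id": "5511999990001@c.us", "name": "Ana",   "number": "5511999990001", "isSaved": True},
    {"id": "5511999990002@c.us", "name": "Bruno", "number": "5511999990002", "isSaved": True},
    {"id": "5511999990003@c.us", "name": "Carla", "number": "5511999990003", "isSaved": False},
]

SAMPLE_FLOWS = [
    {"process": "outlook.exe",     "dst": "imap.example.net", "port": 993, "method": None,   "body": ""},
    {"process": "atualizacao.exe", "dst": "imap.example.net", "port": 993, "method": None,   "body": ""},
    {"process": "atualizacao.exe", "dst": "c2.invalid",       "port": 80,  "method": "POST",
     "body": json.dumps(_CONTACTS)},
    {"process": "chrome.exe",      "dst": "api.example.com",  "port": 443, "method": "POST",
     "body": json.dumps({"q": "weather"})},
]


def count_contact_ids(body):
    """Number of WhatsApp-style IDs in a request body (works on raw text, so it
    also catches form-encoded or partially obfuscated JSON)."""
    return len(WA_ID_RE.findall(body or ""))


def triage_flows(flows):
    """Return (rule, process, destination) tuples for flows matching either rule."""
    alerts = []
    for flow in flows:
        proc = flow["process"].lower()
        if flow["port"] in IMAP_PORTS and proc not in MAIL_CLIENTS:
            alerts.append(("imap-from-non-mail-client", proc, flow["dst"]))
        if flow["method"] == "POST" and count_contact_ids(flow["body"]) >= CONTACT_THRESHOLD:
            alerts.append(("bulk-contact-post", proc, flow["dst"]))
    return alerts


if __name__ == "__main__":
    for rule, proc, dst in triage_flows(SAMPLE_FLOWS):
        print(f"{rule}: {proc} -> {dst}")
```

Keying the IMAP rule on the originating process is what makes it usable: IMAP itself is normal traffic, but a freshly installed executable reading a mailbox over port 993 is not. The POST rule is a coarse data-loss check and would sit alongside, not replace, TLS inspection or endpoint telemetry.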

The malware targets over 40 Brazilian financial institutions, payment services like MercadoPago, and cryptocurrency exchanges, including Binance and Coinbase.

When a victim accesses a targeted banking application, the trojan activates its overlay capability, displaying fake login screens designed to steal credentials seamlessly.

Its system reconnaissance routines collect OS details, installed antivirus software, public and local IP addresses, and running processes.

This reconnaissance helps threat actors determine whether to proceed with credential theft or banking overlay deployment.

The investigation revealed that one threat actor’s infrastructure recorded 454 connection attempts globally, with significant traffic from the United States and European countries, suggesting broader attack ambitions beyond Brazil’s borders.
