WhatsApp phishing attack uses fake business docs to hack PCs

A malware campaign is abusing compromised WhatsApp accounts to send obfuscated VBScript files disguised as business and financial documents across multiple countries. When opened, the files trigger an infection chain that installs ManageEngine Endpoint Central for remote access, with Kaspersky noting possible links to ValleyRAT and Gh0st RAT infrastructure.

Key points

  • Compromised WhatsApp accounts are sending malicious VBScript attachments to contacts.
  • The files are disguised as invoices, account notices, and financial reports.
  • The campaign has been observed in Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.
  • Opening the VBS file launches additional scripts that disable UAC protections and download a ZIP archive.
  • The attack installs ManageEngine Endpoint Central and gives attackers remote administration access.

Read More: https://www.bleepingcomputer.com/news/security/whatsapp-phishing-attack-uses-fake-business-docs-to-hack-pcs/