WhatsApp Worm Targets Brazilian Banking Customers

MITRE Techniques

• [T1204] User Execution – Malicious LNK in a ZIP archive tricked recipients into launching the payload from WhatsApp Web messages: ‘the archive contained a malicious Windows LNK file that, when launched, initiated a series of malicious PowerShell commands.’
• [T1204.002] Malicious File – Shortcut – The LNK target field contained an obfuscated command that executed a Base64 PowerShell loader: ‘The target field of the LNK file contained an obfuscated Windows command that constructed and ran an initial Base64-encoded PowerShell command.’
• [T1059.001] PowerShell – Multi-stage PowerShell commands were used to download and execute next-stage payloads from C2: ‘first-stage PowerShell command covertly launched an Explorer process that downloaded the next-stage PowerShell command from a remote command and control (C2) server hosted on hxxps://www.zapgrande[.]com.’
• [T1105] Ingress Tool Transfer – Second-stage PowerShell downloaded additional tools/payloads (Selenium or Maverick) from C2 infrastructure: ‘Both payloads were delivered via the same C2 infrastructure and only to hosts that passed a set of anti-analysis checks.’
• [T1562.001] Impair Defenses – The PowerShell attempted to modify local security controls, including adding Defender exclusions and disabling UAC: ‘add an exclusion in Microsoft Defender’ and ‘disable UAC.’
• [T1059.007] JavaScript (via browser automation) – Selenium and ChromeDriver were used to control browser sessions and enable WhatsApp Web session hijacking and self-propagation: ‘the presence of the Selenium payload align[s] with … delivering … a Selenium instance with a matching ChromeDriver.’
• [T1086] PowerShell (execution) – Detection rules targeted suspicious PowerShell processes with Base64-encoded commands used in the attack chain: ‘Detects suspicious PowerShell process with command line with start of suspicious Base64 encoded commands.’