Astaroth’s Boto Cor-de-Rosa campaign targets Brazil with new WhatsApp malware technique

MITRE Techniques

• [T1059.005 ] Command and Scripting Interpreter (Visual Basic) – The initial downloader is a VBS script that retrieves and executes further components. (‘the VBS script retrieves and executes two additional components — the core Astaroth banking payload and the Python-based WhatsApp spreader’)
• [T1105 ] Ingress Tool Transfer – The campaign downloads and installs multiple components (MSI, Python, zapbiu.py) to the victim system to continue the attack. (‘the VBS script retrieves and executes two additional components — the core Astaroth banking payload and the Python-based WhatsApp spreader’)
• [T1027 ] Obfuscated Files or Information – The VBS downloader is heavily obfuscated to hinder analysis and detection. (‘heavily obfuscated to hinder analysis’)
• [T1566.003 ] Phishing: Spearphishing via Service – The spreader sends malicious ZIP attachments over WhatsApp to contacts to induce execution and further propagation. (‘message on WhatsApp containing a malicious ZIP archive’)
• [T1041 ] Exfiltration Over C2 Channel – The WhatsApp spreader exfiltrates harvested contact lists to a remote server. (‘exfiltrates the victim’s contact list to a remote server’)
• [T1555.003 ] Credentials from Web Browsers – The banking module monitors browsing and activates credential‑stealing when banking-related URLs are visited. (‘When banking-related URLs are accessed, it activates credential‑stealing functionality’)
• [T1218 ] Signed Binary Proxy Execution – The MSI dropper includes a legitimate AutoIt interpreter which is used to run an encoded loader that decrypts and loads the main payload. (‘a legitimate AutoIt interpreter is bundled alongside an encoded loader, which dynamically decrypts and loads the main Astaroth payload from disk’)