This Boss Scam campaign abuses WhatsApp Web trust by delivering ZIP archives that hide a signed executable and a malicious DLL, enabling DLL sideloading, persistence, session theft, and data exfiltration. The attackers target executives and trusted employees to hijack WhatsApp Web sessions, spread fraudulent messages inside organizations, and steal browser artifacts such as cookies, tokens, and encryption keys. #I4C #WhatsAppWeb #ReserveBankofIndia #Tarexe #libfabricdll
Key points
- Attackers use Boss Scam, a BEC/CEO fraud variant, to impersonate trusted contacts over email and WhatsApp.
- The initial lure is usually a ZIP attachment or download link pretending to come from the Reserve Bank of India, the Tax Department, or another trusted sender.
- The ZIP contains a legitimate signed executable and a malicious DLL; the executable is abused to sideload the DLL.
- The malware creates a mutex, may use Dynamic API Resolution, and adds Registry Run entries for persistence.
- It searches for active WhatsApp Web sessions in Chrome and Edge, then steals browser artifacts such as cookies, tokens, and encryption material.
- Stolen data is archived with tar.exe and sent to the attacker over TCP, enabling session hijacking and further impersonation.
- Compromised accounts can be used to spread fraudulent messages internally and may expose credentials, autofill data, and payment information.
MITRE Techniques
- [T1218] System Binary Proxy Execution – The malware abuses a trusted Windows utility to stage or move stolen data, reducing suspicion and helping evade security tools (‘the malware abuses this built-in Windows utility as a Living-off-the-Land Binary (LOLBin)’).
- [T1574.002] DLL Side-Loading – A legitimate signed executable is used to load a malicious DLL from the current directory (‘Windows automatically loads the DLL located in the application’s current directory’).
- [T1547.001] Registry Run Keys / Startup Folder – Persistence is achieved by creating Run entries so the malware starts at logon (‘The malware also creates Registry Run entries to achieve persistence’).
- [T1114.001] Local Email Collection – The article describes impersonation and message-based propagation through trusted communication channels, but no direct email collection is shown; not applicable as a primary technique.
- [T1027] Obfuscated Files or Information – The payload is concealed inside a ZIP archive with misleading filenames to appear legitimate (‘the zip file contains two files in it’ and names like “Read.exe”, “View.exe”, “Click to Open.exe”).
- [T1056.001] Keylogging – Not mentioned explicitly; the closest behavior is session theft and token theft, not keylogging.
- [T1113] Screen Capture – Some variants take screenshots and send them to the attacker (‘the malware takes Screenshots of the entire screen and sends it to the attacker frequently’).
- [T1213] Data from Information Repositories – Browser files such as Cookies, IndexedDB, Login Data, and Web Data are collected for abuse (‘collects browser session artifacts, including authentication tokens, cookies, encryption material’).
- [T1566.001] Phishing: Spearphishing Attachment – The attack begins with suspicious messages carrying ZIP attachments (‘sends an Email or a WhatsApp Message, with a zip attachment’).
- [T1566.002] Phishing: Spearphishing Link – Some lures use a clickable URL to download the ZIP file (‘or a clickable URL that downloads the zip attachment’).
- [T1074] Data Staged – Stolen browser data is archived into a ZIP file before exfiltration (‘The collected data is archived using “tar.exe”’).
- [T1041] Exfiltration Over C2 Channel – The archived data is transmitted to the attacker over a TCP connection (‘it is transmitted to the attacker over a TCP connection’).
- [T1021] Remote Services – The objective is to hijack an authenticated WhatsApp Web session for remote use of the victim’s account (‘restore or hijack an authenticated WhatsApp Web session’).
- [T1189] Drive-by Compromise – Not directly described; the initial delivery is through social engineering, not drive-by.
- [T1055] Process Injection – Not described in the article.
- [T1082] System Information Discovery – The malware performs user-reconnaissance collection, including browser artifacts and discovery of active sessions (‘User reconnaissance etc.’).
Indicators of Compromise
- [URL] malicious attachment delivery – hxxps://zusyyredrs[.]love/
- [File name] dropped malicious component – libfabric.dll
- [File name] disguised executable examples – Read.exe, View.exe, Click to Open.exe
- [File path] staging/persistence locations – %AppData%, %ProgramData%
- [File path] browser data locations – C:\Users\<user>\AppData\Local\Microsoft\Edge\Backup_12248, C:\Users\<user>\AppData\Local\Microsoft\Edge\Edge_9821bea4d01b4ae4c6626ad474d55194.zip
- [Command line] archival activity – C:\Windows\System32\tar.exe -caf … --exclude="Cache" --exclude="Safe Browsing" --exclude="Ad Blocking" -C …
- [Hash] malicious DLL hashes – 91C8497847FF6AAFE365AE731E76F031, AAEFAA9844410991BDDAE304B93673C6
- [Detection name] vendor detection labels – Trojan (0001140e1)
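A defender-side check for the two behaviours the indicators above describe (tar.exe packaging a Chrome/Edge profile, and a DLL loaded from the same user-writable folder as its host executable), added here as an example and not taken from the K7 Labs article; the sample command line, user names and paths are constructed, and the folder and option names are the standard Chromium and bsdtar ones.

```python
import re
from pathlib import PureWindowsPath

# Chromium profile sub-folders the campaign's tar.exe command skips, and the
# parent folders of Chrome/Edge user data (both are standard Windows paths).
CHROMIUM_EXCLUDES = {"cache", "safe browsing", "ad blocking"}
BROWSER_DATA = re.compile(r"\\(Google\\Chrome\\User Data|Microsoft\\Edge)\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Downloads|Temp)\\", re.I)
EXCLUDE_ARG = re.compile(r'--exclude=(?:"([^"]*)"|(\S+))', re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')


def tar_archives_browser_data(cmdline: str) -> list[str]:
    """Reasons why a tar.exe process-creation command line looks like browser-data staging."""
    tokens = TOKEN.findall(cmdline)          # split on whitespace, keeping "quoted args" whole
    if not tokens or not tokens[0].strip('"').lower().endswith("tar.exe"):
        return []
    reasons = []
    first_opt = tokens[1] if len(tokens) > 1 else ""
    if first_opt.startswith("-") and not first_opt.startswith("--") and "c" in first_opt:
        reasons.append("creates an archive (-c, e.g. -caf)")
    excludes = {(quoted or bare).lower() for quoted, bare in EXCLUDE_ARG.findall(cmdline)}
    if excludes & CHROMIUM_EXCLUDES:
        reasons.append("excludes Chromium cache folders, so the source is a browser profile")
    if BROWSER_DATA.search(cmdline):
        reasons.append("references a Chrome/Edge user-data path")
    return reasons if len(reasons) >= 2 else []   # a single hint alone is too noisy to alert on


def dll_sideload_from_staging(image: str, image_loaded: str) -> bool:
    """True when an executable in a user-writable folder loads a DLL from that same folder."""
    exe, dll = PureWindowsPath(image), PureWindowsPath(image_loaded)
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    return same_dir and dll.suffix.lower() == ".dll" and bool(USER_WRITABLE.search(str(exe)))


if __name__ == "__main__":
    # Constructed sample events (process creation and image load), not from the article.
    cmd = (r'C:\Windows\System32\tar.exe -caf C:\Users\alice\AppData\Local\Microsoft\Edge\Edge_abc.zip '
           r'--exclude="Cache" --exclude="Safe Browsing" --exclude="Ad Blocking" '
           r'-C C:\Users\alice\AppData\Local\Microsoft\Edge\Backup_12248 .')
    print(tar_archives_browser_data(cmd))
    print(dll_sideload_from_staging(r"C:\Users\alice\AppData\Roaming\Read.exe",
                                    r"C:\Users\alice\AppData\Roaming\libfabric.dll"))
```

The first function needs at least two of its three hints before it reports, so an ordinary `tar.exe -caf backup.zip Documents` stays quiet while the profile-packaging command line in the IoC list trips all three.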
Read more: https://labs.k7computing.com/index.php/boss-scam-dont-trust-every-urgent-message-from-your-boss/