Brazilian Campaign: Spreading the Malware via WhatsApp

MITRE Techniques

• [T1566] Phishing – Delivered initial malicious ZIP with an archived VBS script via email: “…starts with a Phishing email with a ZIP archived malicious VBS script file.”
• [T1027] Obfuscated Files or Information – VBS and other scripts use charcode and XOR encoding to evade signature detections: “…leverages charcode and XOR encoding techniques to evade the Sign based detections.”
• [T1105] Ingress Tool Transfer – Scripts download MSI, VBS, Python components, ChromeDriver, and payloads from remote URLs: “…the script contains 2 functionalities, downloading a MSI file and a VBS file and executing them.”
• [T1176] Browser Extensions – Abuse of browser session and in-page APIs (WhatsApp Web) via injected helper JavaScript to interact with web app internals: “…inject a malicious JS code in WhatsApp Web… uses WhatsApp web internal APIs… helper JS file from Github.”
• [T1056] Input Capture (Web Session Hijacking) – Copies browser session artifacts (Cookies, Local Storage, IndexedDB) and launches Chrome with user-data-dir to reuse logged-in WhatsApp session: “…inspects standard profile folders… Artifacts are copied to a temporary folder… launch the browser with the victim’s past whatsapp web session, to avoid the need of QR-scan authentication.”
• [T1204] User Execution – Spam messages sent from trusted contacts entice recipients to open the payload delivered via WhatsApp: “…the malicious file is sent by someone already in our contacts… reduces our caution and increases the chances of the malware being opened and executed.”
• [T1564] Hide Artifacts – Transfers payload as Base64-encoded string into browser memory and sends as in-memory Blob to avoid writing files to disk: “…a Base64-encoded String is stored… transfers the binary data as text to the browser memory without touching the victim’s disk…”
• [T1086] PowerShell (analogous scripting) / [T1059] Command and Scripting Interpreter – Use of VBS, BAT, Python, AutoIt scripts to orchestrate stages and persistence: “…drops a .bat script which downloads and installs Python.zip, ChromeDriver.exe and PIP… executes a Python script whats.py.”
• [T1547] Boot or Logon Autostart Execution – Registers dropped VBS under the Run registry entry for persistence: “The script registers dropped VBS under run entry in registry for persistence.”
• [T1486] Data Encrypted for Impact (not for ransom but in-memory packing) – Payloads compressed/encrypted (.tda/.dmp) and decrypted in-memory before decompression and reflective loading: “…a compressed and encrypted payload in .tda and .dmp file format… reads it, decrypts it, decompresses it all in memory.”
• [T1218] Signed Binary Proxy Execution – Use of svchost injection and reflective loading to execute payloads in memory and evade disk-based detection: “…the loader calls VirtualAlloc… copies sections, applying relocations… loader calls VirtualProtect… injected PE then injects itself into SVCHOST…”
• [T1071] Application Layer Protocol – Exfiltration and C2 communications via HTTP POSTs to PHP server and IMAP over TCP: “…harvested contacts and successful payload send-result logs are typically POSTed back to the attacker’s PHP server… Connects back to server… using IMAP over TCP connection.”