SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp

MITRE Techniques

• [T1059] Command and Scripting Interpreter – VBA/VBScript and Python are used as initial stages and propagation scripts (“obfuscated VBScript… drops a batch file that downloads and executes payloads” and a “1,300+ line piece of Python script (whats.py) designed to automate WhatsApp messaging”).
• [T1190] Exploit Public-Facing Application – Abuse of WhatsApp Web APIs and wppconnect-w.js (“uses ‘WPP.contact.list()’… downloads this library from GitHub to gain programmatic access to WhatsApp”).
• [T1105] Ingress Tool Transfer – Downloader behavior in dropper that fetches payloads from C2 domains (“The payloads are downloaded from the threat actor’s C2”).
• [T1566] Phishing – Social engineering via personalized WhatsApp messages with time‑aware greetings and contact name insertion to distribute malicious files (“message template… greeting automatically adjusts based on the time of day… uses the contact’s actual name”).
• [T1071] Application Layer Protocol – C2 retrieval and communications via IMAP over SSL and HTTP POST for exfiltration (“Connect to the IMAP server via SSL (Port 993) using hardcoded credentials” and “sends collected system information via POST method to its C2”).
• [T1027] Obfuscated Files or Information – Encrypted strings and custom decryption routines to hinder analysis (“multiple encrypted strings used for C2 communications… decryption routine uses a hardcoded key ‘edit1’ and salt ‘MeuSaltPessoal#2024′”).
• [T1055] Process Injection – Process hollowing injector loads decrypted payload into svchost.exe (“injector performs process hollowing to run the final payload” into svchost.exe).
• [T1083] File and Directory Discovery – Scanning for .tda and .dmp files and enumerating installation folder to load operator files (“malware searches for .tda or .dmp files in the installation folder”).
• [T1496] Resource Hijacking / Abuse – Use of victim WhatsApp sessions and stolen contacts to propagate and expand victim pool (“obter_contatos()… allows the malware to steal victims’ entire WhatsApp contact lists” and “sends a message to all contacts… along with a personalized greeting, a malicious file”).
• [T1113] Screen Capture – Commands to take captures and send them to C2 (“other commands observed are: activating keylogging features, sending captures or files”).
• [T1204] User Execution – Relies on social engineering to have victims execute MSI or script attachments delivered via WhatsApp (“malicious file from the C2… sends a message… with a malicious file”).