Kaspersky Uncovers New Malware Campaign Abusing Compromised WhatsApp Accounts

Massive Malware Campaign Spreads via Compromised WhatsApp Accounts, Abusing User Trust

MEDIUM
June 22, 2026
5m read
Malware, Phishing, Mobile Security

Related Entities

Organizations: Kaspersky; Kaspersky Global Research and Analysis Team (GReAT)

Products & Tech: WhatsApp

Other: Fareed Radzi

Full Report

Executive Summary

Researchers from Kaspersky's Global Research and Analysis Team (GReAT) have detailed a large-scale malware distribution campaign that leverages the trust inherent in the WhatsApp messaging platform. Threat actors are using previously compromised WhatsApp accounts to propagate malware by sending malicious VBScript files to the account's contacts. The files are socially engineered to look like legitimate business documents, increasing the likelihood of execution. The multi-stage infection process results in the attacker gaining remote access to the victim's computer. The campaign has a wide geographical distribution, with notable victim clusters in Malaysia, Brazil, Singapore, and across Europe.


Threat Overview

This campaign's effectiveness hinges on its social engineering component. By originating from a compromised account, the malicious message appears to come from a trusted friend, family member, or colleague. This bypasses the natural suspicion that accompanies messages from unknown senders.

The attackers send a Visual Basic Script (.vbs) file disguised with a name suggesting a business document, such as an invoice, receipt, or order confirmation. The filenames are localized into multiple languages, indicating a deliberate effort to target users in specific regions. When the recipient is tricked into opening the .vbs file, it initiates an infection chain.


Technical Analysis

The attack follows a multi-stage process designed to evade initial detection and establish a persistent foothold.

  1. Initial Vector - Social Engineering: The attack begins with a message from a compromised WhatsApp account containing a malicious .vbs file. This is a form of T1566 - Phishing delivered via an instant messaging service.
  2. User Execution: The victim must open the .vbs file. This action corresponds to T1204.002 - User Execution: Malicious File.
  3. Execution and Staging: The VBScript, when executed by the Windows Script Host (wscript.exe), acts as a dropper or downloader. It connects to an external command-and-control (C2) server to download the next stage of the malware. This is an example of T1059.005 - Command and Scripting Interpreter: Visual Basic.
  4. Payload Deployment: The downloaded payload is executed. The ultimate goal, according to Kaspersky, is to provide the attacker with remote access to the system.
  5. Abuse of Legitimate Tools: The report notes that the final payload abuses standard administrative capabilities, likely referring to the use of legitimate remote access tools (like Remote Desktop Protocol or commercial RATs) or living-off-the-land binaries (LoLBins) to control the machine. This corresponds to T1219 - Remote Access Software.

Impact Assessment

A successful infection can lead to a variety of negative outcomes for the victim:

  • Account Hijacking: The primary impact is the loss of control over the victim's own WhatsApp account, which is then used to perpetuate the attack, damaging their personal and professional relationships.
  • Data Theft: With remote access to the computer, attackers can steal personal files, financial information, and login credentials for other services.
  • Spying and Surveillance: Attackers can monitor the user's activity, capture keystrokes, and access their webcam and microphone.
  • Further Malware Installation: The compromised machine can be used to install other types of malware, such as ransomware or cryptocurrency miners.

IOCs — Directly from Articles

No specific technical Indicators of Compromise (IOCs) such as C2 domains or file hashes were provided in the source articles.


Cyber Observables — Hunting Hints

Security teams and advanced users can hunt for signs of this activity:

  • process_name: wscript.exe. Monitor for wscript.exe processes making outbound network connections, which is often suspicious.
  • command_line_pattern: wscript.exe //E:VBScript "C:\Users\...\invoice.vbs". Look for command-line execution of .vbs files, especially those downloaded from the internet.
  • file_name: *.vbs. The presence of unexpected .vbs files in user download or temporary folders.
  • log_source: DNS and Proxy Logs. Look for connections to newly registered or low-reputation domains originating from wscript.exe or powershell.exe.

Detection & Response

  1. Endpoint Protection: Ensure endpoint security solutions are configured to scan and analyze script files (.vbs, .js, .ps1). Enable script block logging for PowerShell.
  2. Email/Message Filtering: While difficult for end-to-end encrypted platforms like WhatsApp, organizations should have policies and tools to filter malicious files sent over corporate email and other communication channels.
  3. User Education: This is the most critical defense. Train users to be extremely cautious of unsolicited attachments, even from known contacts. Teach them to verify suspicious messages through a separate communication channel (e.g., a phone call).

D3FEND Techniques:

  • File Analysis (D3-FA): Security tools analyzing the content of the .vbs file to identify malicious code patterns.
  • Dynamic Analysis (D3-DA): Sandboxing the .vbs file to observe its behavior, such as network callbacks or file system changes.

Mitigation

  1. Disable Windows Script Host: If not required for legitimate business purposes, consider disabling Windows Script Host (WSH) via Group Policy to prevent the execution of .vbs and .js files entirely.
  2. Change File Associations: Change the default file association for .vbs files from wscript.exe to notepad.exe. This will cause the script to open as a text file instead of executing, allowing the user to inspect it safely.
  3. WhatsApp Security: Enable security notifications in WhatsApp settings to be alerted when a contact's security code changes. Secure your own account with a strong PIN and two-step verification.
  4. Verify, Then Trust: Cultivate a security culture where employees are encouraged to verify unexpected requests or files via a secondary channel before opening them.

Timeline of Events

  1. June 22, 2026: This article was published.

MITRE ATT&CK Mitigations

  • The most effective mitigation against this social engineering-heavy attack is training users to be suspicious of unexpected files.
  • Preventing the execution of scripts like VBScript through Group Policy or application control.
  • Using endpoint security software to detect and block known malicious scripts and payloads.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

WhatsApp, Malware, VBScript, Phishing, Social Engineering, Kaspersky
