Widespread WhatsApp Campaign Leverages Compromised Accounts to Distribute VBScript Dropper, Installs ManageEngine RMM for Persistent Access

Executive Summary

Security researchers at Kaspersky have uncovered an ongoing malware campaign exploiting the trust inherent in WhatsApp communications. Threat actors are using compromised WhatsApp accounts to send malicious VBScript attachments to victims' contacts. The scripts are disguised as legitimate documents to trick users into executing them. The ultimate goal of the attack is to install a legitimate Remote Monitoring and Management (RMM) tool, ManageEngine Endpoint Central, on the victim's computer. This "living off the land" technique provides the attackers with persistent, legitimate-looking remote access for data theft, surveillance, or deploying further malware. The campaign is active across at least 11 countries, with a significant concentration of victims in Malaysia.

Threat Overview

The attack chain leverages social engineering and abuses a legitimate enterprise tool:

1. Initial Compromise: The campaign originates from WhatsApp accounts that have already been compromised through an unknown method. This allows the attackers to leverage the victim's trusted social circle.
2. Distribution: The compromised account sends a message, often without any text, containing a malicious VBScript (.vbs) file to multiple contacts. The file is given a deceptive name (e.g., invoice.vbs, report.vbs) to appear as a business document.
3. Execution: The recipient, trusting the sender, downloads and executes the VBScript file on their computer, likely through WhatsApp Desktop or WhatsApp Web.
4. Infection Chain: The VBScript acts as a dropper, initiating a multi-stage process to download and install its final payload.
5. Payload Deployment: The script stealthily installs and configures an agent for ManageEngine Endpoint Central, a legitimate and powerful IT administration tool.
6. Persistent Access: The RMM agent connects to the attacker's control server, granting them full remote access to the compromised system.

Technical Analysis

This campaign relies on a combination of social engineering and the abuse of legitimate software.

• Phishing (T1566.001 - Spearphishing Attachment): The attack is a form of spearphishing, using the compromised account of a trusted contact to deliver the malicious payload.
• User Execution (T1204.002 - Malicious File): The success of the attack hinges on the user being tricked into executing the .vbs file.
• Command and Scripting Interpreter (T1059.005 - Visual Basic): The attackers use VBScript, a native Windows scripting language, to initiate the infection. This avoids the need to drop an executable file initially, which might be flagged by antivirus software.
• Ingress Tool Transfer (T1105 - Ingress Tool Transfer): The VBScript dropper downloads the main RMM installer from an external source.
• Remote Services: Remote Access Software (T1219 - Remote Access Software): This is the core of the attack. By using a legitimate, signed RMM tool like ManageEngine Endpoint Central, the attackers' activity can blend in with normal administrative traffic, making it difficult for security tools to detect.

Impact Assessment

Once the RMM tool is installed, the attackers have near-total control over the victim's computer. They can silently monitor user activity, access files, steal credentials, install further malware (like ransomware or spyware), and use the compromised machine as a pivot point to attack other systems on the same network. For a corporate user, this could lead to a full-scale enterprise breach originating from a single employee's compromised WhatsApp account. The use of a legitimate RMM tool complicates detection and attribution, as the network traffic generated by the tool is encrypted and appears legitimate to firewalls and other network security appliances.

IOCs — Directly from Articles

No specific file hashes, domains, or IP addresses were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for signs of this activity within their environments. The following patterns could indicate related activity:

Detection & Response

1. Block VBScript Execution: Use Group Policy or application control solutions to block the execution of .vbs files by default, or at least to prompt users with a stern warning before they are run. This aligns with D3FEND's D3-EDL - Executable Denylisting.
2. Monitor for RMM Tools: Use EDR or asset inventory systems to maintain a list of all installed software. Generate alerts for any installations of RMM tools (e.g., ManageEngine, TeamViewer, AnyDesk) that are not on the corporate-approved list.
3. Process Monitoring: Configure EDR to alert when wscript.exe or cscript.exe initiates network connections or downloads executable files. Use D3FEND's D3-PA - Process Analysis to detect these suspicious process chains.

Mitigation

1. User Education: This attack is heavily reliant on social engineering. Train users to be suspicious of any unsolicited attachments, even from known contacts. Emphasize that they should verify unexpected files through a separate communication channel before opening them. (M1017 - User Training).
2. Application Control: Implement application control policies to prevent unauthorized software, including unapproved RMM tools, from being installed or executed. (M1042 - Disable or Remove Feature or Program).
3. Email and Web Gateway Filtering: While this attack uses WhatsApp, the principle of filtering applies. Ensure web gateways can inspect files downloaded from WhatsApp Web and block potentially malicious script files.
4. WhatsApp Security: Advise users to enable security features within WhatsApp, such as two-step verification and security notifications, to make account takeover more difficult.