WhatsApp Malware 'Maverick' Hijacks Sessions to Target Brazil's Banks
- John Jordan
- 47 minutes ago
- 3 min read
A sophisticated new malware, dubbed 'Maverick,' is spreading rapidly through WhatsApp in Brazil, posing a significant threat to the country's largest banks. This malicious software is designed to hijack browser sessions and steal sensitive banking credentials from unsuspecting users. The campaign leverages the popularity of WhatsApp in Brazil, with millions of active users, to distribute the malware through deceptive messages and infected files.
Key Takeaways
- Widespread Distribution: Maverick is spreading via WhatsApp, targeting Brazilian users and financial institutions.
- Session Hijacking: The malware hijacks browser sessions to steal banking credentials.
- Evolution of Threats: Maverick shows similarities to previous banking trojans like Coyote, indicating an evolving cybercriminal landscape.
- Advanced Evasion: The malware employs sophisticated techniques to evade detection and disable security measures.
The Maverick Malware Campaign
Cybersecurity researchers have identified a new threat actor, tracked as 'Water Saci,' behind the Maverick campaign. The malware is distributed as a ZIP archive containing a malicious LNK (Windows shortcut) file, sent via WhatsApp messages. These messages often instruct the recipient to open the file on a computer rather than on the phone, which sidesteps mobile security controls. Once executed, the LNK file starts a multi-stage PowerShell infection chain designed to disable security features such as Microsoft Defender and User Account Control (UAC).
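The chain described above (a shortcut opened from a downloaded archive, PowerShell launched with a hidden window, then Defender and UAC tampering) leaves a recognisable trail in process-creation telemetry. The following detection logic is an added example written for this page; it is not code from the article, from Sophos, Kaspersky or any other source cited here. The event records are constructed to resemble Sysmon Event ID 1 / Security 4688 fields, the rule names R1 to R3 and the path and command-line patterns are my own assumptions, and the `Set-MpPreference` / `Add-MpPreference` cmdlets and the `EnableLUA` registry value are real Windows names used here only as detection indicators.

```python
"""Correlate process-creation events into a Maverick-style infection chain.

Added example, not from the article or any vendor. Field names mimic
Sysmon Event ID 1; sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


# R1: PowerShell spawned by explorer.exe (the shortcut being double-clicked),
#     hidden or encoded, referencing a staging path such as Temp or Downloads.
HIDDEN_OR_ENCODED = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b", re.I)
STAGING_PATH = re.compile(r"\\(Temp|Downloads|INetCache)\\", re.I)
# R2: Defender tampering via real Defender cmdlets (assumed indicator list).
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)"
    r"|Add-MpPreference\s+-ExclusionPath", re.I)
# R3: UAC tampering: EnableLUA set to 0 (reg.exe or Set-ItemProperty forms).
UAC_TAMPER = re.compile(r"EnableLUA.*?\b0\b", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_launcher(e: ProcEvent) -> bool:
    """R1: hidden/encoded PowerShell under explorer.exe touching a staging path."""
    return (_basename(e.image) == "powershell.exe"
            and _basename(e.parent_image) == "explorer.exe"
            and bool(HIDDEN_OR_ENCODED.search(e.cmdline))
            and bool(STAGING_PATH.search(e.cmdline)))


def detect(events):
    """Return (per-process rule hits, chain alerts).

    A chain alert is raised only when an R1 launcher has R2 or R3 activity
    somewhere in its process subtree; an admin running Add-MpPreference on
    its own yields a hit but no alert.
    """
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        rules = set()
        if is_suspicious_launcher(e):
            rules.add("R1")
        if DEFENDER_TAMPER.search(e.cmdline):
            rules.add("R2")
        if UAC_TAMPER.search(e.cmdline):
            rules.add("R3")
        if rules:
            hits[e.pid] = rules

    chains = {}  # R1 launcher pid -> union of rules seen in its subtree
    for pid, rules in hits.items():
        cur, seen = by_pid.get(pid), set()
        while cur is not None and cur.pid not in seen:  # walk up the tree
            seen.add(cur.pid)
            if "R1" in hits.get(cur.pid, ()):
                chains.setdefault(cur.pid, set()).update(rules)
                break
            cur = by_pid.get(cur.ppid)

    alerts = [{"root_pid": root, "rules": sorted(rules), "severity": "high"}
              for root, rules in chains.items() if rules & {"R2", "R3"}]
    return hits, alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample telemetry (user name, file names and paths are invented).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, EXPLORER, "explorer.exe", ""),
    ProcEvent(200, 100, PS, r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                            r"-File C:\Users\ana\AppData\Local\Temp\comprovante.ps1", EXPLORER),
    ProcEvent(300, 200, PS, 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"', PS),
    ProcEvent(400, 200, r"C:\Windows\System32\reg.exe",
              r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
              r"/v EnableLUA /t REG_DWORD /d 0 /f", PS),
    ProcEvent(500, 100, PS, r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1", EXPLORER),  # benign
    ProcEvent(600, 100, PS, r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Build"', EXPLORER),
]

if __name__ == "__main__":
    hits, alerts = detect(SAMPLE_EVENTS)
    for pid, rules in sorted(hits.items()):
        print(f"pid {pid}: {sorted(rules)}")
    for a in alerts:
        print("ALERT", a)
```

The correlation step is the part worth copying: a single Defender exclusion or a hidden PowerShell window is noisy on its own, but the combination of a shortcut-launched PowerShell from a download location followed by Defender or UAC tampering in the same process tree is the shape of this campaign and is rare in legitimate activity.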
How Maverick Operates
After disabling security measures, the malware downloads the core Maverick payload. A key characteristic of Maverick is that it verifies whether the infected system is located in Brazil by checking the time zone, language, region, and date/time format. If the system is not in Brazil, the malware does not install, which indicates a highly targeted attack. The malware then monitors active browser tabs for URLs matching a list of Brazilian financial institutions. On a match, it contacts a remote server to fetch further commands, which can include gathering system information, serving phishing pages, and stealing credentials.
Similarities to Coyote and Evolving Tactics
Security firms such as Sophos and Kaspersky have noted significant code overlaps between Maverick and a previous banking trojan called Coyote, which also targeted Brazilian users. While some treat Maverick as an evolution of Coyote, others consider it a distinct, new threat. This evolution highlights a shift in cybercriminal tactics, away from traditional phishing and toward abusing trusted communication platforms and browser profiles for stealthier, more scalable attacks. The malware's authors also appear to have used AI-assisted code generation for tasks such as certificate decryption.
Expanding Targets and Advanced Infrastructure
While initially focused on banking, there is evidence that Maverick's targeting may be expanding to other sectors, such as the hospitality industry, to steal customer financial and booking data. The campaign uses a command-and-control (C2) system that, in some instances, relies on email servers rather than conventionally hosted servers, which makes detection more challenging. This infrastructure allows the threat actors to manage infected machines remotely in real time.
Brazil as a Prime Target
With over 148 million active WhatsApp users, Brazil represents a significant market for cybercriminals. The widespread adoption of WhatsApp as a primary communication tool makes it an ideal vector for malware distribution. Maverick is self-propagating: it sends the malicious files to the victim's contacts, multiplying its reach and exploiting social trust to bypass user caution.
Sources
WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks, The Hacker News.
New ‘Maverick’ Malware Targets Brazilian Banks via WhatsApp — Experts Warn of Rising Cyber Threat, The420.in.
WhatsApp Worm Targets Brazilian Banking Customers – Sophos News, Sophos News.
Maverick: a new banking trojan abusing WhatsApp in a massive scale distribution, Securelist.
WhatsApp Worm Targets Users with Banking Malware, Steals Login Information, GBHackers News.