
WhatsApp Worm Unleashes Astaroth Banking Trojan on Brazil

A sophisticated new cyberattack campaign, codenamed "Boto Cor-de-Rosa," is leveraging WhatsApp to distribute the potent Astaroth banking trojan across Brazil. This evolving threat uses a worm-like mechanism to spread rapidly through contact lists, targeting users for financial data theft. The campaign highlights the increasing use of multi-language components and social engineering tactics by cybercriminals.

Key Takeaways

  • A new WhatsApp worm is spreading the Astaroth banking trojan in Brazil.

  • The malware harvests contact lists to auto-send malicious ZIP files to contacts.

  • Astaroth targets financial credentials through sophisticated monitoring and credential-stealing modules.

  • The campaign utilizes Python for the worm module and Delphi for the core payload, showcasing modular development.

  • Attackers employ localized messages and time-based greetings to enhance social engineering effectiveness.

The Astaroth Threat

Astaroth, also known as Guildma, has been active since 2015, primarily targeting Latin American users, especially in Brazil, for data theft. Previous campaigns have utilized phishing emails. However, this latest iteration marks a significant shift by exploiting the widespread use of WhatsApp as a primary distribution vector.

Attack Chain and Propagation

The attack begins when a victim receives a WhatsApp message containing a malicious ZIP archive. Upon opening the archive, a Visual Basic Script (VBS) disguised as a benign file is executed. This script downloads and installs the Astaroth banking trojan and a Python-based propagation module.

The propagation module is designed to harvest the victim's WhatsApp contacts and automatically send them a new malicious ZIP file, creating a self-sustaining, worm-like spread. This module is implemented entirely in Python, demonstrating the threat actors' growing use of multi-language components.
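As an added defensive illustration (not code from this article or from any of the sources it cites), the Python below checks the two observable points of the delivery chain described above: a ZIP attachment whose members would execute as scripts when opened, and a process-creation event in which a script host runs such a file after a user launched it from Explorer or an archive tool. The archive contents, file names, paths, user name and events are constructed for the example, and the list of "user launch" parent processes is an assumption a team would tune to its own environment.

```python
"""Added example: triage of a ZIP attachment and of process-creation events for the
ZIP -> VBS -> downloader pattern described in the article. Not code from the article
or its sources; all names, paths and events below are constructed."""
import io
import zipfile
from typing import Dict, List

# Extensions that Windows Script Host or mshta will execute when double-clicked.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
# Script interpreters that run such files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Parents that indicate a user opened the file from the shell or an archive tool (assumed list).
USER_LAUNCH_PARENTS = {"explorer.exe", "7zfm.exe", "winrar.exe", "winzip64.exe"}


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real sample): one benign text file and one
    VBS whose name carries a decoy .pdf extension in front of the real .vbs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Arquivo_Solicitado.pdf.vbs", "' placeholder body, not a script\r\n")
        zf.writestr("leiame.txt", "placeholder\n")
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Return the names of archive members that would run as a script when opened.
    Only the central directory is read, so nothing is extracted or executed."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                flagged.append(info.filename)
    return flagged


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_script_host_events(events: List[Dict[str, str]]) -> List[str]:
    """Return ids of process-creation events where a script host runs a script file
    and its parent is the user's shell or an archive utility, i.e. the event the
    'open the ZIP, double-click the VBS' stage produces. A logon script started by
    userinit.exe uses the same host but a different parent, so it is left alone."""
    hits = []
    for ev in events:
        image = _basename(ev["image"])
        parent = _basename(ev["parent_image"])
        cmd = ev["command_line"].lower()
        runs_script = any(ext in cmd for ext in SCRIPT_EXTENSIONS)
        if image in SCRIPT_HOSTS and parent in USER_LAUNCH_PARENTS and runs_script:
            hits.append(ev["id"])
    return hits


# Constructed process-creation events (Sysmon-style fields; every value is invented).
SAMPLE_EVENTS = [
    {   # user double-clicked the extracted VBS: should be flagged
        "id": "evt-1",
        "image": r"C:\Windows\System32\wscript.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\ana\Downloads\Arquivo\Arquivo_Solicitado.pdf.vbs"',
    },
    {   # domain logon script started by userinit: same host, different parent, not flagged
        "id": "evt-2",
        "image": r"C:\Windows\System32\wscript.exe",
        "parent_image": r"C:\Windows\System32\userinit.exe",
        "command_line": r"wscript.exe \\corp.example\netlogon\logon.vbs",
    },
    {   # ordinary application launch from Explorer: not flagged
        "id": "evt-3",
        "image": r"C:\Program Files\Example\example.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Program Files\Example\example.exe"',
    },
]

if __name__ == "__main__":
    print("archive members to quarantine:", suspicious_members(build_sample_zip()))
    print("process events to investigate:", flag_script_host_events(SAMPLE_EVENTS))
```

The archive check is cheap enough to run at a mail or chat gateway on every attachment, and the process check is the kind of rule that pairs naturally with an outbound-connection alert for the same script host, since the page notes the VBS stage immediately downloads the trojan and the propagation module.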

Banking Module and Data Theft

Meanwhile, the banking module operates silently in the background, continuously monitoring the victim's web browsing activity. When banking-related URLs are accessed, the module activates its credential-stealing functionality, aiming to gain unauthorized access to financial accounts and facilitate fraud.

Social Engineering Tactics

Cybercriminals behind this campaign are employing sophisticated social engineering tactics. The WhatsApp messages are crafted in casual, familiar Portuguese, often including time-appropriate greetings like "Good morning," "Good afternoon," or "Good evening." The messages typically state something like, "Here is the requested file. If you have any questions, I'm available!" This approach aims to mimic legitimate conversations and increase the likelihood of recipients opening the malicious attachment.

Campaign Victimology and Evolution

While the campaign is heavily focused on Brazil, with over 95% of impacted devices located there, some infections have been observed in the U.S. and Austria. The malware also includes a built-in mechanism to track and report propagation metrics in real-time, logging statistics such as successful deliveries and sending rates. This continuous evolution, blending technical innovation with psychological manipulation, underscores a concerning trend in banking malware development.

Sources

  • WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging, The Hacker News.

  • Astaroth banking Trojan spreads in Brazil via WhatsApp worm, Security Affairs.

  • WhatsApp compromise leads to Astaroth deployment, Secureworks.

  • Astaroth banking malware returns with WhatsApp-based worm targeting Brazil, SiliconANGLE.

  • Astaroth Banking Trojan Targets Brazilians via WhatsApp Messages, Hackread.
