DIGITAL LIFE
WhatsApp account hijacking spreads malware globally
A new global cybercrime campaign detected in June 2026 is using WhatsApp account hijacking to spread malicious VBScript files among trusted contacts. The threat affects users of WhatsApp Desktop and WhatsApp Web across multiple continents, with an increasing focus on the European market through the use of multiple languages, including Portuguese. By taking control of legitimate profiles, attackers bypass standard defenses that rely on user skepticism, facilitating the installation of remote monitoring and management software to gain full control over affected systems.
Attackers use previously compromised legitimate profiles to send messages containing malicious attachments to existing contacts on the platform. This approach maximizes the likelihood that the victim will open the document, as the message appears to come from a colleague or friend.
Kaspersky’s Global Research and Analysis Team (GReAT) identified the operation and confirmed that the primary objective is to compromise Windows operating systems using legitimate administrative tools configured for malicious purposes.
Initial geographic distribution revealed a high volume of infections in Asian countries—with Malaysia leading the number of recorded cases, followed by Singapore, Taiwan, and Vietnam—as well as in Brazil. However, the inclusion of metadata and scripts translated into French, German, English, and Portuguese confirms that Europe is one of the criminal group's strategic targets. The files are disguised as invoices, payment receipts, bank statements, and debt notifications to encourage users in corporate environments to open them.
The code underlying this threat hides within structured comments and metadata that mimic official Microsoft operating system components. Once activated by the user, the file executes a sequence of encoded commands via Windows Script Host, running in the background without triggering visible alerts. The initial script creates a temporary directory at the local path `C:\Users\Public\Documents` to download additional payloads from external command-and-control servers.
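The behaviour just described (Windows Script Host running a script that was dropped under `C:\Users\Public`, launched from the WhatsApp Desktop session) is concrete enough to detect from ordinary process-creation telemetry. The following is an added example, not code from the article or from Kaspersky: a small PowerShell detector that scans process-creation records for that pattern. Field names follow Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`, `User`); the sample events, the regexes and the parent-process heuristic (which assumes the attachment is opened directly by the `WhatsApp.exe` process) are this example's own assumptions.

```powershell
# Added example (not from the article): flag Windows Script Host launches that match the
# infection pattern described above. Sample events below are constructed, not real telemetry.

function Test-SuspiciousScriptHostLaunch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $Event   # one Sysmon-style process-creation record
    )
    # Only wscript.exe / cscript.exe launches are of interest here.
    if ($Event.Image -notmatch '(?i)\\(wscript|cscript)\.exe$') { return @() }

    $reasons = @()
    # Pattern 1: the script being run lives in the public profile, the drop location named in the article.
    if ($Event.CommandLine -match '(?i)C:\\Users\\Public\\' -and
        $Event.CommandLine -match '(?i)\.(vbs|vbe|js|jse|wsf)(\s|"|$)') {
        $reasons += 'script host executing a script from C:\Users\Public'
    }
    # Pattern 2: the script host was spawned by WhatsApp Desktop itself (assumption: the
    # attachment is launched by the WhatsApp process rather than via another handler).
    if ($Event.ParentImage -match '(?i)\\WhatsApp\.exe$') {
        $reasons += 'script host spawned by WhatsApp Desktop'
    }
    return $reasons
}

# Constructed sample records: one matching both patterns, one benign scheduled script,
# one matching only the drop-location pattern.
$sampleEvents = @(
    @{ User='CORP\alice'; Image='C:\Windows\System32\wscript.exe'
       ParentImage='C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe'
       CommandLine='"C:\Windows\System32\wscript.exe" "C:\Users\Public\Documents\Invoice.vbs"' },
    @{ User='NT AUTHORITY\SYSTEM'; Image='C:\Windows\System32\cscript.exe'
       ParentImage='C:\Windows\System32\svchost.exe'
       CommandLine='cscript.exe //nologo C:\ProgramData\Inventory\collect.vbs' },
    @{ User='CORP\bob'; Image='C:\Windows\System32\wscript.exe'
       ParentImage='C:\Windows\explorer.exe'
       CommandLine='"C:\Windows\System32\wscript.exe" "C:\Users\Public\Documents\Rechnung.vbs"' }
)

foreach ($e in $sampleEvents) {
    $hits = @(Test-SuspiciousScriptHostLaunch -Event $e)
    if ($hits.Count -gt 0) {
        Write-Output ('ALERT user={0} parent={1}: {2}' -f $e.User, $e.ParentImage, ($hits -join '; '))
    }
}
```

On a host with Sysmon installed, the same function can be fed live records by reading `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}` and mapping the event's `Image`, `ParentImage`, `CommandLine` and `User` properties into the hashtable. The first and third sample records raise an alert; the second, a SYSTEM-run script outside the public profile, does not.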
Fareed Radzi, a security researcher on Kaspersky’s GReAT team, explains the sophistication of the social engineering employed in this campaign.
In this campaign, attackers exploit the trust inherent in messaging platforms by using compromised WhatsApp accounts to send malicious attachments that appear to originate from known contacts, making recipients far more likely to interact with them. File names are carefully disguised as routine business documents—such as invoices and payment notices—and localized into multiple languages to support a broad dissemination strategy. Once opened, they trigger a multi-stage infection chain that silently downloads and executes additional malicious components from external infrastructure.
The final phase of the attack involves the silent installation of a remote monitoring and management software package. While legitimate in corporate technical support contexts, this application grants attackers full administrative privileges, enabling the exfiltration of sensitive data, credential monitoring, and the potential introduction of ransomware into the company's internal network.
Protection against social engineering attacks requires a combination of strict filtering policies and identity validation outside the messaging platform itself. System administrators should implement local rules to prevent script execution on work computers.
Key mitigation guidelines include:
- Restricting extensions: Block the direct execution of files with .vbs, .vbe, .exe, .bat, .cmd, .js, and .ps1 extensions from public user folders.
- Software Restriction Policies (SRP): Configure Windows AppLocker or Group Policies to prevent WhatsApp Desktop from launching unauthorized subprocesses.
- Out-of-band validation: Verify the legitimacy of any invoice or document received via chat platforms through a phone call or corporate email.
- Network monitoring: Implement detection systems that identify unusual connections from local computers to uncatalogued external servers.
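The first two guidelines can be expressed as an AppLocker policy. The script below is an added example, not code from the article: it builds a policy that denies scripts and executables launched from the public user profile (the drop location named in the article) while keeping the standard default allow rules, tests it against a placeholder file, and applies it locally in audit mode first. The rule names, the generated GUIDs and the audit-first choice are this example's own; the path variable `%OSDRIVE%`, the well-known SIDs `S-1-1-0` (Everyone) and `S-1-5-32-544` (Administrators) and the `Set-AppLockerPolicy` / `Test-AppLockerPolicy` cmdlets are standard Windows.

```powershell
# Added example (not from the article): AppLocker policy denying Script and Exe launches
# from %OSDRIVE%\Users\Public while keeping default allow rules.
#
# Caveat a practitioner needs: AppLocker is allow-list by default. Once a rule collection
# contains any rule, everything not explicitly allowed in it is blocked, so a deny rule on
# its own would block every script on the machine. Default allow rules must accompany it;
# deny rules always take precedence over allow rules, so the explicit deny still applies
# even to administrators, who otherwise get a blanket allow.

function New-PublicFolderDenyPolicy {
    param([ValidateSet('AuditOnly','Enabled')] [string] $Mode = 'AuditOnly')

    $collections = foreach ($type in 'Script','Exe') {
@"
  <RuleCollection Type="$type" EnforcementMode="$Mode">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny $type from public profile" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\Public\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow $type in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow $type in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators all $type" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
"@
    }

    return "<AppLockerPolicy Version=`"1`">`n$($collections -join "`n")`n</AppLockerPolicy>"
}

# Write the policy file. Audit mode logs what would be blocked without blocking it yet.
$policyPath = Join-Path $env:TEMP 'deny-public-folder.xml'
New-PublicFolderDenyPolicy -Mode AuditOnly | Set-Content -Path $policyPath -Encoding UTF8

# Dry run against an empty placeholder in the public profile (the cmdlet needs a real file).
$probe = 'C:\Users\Public\Documents\probe.vbs'
New-Item -ItemType File -Path $probe -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule
Remove-Item $probe

# Merge into the local policy. Enforcement also requires the Application Identity
# service (AppIDSvc) to be running.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Run the policy in `AuditOnly` for a period and review the `Microsoft-Windows-AppLocker/MSI and Script` and `Microsoft-Windows-AppLocker/EXE and DLL` event logs for legitimate launches that would have been denied before switching to `Enabled`. For domain-wide deployment the same XML is imported into a GPO under Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker rather than applied with `Set-AppLockerPolicy` on each host.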
mundophone