An ongoing malware campaign targets WhatsApp users across multiple countries with messages containing obfuscated VBScript files disguised as business documents, sent from compromised accounts of the victims' contacts. The malicious files use localized filenames suggesting financial reports, billing statements, and account notices to increase the likelihood of execution. When opened on Windows systems, the VBScript fetches additional scripts that disable User Account Control protections and silently install ManageEngine Endpoint Central, a legitimate remote administration tool configured to connect to attacker-controlled servers.
Kaspersky telemetry indicates the campaign spreads across Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. The initial VBScript can be executed directly via Windows Script Host when delivered through the WhatsApp Desktop client or downloaded from WhatsApp Web. The method used to compromise the source accounts remains unknown. Researchers observed signs of Chinese language use and infrastructure overlaps with IP addresses previously linked to ValleyRAT and Gh0st RAT activity, but attribution remains inconclusive.
Once installed, ManageEngine Endpoint Central provides attackers with full remote administration access to the victim's computer. WhatsApp users are advised to treat files from contacts with caution, verify attachments through secondary communication, and scan all downloaded files with updated antivirus software. The campaign demonstrates how threat actors leverage trust relationships within messaging platforms to deliver payloads that abuse legitimate administrative tools for malicious purposes.
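Detection logic for the chain described above, as an added example that is not from the article or from Kaspersky's report: it scans constructed Sysmon-style process-creation events for a Windows Script Host process running a .vbs out of a user's Downloads folder, followed on the same host by a child of that script host touching the EnableLUA value or installing a ManageEngine/Endpoint Central package. The event layout, file paths and installer name are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not telemetry from the campaign).
# Each tuple: (timestamp, host, parent image, image, command line), sorted by time.
SAMPLE_EVENTS = [
    ("10:01:05", "ws01", "explorer.exe", "WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\ana\Downloads\WhatsApp\Relatorio_Financeiro.vbs"'),
    ("10:01:09", "ws01", "WScript.exe", "reg.exe",
     r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    ("10:01:40", "ws01", "WScript.exe", "msiexec.exe",
     r"msiexec /i C:\Users\ana\AppData\Local\Temp\EndpointCentralAgent.msi /qn"),  # constructed installer name
    ("10:05:00", "ws02", "explorer.exe", "WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Scripts\backup.vbs"'),  # benign admin script, should not fire
]

WSH_IMAGE = re.compile(r"^[wc]script\.exe$", re.I)
# Assumption: the WhatsApp-delivered script lands somewhere under the user's Downloads folder.
VBS_FROM_DOWNLOADS = re.compile(r"\\users\\[^\\]+\\downloads\\.*\.vbs", re.I)
# Any script-host child that references the UAC EnableLUA value is worth flagging, whatever the value written.
UAC_VALUE = re.compile(r"\bEnableLUA\b", re.I)
RMM_INSTALL = re.compile(r"manageengine|endpoint\s*central", re.I)


def classify(parent, image, cmdline):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    if WSH_IMAGE.match(image) and VBS_FROM_DOWNLOADS.search(cmdline):
        return "wsh_vbs"
    if WSH_IMAGE.match(parent) and UAC_VALUE.search(cmdline):
        return "uac_disable"
    if WSH_IMAGE.match(parent) and RMM_INSTALL.search(cmdline):
        return "rmm_install"
    return None


def detect(events):
    """Return {host: [stages]} for hosts where a Downloads-folder .vbs run under WSH
    is followed by a UAC registry change or an RMM agent install from that script host."""
    stages = {}
    for _ts, host, parent, image, cmdline in events:
        stage = classify(parent, image, cmdline)
        if stage is None:
            continue
        seen = stages.setdefault(host, [])
        # Later stages only count once the script itself has been observed on that host.
        if (stage == "wsh_vbs" or "wsh_vbs" in seen) and stage not in seen:
            seen.append(stage)
    return {h: s for h, s in stages.items() if len(s) > 1}


if __name__ == "__main__":
    for host, chain in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(chain)}")
```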
