A new WhatsApp worm is circulating in Brazil, delivering the Eternidade Stealer banking trojan. The malware targets cryptocurrency wallets and financial services, stealing user credentials. The worm uses WhatsApp to spread, infecting devices through malicious files.
Researchers from Trustwave SpiderLabs discovered that the worm uses the Internet Message Access Protocol (IMAP) to fetch its command-and-control (C2) addresses. This allows the attackers to update their C2 server without disruption. Trustwave researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi detailed their findings in a blog post.
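One defender-side check for the IMAP-based C2 lookup described above, written as an added example (not code from the report or from Trustwave): a mailbox-as-dead-drop means an outbound IMAP connection from a script interpreter or a system process is a useful hunting signal. The log format, allowlist and sample lines are constructed for illustration.

```python
import re

# Hypothetical detection for the IMAP-based C2 lookup described above: the
# stealer reads its C2 address from a mailbox, so an outbound connection to
# TCP 143/993 from anything other than a mail client deserves a look.
IMAP_PORTS = {143, 993}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # assumed allowlist
HIGH_RISK = {"wscript.exe", "cscript.exe", "python.exe",  # stage-1/2 interpreters
             "pythonw.exe", "svchost.exe"}                 # hollowed host process

# Constructed Sysmon-Event-3-like "key=value" lines; not real telemetry.
LOG_RE = re.compile(r'image="(?P<image>[^"]+)".*?dst_port=(?P<port>\d+)')

def classify(line):
    """Return (process_name, severity) for an IMAP connection, else None."""
    m = LOG_RE.search(line)
    if not m or int(m.group("port")) not in IMAP_PORTS:
        return None
    name = m.group("image").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in MAIL_CLIENTS:
        return name, "info"
    return name, "high" if name in HIGH_RISK else "medium"

def scan(lines):
    """Alerts for every IMAP connection not made by a known mail client."""
    return [r for r in map(classify, lines) if r and r[1] != "info"]

SAMPLE = [
    'image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" dst_ip=203.0.113.10 dst_port=993',
    'image="C:\\Windows\\System32\\svchost.exe" dst_ip=203.0.113.20 dst_port=993',
    'image="C:\\Windows\\System32\\wscript.exe" dst_ip=203.0.113.20 dst_port=143',
    'image="C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe" dst_ip=203.0.113.30 dst_port=443',
]

if __name__ == "__main__":
    for name, sev in scan(SAMPLE):
        print(f"{sev.upper():6} IMAP connection from {name}")
```

On a real fleet the allowlist has to be tuned per environment, and a hollowed svchost.exe would additionally stand out by its parent process and command line.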
The worm starts with an obfuscated VBScript, primarily written in Portuguese. This script drops a Python-based worm that hijacks WhatsApp and distributes the malware. Using the wppconnect library, the worm extracts contact lists and customizes messages with personalized greetings.
A key feature of the malware is its ability to steal the entire WhatsApp contact list. It gathers phone numbers and names to identify victims’ devices. The stolen data is then sent to an attacker-controlled server for further exploitation.
The second stage of the attack involves an MSI installer. This installer drops several components, including an AutoIt script. The script checks if the system’s language is set to Brazilian Portuguese before proceeding.
If the system passes the language check, the malware proceeds to profile the device. It scans running processes and registry keys for security tools. Once the device is profiled, it sends details back to the attackers’ C2 server.
Afterward, the Eternidade Stealer payload is injected into “svchost.exe” using a technique known as process hollowing. This lets the trojan run inside what appears to be a legitimate system process, helping it evade detection. The malware targets financial services, specifically banks and cryptocurrency platforms in Brazil.
The malware constantly monitors active windows for keywords related to banking apps. It focuses on major Brazilian financial institutions and global fintech companies like Binance and Coinbase. When users open one of these applications, the malware triggers credential-stealing routines without detection.
Trustwave SpiderLabs also discovered that the malware employs geofencing to limit its reach. It blocks most connections outside Brazil and Argentina. Of 454 recorded attempts, only 2 connections reached the malicious domain.
The majority of blocked connections came from countries like the United States, the UK, and Germany. The attackers limited their targets to Brazilian WhatsApp users. Logs indicated that most failed connection attempts came from Windows systems, though some were from macOS, Linux, and Android.
The discovery of the Eternidade Stealer comes just weeks after another WhatsApp-based malware, SORVEPOTEL, was found spreading in Brazil. This latest attack further underscores the growing threat of WhatsApp worms targeting the financial services sector.
The post WhatsApp Worm Spreads Banking Trojan to Brazilian Crypto Users appeared first on CoinCentral.