In a recent cyber threat campaign, WhatsApp users are being targeted with malicious Visual Basic Script (VBScript) files disguised as legitimate documents. This operation is aimed at installing genuine Remote Monitoring and Management (RMM) software on victims’ systems, raising alarms in the cybersecurity community.
Global Targeting of WhatsApp Users
According to Kaspersky’s findings, this campaign affects users of WhatsApp Desktop and Web in various countries, including Malaysia, Brazil, India, and others. The highest number of victims is reported in Malaysia. The attackers use deceptive file names that appear to be business or financial documents to trick recipients into downloading and running the files.
Security expert Fareed Radzi has noted that the VBScript initiates a multi-step infection process that ends with the installation of RMM software, granting the attackers remote access. Exactly how the attackers gain control over the WhatsApp accounts used to send the files remains unknown.
Deceptive Techniques and Obfuscation
The VBScript files are heavily obfuscated, camouflaged as harmless documents with names like “Financial Reports.vbs” or “Account Statement.vbs.” These files also appear in multiple languages, showcasing the global reach of the threat. Kaspersky highlights that the scripts contain metadata mimicking legitimate Microsoft components, with notes in Chinese relating to system integrity and update functionalities.
The VBScript runs under “WScript.exe,” the Windows script host, which then retrieves additional components for the subsequent attack stages. The infection process differs slightly depending on whether the victim uses WhatsApp Web or WhatsApp Desktop, with distinct methods of execution and file handling in each scenario.
Potential Threats and User Precautions
The ultimate goal of the VBScript is to download further scripts aimed at altering Windows User Account Control (UAC) settings and deploying a ZIP file with the ManageEngine RMM Central installation package. While the attackers remain unidentified, Kaspersky has found infrastructure connections to previous Gh0st RAT and ValleyRAT activities.
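The chain described above (a script host launched on a lure-named .vbs, follow-on downloads, a change to UAC settings, then an RMM installer) maps onto process-creation telemetry. The following Python is an added detection example, not code from the article or from Kaspersky's report: it evaluates a few rules over constructed process-creation events. The sample paths and file names, the list of follow-on tools, and the registry location used for the UAC check (the standard Policies\System key; the article only says "UAC settings") are assumptions, not indicators taken from the page.

```python
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Follow-on tools a script host rarely needs to spawn on an end-user workstation (assumed list).
SUSPICIOUS_CHILDREN = ("powershell.exe", "cmd.exe", "mshta.exe", "certutil.exe",
                       "bitsadmin.exe", "curl.exe", "reg.exe", "msiexec.exe")
# User-writable locations where a file received over chat typically lands (assumed).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\", "\\whatsapp")
# Words the lure file names imitate: finance/business documents, as the article describes.
LURE_WORDS = ("financial", "report", "statement", "account", "invoice", "payment")
# Registry location of the UAC policy values. Assumption: the article does not name the key;
# this is the standard place where Windows keeps those settings.
UAC_POLICY_KEY = "\\policies\\system"
UAC_VALUES = ("enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop")

SEVERITY = {
    "script_host_from_user_path": 2,
    "document_lure_name": 1,
    "script_host_spawns_tool": 3,
    "uac_policy_tampering": 3,
}

# Constructed sample events in a Sysmon-like shape (parent image, image, command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Financial Reports.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -windowstyle hidden -file "C:\Users\alice\AppData\Local\Temp\stage2.ps1"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    # Benign: an admin maintenance script run by a scheduled task from a system path.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\ProgramData\Scripts\backup_rotate.vbs"'},
]


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the list of rule names that fire for one process-creation event."""
    findings = []
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "").lower()

    if image in SCRIPT_HOSTS:
        # Pull the .vbs argument out of the command line, quoted or bare.
        m = re.search(r'"([^"]+\.vbs)"|(\S+\.vbs)', cmdline)
        script = (m.group(1) or m.group(2)) if m else ""
        if script and any(hint in script for hint in USER_WRITABLE_HINTS):
            findings.append("script_host_from_user_path")
        if script and any(word in basename(script) for word in LURE_WORDS):
            findings.append("document_lure_name")

    if parent in SCRIPT_HOSTS and image in SUSPICIOUS_CHILDREN:
        findings.append("script_host_spawns_tool")

    if UAC_POLICY_KEY in cmdline and any(v in cmdline for v in UAC_VALUES):
        findings.append("uac_policy_tampering")

    return findings


def scan(events: list[dict]) -> list[dict]:
    """Evaluate every event; report index, findings and the highest severity among them."""
    report = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            report.append({"index": i, "findings": hits,
                           "severity": max(SEVERITY[h] for h in hits)})
    return report


if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS):
        print(row)
```

Correlating the three alerts on one host within a short window (script host from a download path, then a spawned tool, then a UAC policy change) is what turns these individually noisy rules into a high-confidence signal; the benign scheduled-task script in the sample set fires none of them.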
Users are advised to exercise caution when receiving unexpected documents through WhatsApp, even from known contacts. Check what a file actually is before opening it: a script or executable type such as VBS or EXE is not a document, whatever its name suggests.
As this threat continues to evolve, maintaining vigilance and adopting robust cybersecurity practices are essential for protecting sensitive information and systems from unauthorized access.
