Cybercriminals focusing on Brazilian customers have aggressively escalated their techniques, launching a extremely subtle marketing campaign dubbed “Water Saci.”
This new wave of assaults weaponizes WhatsApp Internet, a platform implicitly trusted by tens of millions, to ship banking trojans and steal delicate monetary information.
By compromising consumer accounts, the attackers ship convincing messages to trusted contacts, making a speedy, self-propagating an infection loop that leverages social engineering to bypass conventional safety defenses successfully, impacting numerous unsuspecting people.
The an infection chain usually begins when customers obtain messages containing malicious attachments, corresponding to ZIP archives, PDF lures disguised as Adobe updates, or direct HTA recordsdata following particular naming patterns like A-{random}.hta.
A WhatsApp message luring consumer to open the ZIP file (Supply – Development Micro)
As soon as a sufferer opens these recordsdata, they execute a fancy multi-stage assault sequence involving Visible Primary scripts and MSI installers.
MSI Set up resulting in the banking trojan payload (Supply – Development Micro)
This course of stealthily downloads a banking trojan whereas concurrently deploying automation scripts designed to hijack the sufferer’s WhatsApp session for additional propagation, guaranteeing most attain.
Assault chain (Supply – Development Micro)
Development Micro safety analysts recognized that this marketing campaign marks a big shift in malware improvement, using synthetic intelligence to speed up its capabilities.
The attackers seem to have used Massive Language Fashions (LLMs) to translate and optimize their propagation code, transitioning from PowerShell to a extra strong Python-based infrastructure.
Strategic shift
This strategic shift considerably enhances their potential to unfold malware throughout totally different browsers, together with Chrome, Edge, and Firefox, making detection more and more troublesome for normal safety protocols and leaving customers susceptible.
A essential part of this technical evolution is the whatsz.py script, which replaces earlier PowerShell variants.
Evaluation reveals compelling proof of AI-assisted coding, corresponding to script headers explicitly stating “Versao Python Convertido de PowerShell”, and feedback like “model optimized with errors dealing with.”
Element recordsdata downloaded by instalar.bat and utilized by whatsz.py (Supply – Development Micro)
This script depends on part recordsdata like chromedriver.exe to automate the an infection course of, utilizing Selenium to inject the WA-JS library, extract contact lists, and ship malicious recordsdata in bulk to unsuspecting victims.
The Python code reveals a classy object-oriented construction with superior error dealing with, options usually absent in fast handbook ports.
Fundamental automation class with formatting definitions for various statuses (Supply – Development Micro)
As an example, the principle automation class defines clear formatting for varied statuses, guaranteeing dependable execution.
Moreover, the console output consists of colourful emojis, a trait not often seen in commonplace malware however widespread in AI-generated codebases.
This superior automation permits the malware to function autonomously, pausing and resuming duties to mix in with regular community site visitors whereas reporting progress to a command-and-control server, in the end guaranteeing persistent entry.
Comply with us on Google Information, LinkedIn, and X to Get Extra On the spot Updates, Set CSN as a Most popular Supply in Google.
