Trustwave SpiderLabs researchers have recognized a complicated banking trojan referred to as Eternidade Stealer that spreads by means of WhatsApp hijacking and social engineering ways.
The malware, written in Delphi, represents a major evolution in Brazil’s cybercriminal panorama, combining superior contact harvesting with credential theft focusing on monetary establishments.
The risk emerges from a multi-stage an infection chain that begins with an obfuscated VBScript despatched by way of WhatsApp messages.
The message obtained by way of WhatsApp throughout the preparation of the present report (Supply – Trustwave)
When executed, the script downloads a batch file containing two major payloads: a Python-based WhatsApp worm and an MSI installer that deploys the banking trojan.
This distribution methodology exploits the messaging platform’s trusted nature, making customers extra prone to work together with malicious attachments shared by contacts whose accounts have been compromised.
Trustwave safety analysts famous that the malware demonstrates outstanding sophistication in focusing on Brazilian victims particularly.
The trojan makes use of geolocation checks to confirm the working system language is Brazilian Portuguese earlier than continuing with an infection.
If the system language doesn’t match, the malware shows an error message and terminates, stopping unintended infections outdoors its meant goal area and avoiding sandbox detection.
The core performance of Eternidade Stealer entails stealing whole WhatsApp contact lists by means of the obter_contatos() operate, which executes JavaScript code utilizing the WPP.contact.record() API.
The malware intelligently filters out teams, enterprise contacts, and broadcast lists, focusing particularly on particular person private contacts extra prone to fall sufferer to phishing messages.
Every stolen contact file consists of the total WhatsApp ID, contact identify, telephone quantity, and whether or not the contact is saved.
Eternidade Stealer’s assault chain (Supply – Trustwave)
After assortment, the malware instantly sends this knowledge to the command-and-control server by way of HTTP POST requests with out consumer interplay.
What makes Eternidade Stealer notably harmful is its dual-layer persistence mechanism. The trojan makes use of hardcoded credentials to attach by way of IMAP to an e-mail account managed by risk actors.
It extracts the command-and-control server deal with from e-mail topics and our bodies, permitting attackers to replace their infrastructure dynamically and preserve connections even when particular domains are seized.
The malware targets over 40 Brazilian monetary establishments, cost companies like MercadoPago, and cryptocurrency exchanges, together with Binance and Coinbase.
When a sufferer accesses a focused banking software, the trojan prompts its overlay functionality, displaying faux login screens designed to steal credentials seamlessly.
System reconnaissance capabilities accumulate data, together with OS particulars, put in antivirus software program, public and native IP addresses, and working processes.
This reconnaissance helps risk actors decide whether or not to proceed with credential theft or banking overlay deployment.
The investigation revealed that one risk actor’s infrastructure recorded 454 connection makes an attempt globally, with vital site visitors from the US and European nations, suggesting broader assault ambitions past Brazil’s borders.
Comply with us on Google Information, LinkedIn, and X to Get Extra Immediate Updates, Set CSN as a Most well-liked Supply in Google.
