A new wave of attacks is turning trusted WhatsApp messages into malware delivery traps for Windows users.
On Mar. 31, reports highlighted an ongoing malware campaign targeting Windows users via WhatsApp messages. Exploiting the familiar trust in WhatsApp, the attackers can deliver malicious scripts to users’ PCs that trigger a chain of malicious activities when clicked.
By burrowing deep into the system and renaming malicious files to something familiar, this malware can establish a backdoor and communicate with external malicious sites, according to Microsoft researchers.
An exploitation of trust
A notable number of Windows users run WhatsApp on their computers, either as the desktop app or in a browser. Because either version can receive a file attachment that Windows will execute when the user opens it, the attackers get both the implicit trust people place in WhatsApp and a path onto the most widely used desktop OS.
According to security researchers, this wave began in late February and uses a malicious Visual Basic Script (.vbs) attachment. On Windows, double-clicking a .vbs file hands it to the Windows Script Host (wscript.exe), which runs it immediately with the user's privileges. That single click starts the chain of activity that ends in hard-to-detect malware.
Persistence through stealth
Analysis of similar attack chains shows that, once the script runs, it creates hidden folders under C:\ProgramData and drops files under names chosen to resemble legitimate Windows components, such as assc.exe and netapi.dll.
The goal is to make the dropped files look like ordinary system components to a user browsing the directory and to reduce the chance that Microsoft Defender or another endpoint agent flags them.
The rename is less effective against tooling than against people, however. A compiled executable or DLL carries a version resource with an OriginalFilename field, and renaming the file on disk does not change it. Defender and most endpoint security products used by organizations read that metadata, so a file called netapi.dll whose embedded OriginalFilename says something else is itself a detection signal. The check is not infallible: scripts have no such field, and an attacker who controls the build can strip or forge the version resource.
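A way to check a machine for the two on-disk indicators described above, as an added example that is not from the article or from Microsoft. It walks C:\ProgramData (the root path is an assumption; change it as needed), includes hidden items, compares each executable's or DLL's on-disk name against the OriginalFilename embedded in its PE version resource, and records whether the file carries a valid Authenticode signature. It reads only; nothing on the system is modified.

```powershell
# Added example (not from the original article or from Microsoft).
# Hunts under C:\ProgramData for executables and DLLs whose on-disk name
# differs from the OriginalFilename compiled into their version resource,
# and for files without a valid Authenticode signature. Read-only.
# $Root is an assumption; point it elsewhere to hunt other locations.
$Root = 'C:\ProgramData'

# -Force surfaces hidden and system files, which this campaign relies on.
$candidates = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' }

$findings = foreach ($file in $candidates) {
    $hiddenFile   = ($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
    $parent       = Get-Item -LiteralPath $file.DirectoryName -Force -ErrorAction SilentlyContinue
    $hiddenParent = [bool]($parent -and (($parent.Attributes -band [IO.FileAttributes]::Hidden) -ne 0))

    # OriginalFilename lives in the VERSIONINFO resource inside the PE image,
    # so renaming the file on disk leaves it untouched. A missing value means
    # "unknown", not "clean": scripts and stripped binaries have no such field.
    $versionInfo = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($file.FullName)
    $original    = $versionInfo.OriginalFilename
    $mismatch    = [bool]($original) -and ($original.Trim() -ine $file.Name)

    $signature = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $unsigned  = ($signature.Status -ne 'Valid')

    if ($mismatch -or $hiddenFile -or $hiddenParent -or $unsigned) {
        [pscustomobject]@{
            Path             = $file.FullName
            HiddenFile       = $hiddenFile
            HiddenParent     = $hiddenParent
            OriginalFilename = $original
            NameMismatch     = [bool]$mismatch
            SignatureStatus  = $signature.Status
            Created          = $file.CreationTime
        }
    }
}

$findings | Sort-Object NameMismatch, HiddenParent -Descending | Format-Table -AutoSize -Wrap
```

Expect noise: plenty of legitimate third-party software under ProgramData is unsigned, and some vendors ship an OriginalFilename that differs from the installed name. Treat the output as a triage list, where a hidden parent directory plus a name mismatch plus no valid signature is the combination worth escalating. None of this replaces monitoring the file-creation and process events that would have shown the script dropping these files in the first place.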
Not every environment monitors for file-name mismatches, but many flag network connections to unusual destinations. The attackers anticipate this and try to blend their next stage into traffic that looks like routine Windows download activity.
Researchers have also observed such scripts retrieving payloads from trusted cloud storage services, including AWS S3 buckets, Tencent Cloud, and Backblaze B2. Because the requests go to widely used, legitimate cloud domains, the downloads are hard to distinguish from benign traffic by destination alone, even though the content they fetch is malicious.
Persistence through defense weakening
Much malware does not survive a reboot. This script, by contrast, may try several techniques to persist across reboots and to gain elevated privileges, including:
- Bypassing User Account Control (UAC), which requires user approval for admin-level actions, by repeatedly triggering or dismissing prompts until one succeeds.
- Running a command prompt script that modifies Windows registry settings to weaken system protections.
- Suppressing future UAC prompts through built-in Windows settings, so later actions run faster and with less visibility.
- Altering system settings so that the malware is relaunched after a reboot or after being stopped.
Having degraded the victim's defenses, it ultimately installs unsigned Windows Installer (MSI) packages. Through these, attackers can gain full remote control of the device, install backdoors, steal data, or use the compromised machine as a foothold to expand the attack.
What you can do to protect yourself and your organization
Microsoft recommends that Windows users and IT teams implement the following:
- Watch for social engineering: this is the initial access vector. A user who does not open an unexpected .vbs attachment stops this particular chain before it starts, however trusted the sender appears.
- Improve endpoint controls and network monitoring: much of this attack's success depends on gaps in these areas. Many recent threat actor campaigns misuse trust, here to fool both users and system controls, so zero-trust principles must apply inside the endpoint as well as at the perimeter.
- Monitor sensitive registry keys: UAC policy values and autorun locations should be watched for unexpected changes.
- Block known C2 infrastructure: feeding current threat intelligence into network controls can stop the malware from fetching later stages. Since this campaign pulls payloads from legitimate cloud storage services, destination blocking alone is not sufficient and should be paired with endpoint-side detection.
- Enable tamper protection: tamper protection prevents attackers, and sometimes even the user, from switching off core security services.
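The settings this campaign is described as weakening, and the monitoring the recommendations above call for, can be audited in a few lines. The following is an added example, not the article's or Microsoft's code: it compares the UAC policy values against their Windows client defaults, lists autorun entries in the Run and RunOnce keys with a flag on commands that point into ProgramData or a user profile or invoke a script host, and reports whether Defender's tamper protection is on. It changes nothing. The regular expression used to flag suspect autorun commands is a heuristic chosen for this example.

```powershell
# Added example (not from the original article or from Microsoft).
# Read-only audit of the controls the campaign is described as weakening:
# UAC policy values, autorun entries, and Defender tamper protection.
# An elevated prompt is recommended so every value is readable.

# --- 1. UAC policy values vs. Windows client defaults ------------------------
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$expectedUac = @{
    EnableLUA                  = 1   # 0 turns UAC off entirely
    ConsentPromptBehaviorAdmin = 5   # 0 elevates admins without any prompt
    PromptOnSecureDesktop      = 1   # 0 lets a prompt be scripted or spoofed
}
$uac = Get-ItemProperty -Path $uacKey
$uacFindings = foreach ($name in $expectedUac.Keys) {
    $actual = $uac.$name            # $null means the value is absent (default applies)
    [pscustomobject]@{
        Setting  = $name
        Expected = $expectedUac[$name]
        Actual   = $actual
        Weakened = ($null -ne $actual) -and ($actual -ne $expectedUac[$name])
    }
}
$uacFindings | Format-Table -AutoSize

# --- 2. Autorun entries used to survive a reboot ----------------------------
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Heuristic for this example: commands living in ProgramData or a user profile,
# or launched through a script host, deserve a closer look.
$suspectPattern = 'ProgramData|\\Users\\|wscript|cscript|mshta|powershell'
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, etc.
        [pscustomobject]@{
            Key     = $key
            Name    = $prop.Name
            Command = $prop.Value
            Suspect = [bool]($prop.Value -match $suspectPattern)
        }
    }
}
$autoruns | Format-Table -AutoSize -Wrap

# --- 3. Defender tamper protection ------------------------------------------
# Tamper protection stops Defender's own protections from being switched off
# through the registry, PowerShell or Group Policy, even by an elevated process.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    TamperProtected    = $mp.IsTamperProtected
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    BehaviorMonitoring = $mp.BehaviorMonitorEnabled
} | Format-List
```

A point-in-time read like this catches a machine that has already been weakened; to catch the change as it happens, the same keys should be covered by registry auditing or an EDR rule so that a write to EnableLUA or a new Run entry pointing into ProgramData raises an alert rather than waiting for the next scan.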
In a world where trust has become a potent weapon, threat actors no longer look for holes in unexpected places; they walk straight through the front door, unseen. Readers are advised to raise their security posture and keep doing the one thing that has worked best: staying alert to social engineering, no matter how trusted the channel.

