Brazilian users have emerged as the target of a new self-propagating malware dubbed SORVEPOTEL that spreads via the popular messaging app WhatsApp.
The campaign, codenamed Water Saci by Trend Micro, weaponizes the trust with the platform to extend its reach across Windows systems, adding the attack is “engineered for speed and propagation” rather than data theft or ransomware.
“SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments,” researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon said.
“Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers.”
Once the attachment is opened, the malware automatically propagates via the desktop web version of WhatsApp, ultimately causing the infected accounts to be banned for engaging in excessive spam. There are no indications that the threat actors have leveraged the access to exfiltrate data or encrypt files.
The vast majority of the infections — 457 of the 477 cases — are concentrated in Brazil, with entities in government, public service, manufacturing, technology, education, and construction sectors impacted the most.
The starting point of the attack is a phishing message sent from an already compromised contact on WhatsApp to lend it a veneer of credibility. The message contains a ZIP attachment that masquerades as a seemingly harmless receipt or health app-related file.
That said, there is evidence to suggest that the operators behind the campaign have also used emails to distribute the ZIP files from seemingly legitimate email addresses.
Should the recipient fall for the trick and open the attachment, they are lured into opening a Windows shortcut (LNK) file that, when launched, silently triggers the execution of a PowerShell script responsible for retrieving the main payload from an external server (e.g., sorvetenopoate[.]com).
The downloaded payload is a batch script designed to establish persistence on the host by copying itself to the Windows Startup folder so that it’s automatically launched following a system start. It’s also designed to run a PowerShell command that reaches out to a command-and-control (C2) server to fetch further instructions or additional malicious components.
Central to SORVEPOTEL operations is the WhatsApp-focused propagation mechanism. If the malware detects that WhatsApp Web is active on the infected system, it proceeds to distribute the malicious ZIP file to all contacts and groups associated with the victim’s compromised account, allowing it to spread rapidly.
“This automated spreading results in a high volume of spam messages and frequently leads to account suspensions or bans due to violations of WhatsApp’s terms of service,” Trend Micro said.
“The Water Saci campaign demonstrates how threat actors are increasingly leveraging popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction. By combining convincing tried-and-tested phishing tactics, automated session exploitation, and evasion techniques, Water Saci is likely to spread fast.”
Update
Trend Micro has since updated its initial analysis to share details of a PowerShell payload downloaded from the C2 server that’s responsible for dropping next-stage shellcode capable of monitoring banking-related activity.
“The downloaded payload is a PowerShell script that reflectively loads a .NET DLL that pulls shellcode from the C&C server, injects it into powershell_ise.exe to monitor, and supports propagation (including via WhatsApp) while maintaining contact with multiple C2 servers,” the company said.
Specifically, the batch file obtains a PowerShell script that’s executed directly in memory to launch a .NET DLL binary, which then reaches out to an external server (“zapgrande[.]com”) to fetch a malware called Maverick.StageTwo and a downloader DLL associated with hijacking WhatsApp Web that runs only on systems with an active, logged-in WhatsApp session.
Prior to fetching these two payload, the DLL implements anti-analysis checks by scanning running processes for names related to debugging or reverse engineering tools such as apimonitor, blurp, fiddler, ghidra, IDA, windbg, wireshark, and x64debug, among others.
A .NET executable, Maverick.StageTwo establishes persistence using a batch script and checks active browser window URLs a hard-coded list of 65 financial institutions in Latin America, particularly this located in Brazil. If the website visited by a victim is a match, the malware proceeds to invoke a core component called Maverick.Agent to establish communication with a C2 server and await further instructions.
The commands allow the malware to collect system information, take screenshots, log keystrokes, inject one or more characters into the system, creat overlay screens that block keyboard and mouse interactions, gather a list of installed applications, and serve fake banking security alerts or phishing pages to steal user credentials and authentication tokens.
Some of the notable targets of the activity include Banco do Brasil, Bradesco, Binance, Caixa Econômica Federal (CEF), Itaú Unibanco, Mercado Pago, Banco do Nordeste, Santander, and Sicredi.
The second DLL, on the other hand, leverages browser automation tools like Selenium to control WhatApp Web and send messages containing the malware to other contacts and groups the victim belongs to.
(The story has been updated after publication to include additional details from Trend Micro.)
