
Brazilian Campaign: Spreading the Malware via WhatsApp

Severity: Medium
Published: Mon Nov 24 2025 (11/24/2025, 12:02:31 UTC)
Source: AlienVault OTX General

Description

A phishing campaign targeting Brazilian users spreads a banking trojan via WhatsApp Web by leveraging an open-source automation script. The attack starts with a malicious VBS script in a phishing email that downloads and executes an MSI installer and another VBS script. The second VBS installs Python and Selenium to inject malicious JavaScript into WhatsApp Web, enabling the malware to propagate by sending itself to the victim's contacts. The MSI drops an AutoIt script that monitors for Brazilian banking and cryptocurrency application windows and loads an encrypted payload into memory to evade detection. This payload specifically targets Brazilian financial institutions and cryptocurrency wallets. The campaign uses in-memory execution and automation to maintain stealth and persistence. No known exploits in the wild have been reported yet, and the campaign is currently assessed as medium severity. The attack is highly tailored to Brazilian users and financial targets but could pose risks if similar tactics spread elsewhere.

AI-Powered Analysis

Last updated: 11/24/2025, 12:24:10 UTC

Technical Analysis

This threat involves a sophisticated phishing campaign primarily targeting Brazilian users, leveraging WhatsApp Web as a propagation vector. The attack chain begins with a phishing email containing a malicious Visual Basic Script (VBS) that downloads and executes two components: an MSI installer and a secondary VBS script. The secondary VBS installs Python and Selenium, which are automation tools commonly used for browser control. Using Selenium, the attackers inject malicious JavaScript into the victim's WhatsApp Web session, enabling the malware to automatically send itself to the victim's WhatsApp contacts, facilitating rapid spread through social engineering. The MSI installer drops an AutoIt script that continuously monitors for windows related to Brazilian banking and cryptocurrency applications. Upon detecting such windows, it loads an encrypted payload directly into memory, avoiding writing to disk and thus evading traditional antivirus detection. This payload is a banking trojan designed to steal credentials and manipulate transactions specifically targeting Brazilian financial institutions and cryptocurrency wallets. The use of in-memory execution, automation frameworks, and social media platforms for propagation demonstrates a multi-layered approach to stealth and infection. Although no known exploits in the wild have been reported, the campaign's complexity and targeting indicate a focused threat against Brazilian financial users. The malware employs multiple MITRE ATT&CK techniques including T1113 (screen capture), T1056.001 (input capture: keylogging), T1059.007 (command and scripting interpreter: JavaScript), T1106 (execution through API), and T1566 (phishing). The campaign's reliance on WhatsApp Web and automation scripts is notable for its innovative propagation method. While currently focused on Brazil, the approach could be adapted to other regions if successful.

Potential Impact

For European organizations, the direct impact is currently limited due to the campaign's focus on Brazilian banking and cryptocurrency targets and the use of Portuguese-language phishing lures. However, European users with contacts in Brazil or those using WhatsApp Web could be indirectly affected if the malware spreads beyond its initial target. Financial institutions and cryptocurrency platforms in Europe could face risks if attackers adapt the malware to local targets. The use of in-memory execution and automation tools complicates detection and response, potentially leading to credential theft, financial fraud, and lateral movement within networks. The malware's ability to propagate via WhatsApp Web contacts increases the risk of rapid spread within connected user communities, including multinational corporations with Brazilian ties. Additionally, European organizations with remote or hybrid workforces using WhatsApp Web may be vulnerable to social engineering attacks leveraging this malware. The campaign highlights the growing risk of malware leveraging popular communication platforms for propagation, which could undermine trust and security in enterprise messaging environments.

Mitigation Recommendations

European organizations should implement targeted phishing awareness campaigns emphasizing the risks of executing scripts and opening attachments from unknown sources, especially VBS and MSI files. Deploy endpoint detection and response (EDR) solutions capable of detecting in-memory execution and unusual automation tool usage such as Python and Selenium. Monitor for suspicious activity involving WhatsApp Web sessions, including unexpected JavaScript injections or automated messaging behavior. Restrict or monitor the installation of scripting environments like Python and automation frameworks on corporate devices. Employ application whitelisting to prevent unauthorized execution of MSI installers and AutoIt scripts. Network monitoring should include detection of anomalous outbound connections to suspicious domains such as varegjopeaks.com and hash-based indicators of compromise. Encourage multi-factor authentication (MFA) for all financial and cryptocurrency-related accounts to reduce the impact of credential theft. Regularly update and patch systems to reduce the attack surface, even though no specific CVEs are associated with this campaign. Finally, collaborate with threat intelligence providers to stay informed about evolving tactics and indicators related to this campaign.
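The last two recommendations above (network monitoring for the listed domain, and hash-based indicator matching) are the ones a SOC can operationalise immediately. The following is an added, self-contained example of that matching logic; it is not code from the page, K7 Labs or AlienVault. The hash and domain values are copied from the page's IoC list; the proxy log lines and file-inventory records are constructed for illustration, as are the helper names (`scan_log`, `match_export`, `check_hash`). Domain matching is deliberately suffix-aware so subdomains of the listed domain are caught while look-alike registrations are not.

```python
"""Offline IoC matcher for the WhatsApp-spread banking trojan campaign.

Added example, not the page's or AlienVault's code. Hash and domain values
come from the page's IoC list; every log line and file record below is
constructed for illustration.
"""
import hashlib
import re

# Hashes exactly as listed on the page (lowercased). The page does not say
# which sample each hash belongs to, so they are kept as one flat set.
IOC_HASHES = {
    "45027d8ea53921b59c70c38d90dd8c14",
    "5bcb9f187320893d1b1c36fa0c18e094",
    "6f1b82b320feda1f719c3028da73e843",
    "8dbf440436eb57f38827351ddd05911a",
    "ce45c057113ba1ca6f1d7ae7e2004afb",
    "db0eab25b047f82a4644b3b86767a1aa",
    "f8dc59af96e73f14fefbc34840096153",
    "fb6a29742389af2a0cb2ad114442d0fb",
    "3b913576796b01db9857ee4e8ebdc687d65c9de6",
    "8f3b5a0cecd4d50fc6eb52a627fe6a9179e71736",
    "e1779d9810ad39a45759c856cc85f1148a8f6601",
    "fc03a6ffac6bcc6817489f006b6d5684b5ef3ab0",
    "2c885d1709e2ebfcaa81e998d199b29e982a7559b9d72e5db0e70bf31b183a5f",
    "559de79e8aa9be8b64c77543e0a2e74494ead20a0f499e25d45a0fed3ad7352a",
    "5e41ab0d45b7046d6fef9ac01d1fc0df8bdeb60227edf40f8e351c60b09b8b7d",
    "6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1",
}
IOC_DOMAINS = {"varegjopeaks.com"}

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")  # dotted host-like tokens


def classify_hash(digest):
    """Return the algorithm implied by a hex digest's length, or None if malformed."""
    digest = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    return HASH_ALGOS.get(len(digest))


def check_hash(digest):
    """Return the algorithm name if `digest` is a listed IoC (case-insensitive), else None."""
    algo = classify_hash(digest)
    if algo and digest.strip().lower() in IOC_HASHES:
        return algo
    return None


def hash_bytes_matches(data):
    """Hash raw file content with all three algorithms and report which ones hit an IoC."""
    return [algo for algo in ("md5", "sha1", "sha256")
            if hashlib.new(algo, data).hexdigest() in IOC_HASHES]


def domain_matches(host, ioc):
    """True for the IoC domain itself or any subdomain of it; false for look-alikes."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def scan_log(lines):
    """Return (1-based line number, host) for every line that contacts an IoC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in HOST_RE.findall(line):
            if any(domain_matches(token, ioc) for ioc in IOC_DOMAINS):
                hits.append((n, token.lower()))
    return hits


def match_export(records):
    """Check a file-inventory export ({'path': ..., '<algo>': digest} dicts) against the IoC set."""
    hits = []
    for rec in records:
        for key, value in rec.items():
            if key == "path":
                continue
            algo = check_hash(value)
            if algo:
                hits.append((rec["path"], algo, value.strip().lower()))
    return hits


# Constructed proxy log lines (not from the page); line 4 is a look-alike that must not match.
SAMPLE_PROXY_LOG = [
    "2025-11-24T12:02:31Z src=10.0.0.15 dst_host=www.example.org status=200",
    "2025-11-24T12:03:10Z src=10.0.0.15 dst_host=varegjopeaks.com status=200",
    "2025-11-24T12:03:12Z src=10.0.0.22 dst_host=cdn.varegjopeaks.com status=302",
    "2025-11-24T12:04:00Z src=10.0.0.22 dst_host=notvaregjopeaks.com status=200",
]
# Constructed inventory records (paths are placeholders); records 1 and 3 carry page IoCs.
SAMPLE_EXPORT = [
    {"path": "C:/Temp/file_a.bin", "md5": "45027D8EA53921B59C70C38D90DD8C14"},
    {"path": "C:/Temp/file_b.bin", "sha256": "ab" * 32},
    {"path": "C:/Temp/file_c.bin", "sha1": "3b913576796b01db9857ee4e8ebdc687d65c9de6"},
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_PROXY_LOG))
    print(match_export(SAMPLE_EXPORT))
    print(hash_bytes_matches(b"constructed sample content"))
```

Feeding real proxy or DNS logs line by line into `scan_log`, and an EDR hash export into `match_export`, gives a first-pass sweep for the indicators the page lists; a hit on the domain or any of the hashes is grounds to pull the host for the in-memory and automation-tool checks described above.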


Technical Details

Author: AlienVault
TLP: white
References: https://labs.k7computing.com/index.php/brazilian-campaign-spreading-the-malware-via-whatsapp/
Adversary: not specified
Pulse Id: 69244957dff9333c2df77a05
Threat Score: not specified

Indicators of Compromise

Hash (MD5)

45027d8ea53921b59c70c38d90dd8c14
5bcb9f187320893d1b1c36fa0c18e094
6f1b82b320feda1f719c3028da73e843
8dbf440436eb57f38827351ddd05911a
ce45c057113ba1ca6f1d7ae7e2004afb
db0eab25b047f82a4644b3b86767a1aa
f8dc59af96e73f14fefbc34840096153
fb6a29742389af2a0cb2ad114442d0fb

Hash (SHA-1)

3b913576796b01db9857ee4e8ebdc687d65c9de6
8f3b5a0cecd4d50fc6eb52a627fe6a9179e71736
e1779d9810ad39a45759c856cc85f1148a8f6601
fc03a6ffac6bcc6817489f006b6d5684b5ef3ab0

Hash (SHA-256)

2c885d1709e2ebfcaa81e998d199b29e982a7559b9d72e5db0e70bf31b183a5f
559de79e8aa9be8b64c77543e0a2e74494ead20a0f499e25d45a0fed3ad7352a
5e41ab0d45b7046d6fef9ac01d1fc0df8bdeb60227edf40f8e351c60b09b8b7d
6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1

Domain

varegjopeaks.com

Threat ID: 69244dd3911d225366056a82

Added to database: 11/24/2025, 12:21:39 PM

Last enriched: 11/24/2025, 12:24:10 PM

Last updated: 11/24/2025, 8:34:28 PM
