Eternidade Stealer: WhatsApp Hijacking for Banking Fraud
Eternidade Stealer is a banking Trojan campaign distributed through WhatsApp account hijacking and social engineering. A Python-based WhatsApp worm on an infected machine sends a malicious attachment to the victim's contacts; the attachment is an MSI installer that deploys a Delphi-based banking Trojan. The campaign's goal is to steal banking credentials and carry out fraud. No software vulnerability is exploited and no prior access to the target is needed, but infection depends on the recipient opening the attachment and running the installer. The payload targets Windows only. The medium severity rating reflects moderate impact combined with the user-interaction requirement. European organizations with significant WhatsApp usage and Windows endpoints are at risk, financial institutions in particular. Mitigations include user awareness training, restricting MSI execution on endpoints, and watching for host-side signs of worm activity (WhatsApp message content is end-to-end encrypted, so it cannot be inspected on the network). Countries with high WhatsApp penetration and large financial sectors, such as Germany, France, Italy, Spain and the UK, are the most likely to be affected. The threat is rated medium risk because it relies on social engineering and has a targeted banking-fraud objective.
AI Analysis
Technical Summary
Eternidade Stealer is a recently identified banking Trojan campaign reported by Trustwave SpiderLabs researchers. Its distribution method is the notable part: a worm written in Python hijacks the infected user's WhatsApp session and sends a malicious attachment to that user's contacts, so every lure arrives from a known, trusted sender. The attachment is an MSI installer; when the recipient runs it, it deploys a Delphi-based banking Trojan designed to steal banking credentials and enable fraudulent transactions. Social engineering is the entire infection vector: no vulnerability in WhatsApp, Windows Installer or Windows itself is exploited, which is why no known exploits are listed for this campaign, and infection depends entirely on the recipient running the installer. The MSI format serves as a delivery wrapper rather than an exploit: it is a familiar installer type, it runs through the legitimate msiexec.exe, and it blends in with normal software installation. The Trojan targets Windows only. The worm component gives the campaign its potential for rapid spread, since each new victim's contact list becomes the next set of targets. The medium severity rating reflects the threat to the confidentiality and integrity of banking information, the need for user interaction, and a scope limited to Windows users who open the attachment. The campaign's reliance on WhatsApp, a widely used messaging platform, increases its reach, especially in regions with high WhatsApp adoption. The Delphi-based Trojan likely has the capabilities typical of this malware class, such as credential theft, keylogging or web injection; these are inferred from its objective rather than confirmed here. The combination of trusted-contact social engineering and worm propagation is a sophisticated approach to distributing financially motivated malware.
Potential Impact
For European organizations, the Eternidade Stealer campaign poses a significant threat to financial institutions and to any entity whose employees or customers use WhatsApp and run Windows endpoints. Theft of banking credentials can lead to direct financial losses, unauthorized transactions and reputational damage. Because the worm sends the attachment to the infected user's WhatsApp contacts, propagation follows the social graph rather than the corporate network: colleagues who are WhatsApp contacts of an infected employee receive the lure from a trusted sender, so spread inside an organization, or across personal networks, can be rapid. The reliance on social engineering makes user awareness a critical control, but a successful infection still exposes the confidentiality and integrity of sensitive financial information. Fraud investigation, customer remediation and account recovery raise operating costs, and organizations may face regulatory consequences under GDPR if customer financial data is compromised. The impact is greatest in sectors with a high dependence on digital banking and remote communication, which are prevalent across Europe.
Mitigation Recommendations
To mitigate the risk posed by Eternidade Stealer, European organizations should implement targeted measures beyond generic advice:
1) Conduct focused user awareness training on attachments received via WhatsApp or other messaging platforms. Stress the specific mechanism: the lure comes from a real, trusted contact whose account has been hijacked, so "I know the sender" is not a safety check. Unexpected installers or documents should be verified with the contact through another channel before being opened.
2) Restrict MSI execution on Windows endpoints with AppLocker or Windows Defender Application Control. The default AppLocker Windows Installer rules allow any digitally signed .msi and anything in the Windows Installer cache directory, so add rules that allow only known publishers or managed deployment paths and block packages run from Downloads, Temp and AppData. A standard user should not be able to run an installer that arrived as a message attachment.
3) Deploy endpoint detection and response (EDR) with rules for the delivery chain rather than for "Delphi" as such, which is not a detectable behaviour: msiexec.exe installing a package from a user-writable path, msiexec launched by WhatsApp Desktop or a browser, a Python interpreter or script running from a user profile, and unexpected child processes of msiexec.
4) Do not expect to see the worm in network traffic. WhatsApp messages are end-to-end encrypted, so message content and attachments cannot be inspected at the perimeter. Monitor instead for the host-side signs of worm activity in item 3, and for reports from contacts who receive unexpected attachments from an employee's number; these reports usually arrive before any technical alert.
5) Require multi-factor authentication for banking and other critical systems so that stolen static credentials cannot be reused on their own. Transaction signing or out-of-band confirmation of payments limits the damage if the Trojan also manipulates live sessions through web injection.
6) Establish a rapid incident response protocol for suspected infections: isolate the host, log out all linked devices from the affected WhatsApp account and re-link only trusted devices, reset banking credentials from a clean device, and warn the user's contacts that the attachment they received is malicious so the chain stops there.
7) Keep Windows and security software patched as general hygiene; no vulnerability is exploited in this campaign, so patching alone does not prevent it.
8) Restrict or monitor personal messaging apps on corporate devices where feasible; WhatsApp Desktop and WhatsApp Web in a browser are the usual paths by which a message attachment lands on a Windows endpoint.
These measures collectively reduce the likelihood of infection and limit the damage caused by successful compromises.
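The detector below is an added example, not code from the original write-up, from Trustwave, or from the malware itself. It applies the MSI-execution and EDR heuristics recommended above to constructed Sysmon Event ID 1 (process create) style records, so the triage logic can be exercised offline. The field subset, the user-writable path list, the parent-process list, the sample file names and all four sample events are assumptions for illustration; the actual paths and file names used by the campaign are not given on this page and may differ.

```python
import re
from dataclasses import dataclass

# Locations an unsolicited attachment typically lands in and runs from
# (assumed list; extend it to match your environment).
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp|appdata\\roaming)\\",
    re.IGNORECASE,
)
# Processes that should not normally be the parent of an installer launch
# (assumed list: WhatsApp Desktop and browsers running WhatsApp Web).
MESSAGING_PARENTS = {"whatsapp.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe"}


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process create) record."""
    image: str          # full path of the new process
    cmdline: str
    parent_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def msi_package(cmdline: str) -> str:
    """Return the .msi path passed to msiexec, quoted or not, or '' if none."""
    m = re.search(r'"([^"]+\.msi)"|(\S+\.msi)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else ""


def script_argument(cmdline: str) -> str:
    """Return the first .py/.pyw argument on an interpreter command line, or ''."""
    m = re.search(r'"([^"]+\.pyw?)"|(\S+\.pyw?)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else ""


def assess(ev: ProcEvent) -> list[str]:
    """Heuristics for the delivery stage (MSI) and the worm stage (Python)."""
    findings = []
    name, parent = basename(ev.image), basename(ev.parent_image)
    if name == "msiexec.exe":
        pkg = msi_package(ev.cmdline)
        if pkg and USER_WRITABLE.match(pkg):
            findings.append(f"msiexec installing package from user-writable path: {pkg}")
        if parent in MESSAGING_PARENTS:
            findings.append(f"msiexec launched directly by {parent}")
    elif name in INTERPRETERS:
        if USER_WRITABLE.match(ev.image):
            findings.append(f"Python interpreter running from user-writable path: {ev.image}")
        script = script_argument(ev.cmdline)
        if script and USER_WRITABLE.match(script):
            findings.append(f"Python script from user-writable path: {script}")
        if parent == "msiexec.exe":
            findings.append("interpreter spawned by Windows Installer (custom action)")
    return findings


def scan(events):
    """Map event index -> findings for every event that tripped a heuristic."""
    return {i: f for i, ev in enumerate(events) if (f := assess(ev))}


# Constructed sample events (not real telemetry): the first two mirror the
# delivery chain described on this page, the last two are benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\Invoice Nov.msi"',
              r"C:\Program Files\WhatsApp\WhatsApp.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Roaming\SyncSvc\pythonw.exe",
              r'pythonw.exe "C:\Users\alice\AppData\Roaming\SyncSvc\sync.pyw"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\ProgramData\Deploy\7zip.msi /qn",
              r"C:\Windows\CCM\CcmExec.exe"),
    ProcEvent(r"C:\Python312\python.exe",
              r"python.exe C:\Users\bob\Documents\report.py",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}:")
        for hit in hits:
            print("   ", hit)
```

The first sample trips two heuristics (package in Downloads, parent is WhatsApp Desktop) and the second trips three (interpreter and script under AppData, spawned by msiexec), while the managed deployment and the developer's script in Documents produce nothing. In production these checks belong in the EDR or SIEM rule language, but the logic is the same: key on the path the package or script runs from and on who launched it, not on the language the payload was compiled in.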
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Source Type
  - Subreddit: InfoSecNews
  - Reddit Score: 1
  - Discussion Level: minimal
  - Content Source: reddit_link_post
  - Domain: cyberdigests.com
  - Newsworthiness Assessment: {"score":36.1,"reasons":["external_link","newsworthy_keywords:trojan,banking trojan,campaign","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["trojan","banking trojan","campaign"],"foundNonNewsworthy":[]}
  - Has External Source: true
  - Trusted Domain: false
Threat ID: 691f04a4d820e5151fbc3c0b
Added to database: 11/20/2025, 12:08:04 PM
Last enriched: 11/20/2025, 12:08:21 PM
Last updated: 11/21/2025, 7:14:19 PM