
WhatsApp malware campaign delivers VBScript and MSI backdoors

Medium
Published: Tue Mar 31 2026 (03/31/2026, 16:35:36 UTC)
Source: AlienVault OTX General

Description

A sophisticated malware campaign targeting WhatsApp users has been observed since February 2026. The attack chain begins with malicious Visual Basic Script files sent via WhatsApp messages, which, when executed, initiate a multi-stage infection process. The malware uses renamed Windows utilities, retrieves payloads from trusted cloud services, and installs malicious MSI packages. The campaign employs social engineering, stealth techniques, and cloud-based payload hosting to establish persistence and escalate privileges on victim systems. The attackers utilize legitimate tools and trusted platforms to reduce visibility and increase the likelihood of successful execution. The final stage involves the delivery of unsigned MSI installers that enable remote access to compromised systems.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/31/2026, 18:54:09 UTC

Technical Analysis

This malware campaign uses WhatsApp as its delivery vector, sending malicious Visual Basic Script (VBS) files to users. Upon execution, the VBS starts a multi-stage infection chain. The malware runs renamed Windows utilities to evade signature-based detection and downloads additional payloads hosted on trusted cloud platforms, which complicates network-based detection. It then installs unsigned, malicious MSI packages that act as backdoors, providing remote access and persistence on the victim machine. Social engineering is used to convince users to execute the initial VBS file, exploiting the trust users place in WhatsApp communications. Privilege escalation is achieved through User Account Control (UAC) bypass techniques, allowing the malware to gain elevated rights without triggering alerts. The reliance on legitimate Windows tools and trusted cloud services reduces the likelihood of detection by traditional security solutions. The campaign also includes persistence mechanisms, such as MSI packages that execute on system startup or via scheduled tasks. Indicators of compromise consist of numerous file hashes associated with the VBS and MSI payloads. The attack chain aligns with MITRE ATT&CK techniques including T1566 (Phishing), T1204.002 (User Execution: Malicious File), T1548.002 (UAC Bypass), T1543.003 (Windows Service), T1053 (Scheduled Task), T1055 (Process Injection), and T1078 (Valid Accounts). No CVE or known exploits in the wild are currently associated with this campaign, but its complexity and stealth make it a significant threat to Windows users receiving WhatsApp messages.

Potential Impact

The campaign poses a significant risk to organizations and individuals using WhatsApp on Windows platforms. Successful infection can lead to unauthorized remote access, allowing attackers to exfiltrate sensitive data, deploy additional malware, or move laterally within networks. The use of trusted cloud services for payload delivery complicates detection and response efforts. Privilege escalation and persistence mechanisms increase the difficulty of eradication, potentially leading to prolonged compromise. The social engineering component increases the likelihood of user execution, especially in environments where WhatsApp is widely used for communication. Organizations may experience data breaches, operational disruption, and reputational damage. The campaign's stealth techniques reduce visibility, increasing the risk of unnoticed infiltration. Although no widespread exploitation is reported yet, the campaign's sophistication suggests it could be leveraged for targeted attacks against high-value entities or broad opportunistic campaigns.

Mitigation Recommendations

1. Educate users about the risks of executing unsolicited or unexpected files received via WhatsApp or other messaging platforms, emphasizing caution with VBS and MSI files.
2. Implement application whitelisting to prevent execution of unsigned MSI installers and unauthorized scripts.
3. Deploy endpoint detection and response (EDR) solutions capable of detecting suspicious use of renamed Windows utilities and anomalous script execution.
4. Monitor network traffic for unusual connections to cloud service providers that may indicate payload retrieval.
5. Enforce strict User Account Control (UAC) policies and monitor for UAC bypass attempts.
6. Use multi-factor authentication (MFA) to protect accounts that could be leveraged for lateral movement.
7. Regularly audit scheduled tasks, services, and startup items for unauthorized changes.
8. Block or restrict the use of scripting environments like Windows Script Host (WSH) where not necessary.
9. Maintain up-to-date antivirus and antimalware signatures and heuristics tuned to detect script-based threats.
10. Establish incident response procedures to quickly isolate and remediate infected systems upon detection.
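Recommendations 3 and 8 above translate into concrete process-creation detections. The following is an added example, not part of the AlienVault pulse or the Microsoft report it references: it runs three rules over constructed Sysmon-style process-creation records (the `Image`, `OriginalFileName` and `CommandLine` fields are real Sysmon Event ID 1 fields; the event values, the watch-list of utility names and the user-writable path markers are assumptions chosen for illustration). The rules flag a Windows utility whose PE `OriginalFileName` does not match the name it runs under on disk, a script host executing a `.vbs` from a user-writable or messaging-client path, and `msiexec` installing a package from such a path.

```python
"""Flag process-creation events matching the behaviours in the report (example detections)."""
import ntpath
from dataclasses import dataclass

# Assumed watch-list: utilities the campaign is reported to run under a renamed file.
WATCHED_ORIGINAL_NAMES = {
    "wscript.exe", "cscript.exe", "msiexec.exe", "powershell.exe",
    "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed path fragments that an end user or a chat client can write to.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\whatsapp")


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str


def _disk_name(image: str) -> str:
    """Name the binary runs under on disk, lower-cased for comparison."""
    return ntpath.basename(image).lower()


def _touches_user_writable_path(text: str) -> bool:
    """True if any assumed user-writable marker appears in a path or command line."""
    lowered = text.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def analyse_event(event: dict) -> list:
    """Apply the three rules to one Sysmon-style process-creation record."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    findings = []
    # Rule 1: a watched utility whose version-info name differs from its on-disk name.
    if original in WATCHED_ORIGINAL_NAMES and original != _disk_name(image):
        findings.append(Finding("renamed-windows-utility", image, cmd))
    # Rule 2: a script host running a .vbs that lives in a user-writable location.
    if original in SCRIPT_HOSTS and ".vbs" in cmd.lower() and _touches_user_writable_path(cmd):
        findings.append(Finding("script-host-runs-vbs-from-user-path", image, cmd))
    # Rule 3: msiexec installing a package from a user-writable location.
    if original == "msiexec.exe" and ".msi" in cmd.lower() and _touches_user_writable_path(cmd):
        findings.append(Finding("msi-install-from-user-writable-path", image, cmd))
    return findings


def analyse_events(events) -> list:
    """Run every rule over a sequence of records and collect the findings."""
    return [f for ev in events for f in analyse_event(ev)]


# Constructed sample records; none of these paths or names come from the report.
SAMPLE_EVENTS = [
    {   # msiexec copied to a temp directory under another name and used to install an MSI
        "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
        "OriginalFileName": "msiexec.exe",
        "CommandLine": r"svc.exe /i C:\Users\alice\AppData\Local\Temp\update.msi /qn",
    },
    {   # wscript launched on a .vbs saved from a chat client
        "Image": r"C:\Windows\System32\wscript.exe",
        "OriginalFileName": "wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\WhatsApp Files\invoice.vbs"',
    },
    {   # benign: a vendor installer run from Program Files
        "Image": r"C:\Windows\System32\msiexec.exe",
        "OriginalFileName": "msiexec.exe",
        "CommandLine": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi"',
    },
    {   # benign: an unwatched binary
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe",
    },
]

if __name__ == "__main__":
    for finding in analyse_events(SAMPLE_EVENTS):
        print(f"{finding.rule}: {finding.image} :: {finding.command_line}")
```

In production the same three rules are better expressed in the EDR or SIEM query language, but the logic is the same: compare `OriginalFileName` against the on-disk name, and treat script hosts and `msiexec` as higher-risk when their arguments point into user-writable directories. Tune `USER_WRITABLE_MARKERS` and the watch-list to the environment before relying on the rules.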


Technical Details

Author
AlienVault
TLP
white
References
https://www.microsoft.com/en-us/security/blog/2026/03/31/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors/
Adversary
null
Pulse Id
69cbf7d8bafcc9a4dafa7cb2
Threat Score
null

Indicators of Compromise

Hash

Type  Value
hash  1304f43c5fddcf664ba0f068a5a7bc18
hash  2d9ef700fb9ce1550ca73f50428fef87
hash  3466746d84501cb07a9833057e835565
hash  1fb0cb93de16671e3d4123438147549b47d10fdc
hash  68e6071ec9210bce297d30c209ddf4026fd5a4f1
hash  c8e5795f32b3c9d94b8aa3811fe3f61725fa5869
hash  07c6234b02017ffee2a1740c66e84d1ad2d37f214825169c30c50a0bc2904321
hash  15a730d22f25f87a081bb2723393e6695d2aab38c0eafe9d7058e36f4f589220
hash  1735fcb8989c99bc8b9741f2a7dbf9ab42b7855e8e9a395c21f11450c35ebb0c
hash  1f726b67223067f6cdc9ff5f14f32c3853e7472cebe954a53134a7bae91329f0
hash  22b82421363026940a565d4ffbb7ce4e7798cdc5f53dda9d3229eb8ef3e0289a
hash  57bf1c25b7a12d28174e871574d78b4724d575952c48ca094573c19bdcbb935f
hash  5cd4280b7b5a655b611702b574b0b48cd46d7729c9bbdfa907ca0afa55971662
hash  5eaaf281883f01fb2062c5c102e8ff037db7111ba9585b27b3d285f416794548
hash  613ebc1e89409c909b2ff6ae21635bdfea6d4e118d67216f2c570ba537b216bd
hash  630dfd5ab55b9f897b54c289941303eb9b0e07f58ca5e925a0fa40f12e752653
hash  91ec2ede66c7b4e6d4c8a25ffad4670d5fd7ff1a2d266528548950df2a8a927a
hash  a2b9e0887751c3d775adc547f6c76fea3b4a554793059c00082c1c38956badc8
hash  a773bf0d400986f9bcd001c84f2e1a0b614c14d9088f3ba23ddc0c75539dc9e0
hash  c9e3fdd90e1661c9f90735dc14679f85985df4a7d0933c53ac3c46ec170fdcfd
hash  dc3b2db1608239387a36f6e19bba6816a39c93b6aa7329340343a2ab42ccd32d
hash  df0136f1d64e61082e247ddb29585d709ac87e06136f848a5c5c84aa23e664a0

Threat ID: 69cc1498e6bfc5ba1d3022ed

Added to database: 3/31/2026, 6:38:16 PM

Last enriched: 3/31/2026, 6:54:09 PM

Last updated: 4/1/2026, 3:50:58 AM
