WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks
Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp. According to a report from CyberProof, both malware strains are written in .NET, target Brazilian users and banks, and share identical functionality to decrypt, target banking URLs, and monitor banking applications.
AI Analysis
Technical Summary
The Maverick malware campaign represents an evolution of the previously known Coyote banking trojan, both written in .NET and targeting Brazilian financial institutions. Maverick propagates primarily through WhatsApp Web by hijacking browser sessions using automation tools like ChromeDriver and Selenium.

The infection starts when a user downloads and extracts a ZIP archive containing a Windows shortcut that triggers PowerShell scripts to disable Microsoft Defender and User Account Control (UAC), then downloads a .NET loader with anti-analysis features. This loader fetches the main malware modules: SORVEPOTEL, a self-propagating component, and Maverick itself. The malware monitors active browser tabs for URLs of targeted banks and, upon detection, communicates with a remote server to execute phishing attacks and credential theft. It restricts infection to Brazilian systems by checking locale settings.

SORVEPOTEL automates WhatsApp Web sessions by copying legitimate Chrome profile data, including cookies and authentication tokens, allowing it to send malicious ZIP files to all contacts without triggering WhatsApp’s security measures or requiring QR code re-authentication.

The malware uses a sophisticated email-based command-and-control (C2) infrastructure, connecting to attacker-controlled email accounts via IMAP to receive commands, enhancing stealth and resilience. Commands include system information gathering, file operations, process management, and remote control functions.

The campaign’s focus on Brazil leverages WhatsApp’s massive user base there, enabling rapid spread and targeted attacks on banking customers and potentially other sectors such as hospitality. The malware’s modular design, stealth techniques, and multi-vector persistence mechanisms make it a potent threat within its targeted ecosystem.
Potential Impact
For European organizations, the direct impact of Maverick is currently limited due to its strict targeting of Brazilian systems based on locale and language checks. However, European financial institutions with Brazilian clients or subsidiaries could face indirect risks if the malware evolves or spreads beyond its current geographic focus. The use of WhatsApp Web for propagation highlights the risk of social engineering and lateral spread through trusted communication channels, which are widely used in Europe as well. If threat actors adapt Maverick’s techniques to European languages and banking URLs, the malware could pose a significant threat to European banks and their customers. Additionally, the malware’s ability to disable security controls and establish persistent, stealthy backdoors could facilitate further attacks such as data theft, fraud, and ransomware deployment. The use of email-based C2 infrastructure complicates detection and response, potentially allowing prolonged undetected presence in networks. European organizations should be aware of the evolving tactics leveraging legitimate applications and browser profiles to bypass traditional security measures.
Mitigation Recommendations
- Implement advanced endpoint detection and response (EDR) solutions capable of detecting suspicious PowerShell and VBScript activity, especially activity attempting to disable security features like Microsoft Defender and UAC.
- Monitor and restrict the use of automation tools such as ChromeDriver and Selenium on endpoints to help prevent browser session hijacking.
- Include filtering and monitoring of unusual IMAP traffic and connections to suspicious email accounts used for C2 communications in network defenses.
- Run user education campaigns that emphasize the risks of opening unsolicited ZIP files and the dangers of malware propagation through trusted messaging platforms like WhatsApp.
- Enforce strict application control policies to prevent execution of unauthorized scripts and binaries, and employ behavioral analytics to detect anomalous browser profile copying or session hijacking attempts.
- Enforce multi-factor authentication (MFA) on all email and critical system accounts to hinder attacker access to C2 infrastructure.
- Collaborate with local and international threat intelligence sharing communities, which can provide early warnings if the malware expands beyond Brazil.
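The first three recommendations describe behaviours that can be expressed as host-telemetry rules. The script below is an added example, not code from the page, from CyberProof or from the Maverick report: it runs a handful of heuristic rules over constructed Sysmon-style process-creation and network-connection lines. The `Key=Value|Key=Value` layout, the sample file paths, and the mail-client allowlist are assumptions made for the example; the field names mirror Sysmon's `Image`, `ParentImage`, `CommandLine` and `DestinationPort`, the Defender rule matches the documented `Set-MpPreference`/`Add-MpPreference` cmdlets, the UAC rule matches writes to the `EnableLUA` and `ConsentPromptBehaviorAdmin` policy values, and the browser-automation rule keys on ChromeDriver as a parent process and on Chrome's `--remote-debugging-port` and `--user-data-dir` flags.

```python
"""Heuristic detections for the endpoint behaviours listed in the mitigation section.

Added example; events below are constructed, not captured from a real infection.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int
    detail: str


# Constructed sample events in a simplified Sysmon-like "Key=Value|Key=Value" layout.
SAMPLE_PROCESS_EVENTS = [
    # 0. Hidden PowerShell launched from a shortcut (parent explorer.exe) disabling Defender.
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=powershell.exe -nop -w hidden -c \"Set-MpPreference -DisableRealtimeMonitoring $true\"",
    # 1. UAC policy tampering through reg.exe spawned by PowerShell.
    "Image=C:\\Windows\\System32\\reg.exe"
    "|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f",
    # 2. Chrome driven by ChromeDriver (assumed path) with a copied profile in a temp folder.
    "Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\chromedriver.exe"
    "|CommandLine=chrome.exe --remote-debugging-port=0 --user-data-dir=C:\\Users\\alice\\AppData\\Local\\Temp\\wa_profile",
    # 3. Chrome with remote debugging and a non-default profile, parent is an unknown binary (assumed path).
    "Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|ParentImage=C:\\Users\\alice\\AppData\\Roaming\\UpdateSvc\\loader.exe"
    "|CommandLine=chrome.exe --remote-debugging-port=9222 --user-data-dir=C:\\Users\\alice\\AppData\\Local\\Temp\\wa_profile",
    # 4. Benign: user opens Chrome normally with the default profile directory.
    "Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=chrome.exe --user-data-dir=\"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\"",
    # 5. Benign: visible, interactive PowerShell.
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=powershell.exe -NoExit -Command Get-Process",
]

SAMPLE_NETWORK_EVENTS = [
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|DestinationPort=993",
    "Image=C:\\Users\\alice\\AppData\\Roaming\\UpdateSvc\\loader.exe|DestinationPort=993",
    "Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|DestinationPort=443",
]

# Defender tampering: Set-/Add-MpPreference with any -Disable* or -Exclusion* switch.
DEFENDER_TAMPER = re.compile(r"\b(Set|Add)-MpPreference\b.*?-(Disable\w*|Exclusion\w*)", re.I)
# UAC tampering: reg add or Set-/New-ItemProperty touching the UAC policy values.
UAC_TAMPER = re.compile(r"(reg(\.exe)?\s+add|(Set|New)-ItemProperty)\b.*?\b(EnableLUA|ConsentPromptBehaviorAdmin)\b", re.I)
# Hidden window or a long encoded command, typical of shortcut-launched PowerShell.
HIDDEN_PS = re.compile(r"-(w|win|windowstyle)\s+hidden\b|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
USER_DATA_DIR = re.compile(r'--user-data-dir=("[^"]+"|\S+)', re.I)
DEFAULT_PROFILE = re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data", re.I)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist; tune per environment
IMAP_PORTS = {"143", "993"}


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict; values may themselves contain '='."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def browser_automation_detail(ev: dict):
    """Return a reason string if the event looks like driven (non-interactive) Chrome."""
    if "chromedriver.exe" in (basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))):
        return "chromedriver.exe in process chain"
    cmd = ev.get("CommandLine", "")
    if "--remote-debugging-port" in cmd.lower():
        m = USER_DATA_DIR.search(cmd)
        if m and not DEFAULT_PROFILE.search(m.group(1)):
            return f"remote debugging with non-default profile {m.group(1)}"
    return None


def scan_process_events(lines) -> list:
    findings = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        if DEFENDER_TAMPER.search(cmd):
            findings.append(Finding("defender-tamper", i, cmd))
        if UAC_TAMPER.search(cmd):
            findings.append(Finding("uac-tamper", i, cmd))
        if (basename(ev.get("Image", "")) in {"powershell.exe", "pwsh.exe"}
                and basename(ev.get("ParentImage", "")) == "explorer.exe" and HIDDEN_PS.search(cmd)):
            findings.append(Finding("hidden-powershell-from-explorer", i, cmd))
        reason = browser_automation_detail(ev)
        if reason:
            findings.append(Finding("browser-automation", i, reason))
    return findings


def scan_network_events(lines) -> list:
    """Flag IMAP connections from anything that is not an allowlisted mail client."""
    findings = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        if ev.get("DestinationPort") in IMAP_PORTS and image not in MAIL_CLIENTS:
            findings.append(Finding("imap-from-non-mail-client", i, image))
    return findings


if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_PROCESS_EVENTS) + scan_network_events(SAMPLE_NETWORK_EVENTS):
        print(f"[{f.rule}] event {f.event_index}: {f.detail}")
```

On the constructed input the process scan raises five findings (two on the shortcut-launched PowerShell, one each on the UAC write and the two driven Chrome launches) and the network scan one, while the two benign events stay silent. Against real telemetry the parser would be swapped for the EDR's own event schema, and the mail-client allowlist and the hidden-window heuristic would need tuning to the environment's legitimate automation and scripting.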
Affected Countries
Portugal, Spain, Italy, France, Germany, United Kingdom
Technical Details
- Article Source: https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html (fetched 2025-11-12T01:02:56Z, 1791 words)
Threat ID: 6913dcc3385fb4be45906327
Added to database: 11/12/2025, 1:02:59 AM
Last enriched: 11/12/2025, 1:03:14 AM
Last updated: 11/14/2025, 7:19:36 AM
Views: 34