WhatsApp Security Vulnerabilities Exploited by New Worm

Published: November 20, 2025
Category: Hot Technology Sectors

Full Transcript

Cybersecurity researchers have recently uncovered a new worm that exploits WhatsApp to distribute malware, specifically a Delphi-based banking trojan known as Eternidade Stealer, primarily targeting users in Brazil.

According to a report from The Hacker News, this campaign employs a combination of social engineering and WhatsApp hijacking, utilizing a Python script to hijack accounts and spread malicious attachments.

Researchers from Trustwave SpiderLabs noted that this represents a shift from previous PowerShell-based scripts, indicating an evolution in the tactics employed by threat actors. The malware uses the Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control addresses, allowing attackers to maintain control over the distributed malware.

The infection starts with an obfuscated Visual Basic Script that, once executed, triggers a batch script to deliver two payloads. One payload is a Python script that disseminates the malware via WhatsApp Web, while the other is an MSI installer that uses an AutoIt script to launch the Eternidade Stealer.

This Python script harvests the victim's entire contact list, sending details such as WhatsApp phone numbers and names back to the attacker-controlled server, which allows for mass distribution of malicious attachments to contacts.

The MSI installer also checks if the compromised system is based in Brazil, reflecting a hyper-localized targeting approach. Once installed, Eternidade Stealer monitors active windows for strings related to banking and cryptocurrency applications, so the malware activates only in relevant contexts, which can help it evade detection.
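For defenders, the process lineage described above (a script host launching a batch stage that starts both a Python process and an MSI install) can be hunted in process-creation telemetry. The sketch below is an added example, not code from the Trustwave report or from the campaign; the event fields and the sample events are constructed for illustration.

```python
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # run Visual Basic Script files
SHELLS = {"cmd.exe"}                            # runs the batch stage
PYTHON = {"python.exe", "pythonw.exe"}
INSTALLERS = {"msiexec.exe"}

# Constructed process-creation events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe"},   # user opens a .vbs file
    {"pid": 210, "ppid": 200, "image": "cmd.exe"},       # batch script stage
    {"pid": 220, "ppid": 210, "image": "python.exe"},    # first payload
    {"pid": 230, "ppid": 210, "image": "msiexec.exe"},   # second payload
    {"pid": 300, "ppid": 100, "image": "cmd.exe"},       # benign developer shell
    {"pid": 310, "ppid": 300, "image": "python.exe"},
]

def descendants(pid, children, seen):
    # Walk the process tree below pid; 'seen' guards against pid loops.
    for child in children.get(pid, []):
        if child["pid"] not in seen:
            seen.add(child["pid"])
            yield child
            yield from descendants(child["pid"], children, seen)

def find_chains(events):
    # Flag cmd.exe started by a script host whose subtree runs Python and/or msiexec.
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    alerts = []
    for shell in events:
        parent = by_pid.get(shell["ppid"])
        if (shell["image"].lower() not in SHELLS or parent is None
                or parent["image"].lower() not in SCRIPT_HOSTS):
            continue
        tree = descendants(shell["pid"], children, {shell["pid"]})
        images = {d["image"].lower() for d in tree}
        payloads = images & (PYTHON | INSTALLERS)
        if payloads:
            both = bool(payloads & PYTHON) and bool(payloads & INSTALLERS)
            alerts.append({"script_host_pid": parent["pid"], "shell_pid": shell["pid"],
                           "severity": "high" if both else "medium",
                           "payloads": sorted(payloads)})
    return alerts

if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))
```

Only the subtree rooted at the script host is flagged; the developer shell started from explorer.exe running Python is ignored, which keeps the rule usable on workstations where Python is common.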

Trustwave emphasized the potential for this malware to have a broader operational footprint beyond Brazil. In a related discovery, researchers from the University of Vienna and SBA Research revealed a significant privacy vulnerability in WhatsApp's contact discovery mechanism, which allowed for the enumeration of 3.5 billion accounts, highlighting ongoing security challenges in popular communication platforms.

This vulnerability, which has since been mitigated by Meta, underscores the risks associated with centralized messaging services and the importance of continuous security research. The researchers demonstrated that this flaw could be exploited to query over 100 million phone numbers per hour, allowing them to map user data worldwide.

Although no personal message content was accessed due to WhatsApp's end-to-end encryption, the study showcased how metadata could still pose privacy risks. Nitin Gupta, Vice President of Engineering at WhatsApp, confirmed that user messages remained secure, and the data collected during the research was responsibly deleted.

These developments highlight the necessity for users to be vigilant against social engineering tactics and to ensure that their personal devices are adequately secured against emerging threats.
