Malicious VBScript Campaign on WhatsApp Targeting Global Users
This brief highlights a malware campaign involving the distribution of malicious VBScript files via WhatsApp, with significant activity observed in multiple countries, particularly Malaysia. The campaign appears to exploit the trust of users by masquerading as business-related documents, repeating the trend of social engineering through familiar communication channels.
The campaign primarily targets users of WhatsApp Desktop and WhatsApp Web. Victims receive straightforward direct messages containing only the malicious attachment, increasing the likelihood of interaction. Once the file is executed, it initiates a multi-stage infection chain, ultimately leading to the installation of Remote Monitoring and Management (RMM) software.
Notably, the VBScript files utilized in this attack often feature names that resemble legitimate financial documents, such as “Financial Reports.vbs” and “Account Statement.vbs,” with many files localized in various languages. This strategy underlines a calculated effort to exploit geographical and linguistic factors to widen the pool of potential victims.
Delivery mechanisms for the VBScript include execution through Windows Script Host (WScript.exe) following user interactions in both WhatsApp applications. This process confirms the direct execution from WhatsApp Desktop and indicates that users must undertake two interaction steps to initiate the infection, which makes them more likely to trust the files they receive.
Defensive Context
This campaign poses a significant threat to users of WhatsApp, especially individuals and small organizations that may not have comprehensive security measures against such social engineering tactics. It’s particularly relevant for environments where remote access tools are misused, as RMM tools can provide extensive system control beneficial to adversaries.
Why This Matters
Entities that frequently rely on remote support tools should particularly scrutinize their user communication policies. The potential for widespread infection through trusted platforms like WhatsApp is alarming; users may be uniquely vulnerable to these tactics due to the relatively informal context of chat applications.
Defender Considerations
Defenders should monitor for unusual activity related to WhatsApp communications, emphasizing vigilance against unexpected file attachments. Understanding the delivery mechanisms of similar scripts can aid in identifying potential threats early.
Indicators of Compromise (IOCs)
-
VBScript file hashes:
- c7f38cbb99c8b74fa0465293feeba700 (Financial Reports.vbs)
- b7cd06c71465038b658a6dc1f273a507 (Debt confirmation.vbs)
-
IP Addresses associated with RMM software installations:
- 202.61.160.208
- 202.61.160.202
- 202.61.160.201
-
Domains associated with malicious infrastructure:
- temu.baskwms.top
- invoice.ms
This campaign highlights the evolving nature of malware distribution through social engineering, emphasizing the importance of security awareness in communication practices.
