WhatsApp Malware Campaign Targets Brazil with Eternidade Stealer

Sophisticated WhatsApp Malware Campaign Hits Brazilian Users

A dangerous new malware campaign is exploiting WhatsApp to distribute the Eternidade Stealer banking trojan throughout Brazil, according to recent findings from Trustwave SpiderLabs researchers. This sophisticated attack represents a significant evolution in Brazilian cybercrime tactics, using advanced social engineering methods and automated message propagation to compromise financial credentials and personal information.

How the Malware Attack Operates

The attack begins with an obfuscated Visual Basic Script that delivers two separate payloads: a Python-based WhatsApp worm and an MSI installer containing the Delphi-built Eternidade Stealer. The Python component specifically hijacks WhatsApp Web sessions by leveraging the open-source WPPConnect project, harvesting victims' complete contact lists while carefully filtering out groups and business accounts.

The malware then automatically sends malicious attachments to all contacts, using time-based greetings and personalized names to appear legitimate and increase the likelihood of victims opening the dangerous files. This automated propagation method makes the threat particularly dangerous as it can spread rapidly through personal networks.

Evading Detection and Targeting Specific Victims

According to Trustwave SpiderLabs, the stealer employs Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control server addresses from a terra.com.br email inbox. This technique enables attackers to continuously update their infrastructure and avoid detection or takedowns, mirroring tactics recently observed in the Water Saci campaign.

The malware specifically targets Brazilian users and includes a self-termination feature if the operating system language isn't set to Brazilian Portuguese. Once active, it monitors numerous banking portals, payment services, and cryptocurrency platforms including Bradesco, BTG Pactual, MercadoPago, Binance, and MetaMask.

When these targeted applications are detected, the stealer deploys custom credential-harvesting overlays designed to capture sensitive financial information from unsuspecting users.

Geographical Reach and Global Implications

Analysis of the threat actor's infrastructure revealed strict geofencing that permits only Brazilian and Argentine connections, with blocked attempts redirected to a Google error page. Despite this regional focus, Trustwave documented 454 connection attempts from 38 different countries, with the United States accounting for 196 connections alone.

While it remains unclear whether the malware has spread to other countries in a significant way, the international connection attempts demonstrate the potential for wider impact. Brazil is one of Meta-owned WhatsApp's largest markets, which makes this threat particularly concerning for the region's digital security landscape.

Security researchers emphasize that defenders should monitor for suspicious WhatsApp activity and unexpected MSI or script executions, and should remain vigilant against this evolving threat to Latin American financial institutions. The campaign highlights the growing sophistication of regional cybercrime operations and the need for stronger security measures across popular messaging platforms.
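The delivery chain described above (an obfuscated VBScript that launches a Python-based worm and an MSI installer) leaves a recognisable parent/child pattern in process-creation telemetry. The following script is an added example, not code from the original article or from Trustwave SpiderLabs: it parses constructed, Sysmon-style `key=value` log lines and flags the events a defender would want surfaced: a Windows script host running a script from a user-writable folder, a script host spawning a Python interpreter or `msiexec.exe`, and `msiexec.exe` installing a package from a user-writable path. The log format, the sample paths and the pid values are all assumptions made for this example.

```python
import re

# Process names from the campaign's delivery chain as described in the article.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe"}
INSTALLER = "msiexec.exe"

# Assumed pattern for folders an ordinary user can write to (not exhaustive).
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData)\\", re.IGNORECASE)

# key=value tokens; a quoted value may contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry (hypothetical host names, paths and pids).
# Lines 1-3 imitate the VBS -> Python worm / MSI chain; lines 4-5 are benign.
SAMPLE_LOG = r"""
ts=2025-11-18T10:01:02 event=ProcessCreate pid=4120 ppid=3300 image=C:\Windows\System32\wscript.exe parent=C:\Windows\explorer.exe cmdline="wscript.exe C:\Users\ana\Downloads\documento.vbs"
ts=2025-11-18T10:01:05 event=ProcessCreate pid=4210 ppid=4120 image=C:\Users\ana\AppData\Local\Temp\py\pythonw.exe parent=C:\Windows\System32\wscript.exe cmdline="pythonw.exe worm.py"
ts=2025-11-18T10:01:07 event=ProcessCreate pid=4310 ppid=4120 image=C:\Windows\System32\msiexec.exe parent=C:\Windows\System32\wscript.exe cmdline="msiexec.exe /i C:\Users\ana\AppData\Local\Temp\update.msi /qn"
ts=2025-11-18T10:02:11 event=ProcessCreate pid=4400 ppid=3300 image=C:\Users\ana\AppData\Local\Google\Chrome\Application\chrome.exe parent=C:\Windows\explorer.exe cmdline="chrome.exe"
ts=2025-11-18T10:03:00 event=ProcessCreate pid=4500 ppid=900 image=C:\Windows\System32\msiexec.exe parent=C:\Windows\System32\services.exe cmdline="msiexec.exe /V"
"""


def parse_event(line):
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons this process-creation event is suspicious."""
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    reasons = []
    # Stage 1: a script host executing a script that lives under the user profile,
    # e.g. an attachment saved from a messaging app.
    if image in SCRIPT_HOSTS and USER_WRITABLE.search(cmdline):
        reasons.append("script host running a script from a user-writable path")
    # Stage 2: the script host hands off to a Python interpreter (the worm).
    if parent in SCRIPT_HOSTS and image in INTERPRETERS:
        reasons.append("script host spawned a Python interpreter")
    # Stage 2: the script host invokes the Windows Installer (the stealer's MSI).
    if parent in SCRIPT_HOSTS and image == INSTALLER:
        reasons.append("script host spawned msiexec")
    # Any msiexec run whose package sits in a user-writable folder is worth a look,
    # regardless of parent; service-initiated repairs (no such path) stay quiet.
    if image == INSTALLER and USER_WRITABLE.search(cmdline):
        reasons.append("msiexec installing a package from a user-writable path")
    return reasons


def scan(log_text):
    """Map pid -> reasons for every ProcessCreate event that triggers a rule."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("event") != "ProcessCreate":
            continue
        reasons = classify(event)
        if reasons:
            findings[int(event["pid"])] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_LOG).items():
        print(pid, "->", "; ".join(reasons))
```

Run against the constructed sample, the three chain events (pids 4120, 4210, 4310) are flagged while the Chrome launch and the service-initiated `msiexec.exe /V` are not. In a real deployment the `parent` and `image` fields would come from Sysmon Event ID 1 (or the EDR equivalent), and the user-writable pattern should be tuned to the environment so that legitimate per-user installers do not drown the signal.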