Full Report
The threat actor known as Water Saci is actively evolving its tactics, switching to a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate a worm that deploys a banking trojan via WhatsApp in attacks targeting users in Brazil. The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the
Analysis Summary
# Threat Actor: Water Saci
## Attribution & Identity
* **Identification:** Threat actor known as Water Saci.
* **Known Aliases/Associations:** Not explicitly detailed in context, but associated with Latin American (LATAM) banking trojan activities, with overlap in techniques seen in actors like Casbaneiro.
## Activity Summary
Water Saci is actively evolving its operations, shifting to a sophisticated, highly layered infection chain. The primary goal of recent activity is the mass propagation of a banking trojan via WhatsApp, targeting users in Brazil. The latest observed wave shows a technical shift from PowerShell-based propagation to a more resilient and faster Python-based variant that spreads malware in a worm-like manner over WhatsApp Web.
## Tactics, Techniques & Procedures
* **Infection Chain:** Highly layered approach utilizing a multi-format delivery mechanism (HTA files and PDFs).
* **Initial Access/Lure:**
* **PDF Lure:** Victims receive malicious PDFs instructing them to update Adobe Reader via an embedded link.
* **HTA Execution:** Opening HTA files executes a Visual Basic Script (VBS) which then runs PowerShell commands to fetch subsequent payloads.
* **Payload Delivery Method:** Previously used PowerShell; the latest variant utilizes a **Python script** for spreading malware via WhatsApp Web, enabling broader browser compatibility and faster automation.
* **Worm Functionality:** Malware spreads in a worm-like manner over **WhatsApp Web**.
* **Staging/Execution:** Payloads are fetched from a remote server, including an MSI installer and the Python propagation script.
* **Trojan Deployment:** The MSI installer delivers the banking trojan using an **AutoIt script**.
* **Persistence/Anti-Re-infection:** AutoIt script checks for a marker file named "executed.dat" to ensure only one instance of the trojan runs.
* **Command and Control (C2):** The malware communicates with an attacker-controlled server at "manoelimoveiscaioba[.]com".
* **Geographic Verification:** The AutoIt script checks if the system language is set to Portuguese (Brazil) before proceeding with banking checks.
* **Evasion/Infection:** The malware inspects the victim's browsing history for targeted banking websites (Santander, Banco do Brasil, etc.) and checks for installed antivirus/security software.
* **Core Theft Mechanism:** Monitors open window titles against a hard-coded list of banks, payment platforms, exchanges, and crypto wallets.
* **Final Payload Injection:** A TDA file is located, decrypted, and injected into a hollowed **"svchost.exe"** process. Alternatively, if the TDA file is absent, the banking trojan (contained in a DMP file) is loaded directly into the AutoIt process memory.
* **Technology Shift:** Moving from PowerShell to Python for propagation scripts exemplifies a layered approach to bypass conventional security controls.
## Targeting
* **Sectors:** Financial/Banking sector victims who use specific Brazilian banking applications.
* **Geography:** Users located in **Brazil**.
* **Victims:** Users of banking applications/services, including but not limited to: Bradesco, Sicoob, Itaú, Santander, Banco do Brasil, Caixa Econômica Federal, and Sicredi.
## Tools & Infrastructure
* **Malware Families Used:** Banking Trojan, AutoIt script (loader/helper), Python script (spreader), MSI installer.
* **Infrastructure:** C2 domain: manoelimoveiscaioba[.]com.
## Implications
Water Saci demonstrates continuous evolution by adopting Python for malware propagation, which enhances resilience, speed, and maintainability of attacks. The use of highly trusted social media channels (WhatsApp) combined with file execution tricks (HTA/PDF) exploits high levels of user trust. The specific targeting of Brazilian banking applications indicates intent for significant financial fraud.
## Mitigations
* Implement strong gateway security to inspect and block malicious HTA and script execution through document attachments.
* Restrict or monitor the execution of Python scripts originating from user-executed files, especially those interacting with messaging applications like WhatsApp Web.
* Employ host-based monitoring to detect process hollowing (injection into svchost.exe) and unusual executions of AutoIt scripts.
* Educate users in Brazil about phishing lures distributed via WhatsApp that trick them into installing software updates (Adobe Reader) or opening unexpected attachments.
* Ensure behavioral analysis detects file markers ("executed.dat") used for single-instance enforcement.
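The host-based monitoring points above (script host launching PowerShell, a Python spreader launched from a user-writable path, svchost.exe with an unexpected parent, and the "executed.dat" marker) as an added detection example that is not part of the report; the event fields, sample telemetry and path heuristics are assumptions for this example, not taken from a specific product or from the report's own artifacts.

```python
"""Added detection example over constructed Sysmon-style process events.
Flags the chains this report describes: a script host (HTA/VBS) launching
PowerShell, PowerShell launching a Python interpreter from a user-writable
path (the spreader), svchost.exe with an unexpected parent (hollowing by
the AutoIt loader), and a write of the "executed.dat" marker file.
Field names and sample values are assumptions for this example."""
from dataclasses import dataclass, field

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
# On Windows, svchost.exe is normally started by services.exe only.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}

@dataclass
class ProcEvent:
    image: str                  # process image basename, e.g. "powershell.exe"
    parent: str                 # parent image basename
    cmdline: str = ""           # full command line
    files_written: list = field(default_factory=list)  # paths the process wrote

def classify(ev: ProcEvent) -> list:
    """Return the list of detection names that match one event."""
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    hits = []
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_to_powershell")
    if image in PYTHON_IMAGES and (parent == "powershell.exe"
                                   or any(p in cmd for p in USER_WRITABLE)):
        hits.append("python_spreader_launch")
    if image == "svchost.exe" and parent not in EXPECTED_SVCHOST_PARENTS:
        hits.append("svchost_unexpected_parent")
    if any(f.lower().endswith("\\executed.dat") for f in ev.files_written):
        hits.append("executed_dat_marker")
    return hits

def scan(events) -> dict:
    """Map event index -> matched detections, omitting clean events."""
    result = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            result[i] = hits
    return result

# Constructed sample telemetry (not real IoCs): one benign event, four suspicious.
SAMPLE_EVENTS = [
    ProcEvent("svchost.exe", "services.exe", "svchost.exe -k netsvcs"),
    ProcEvent("powershell.exe", "mshta.exe", "powershell -WindowStyle Hidden -File stage2.ps1"),
    ProcEvent("python.exe", "powershell.exe", r"python.exe C:\Users\u\AppData\Local\Temp\spread.py"),
    ProcEvent("svchost.exe", "autoit3.exe", "svchost.exe"),
    ProcEvent("autoit3.exe", "msiexec.exe", "autoit3.exe loader.a3x",
              files_written=[r"C:\Users\u\AppData\Roaming\executed.dat"]),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

In production the parent-image check for svchost.exe should be paired with the CreateRemoteThread or image-load telemetry of the AutoIt process, since a hollowed process looks benign once the injected code is running.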