Full Report
Be careful what you click on. Miscreants are abusing WhatsApp messages in a multi-stage attack that delivers malicious Microsoft Installer (MSI) packages, allowing criminals to control victims' machines and access all of their data.…
Analysis Summary
# Tool/Technique: Multi-Stage WhatsApp MSI Delivery
## Overview
This attack is a multi-stage infection chain that starts with WhatsApp social engineering. Attackers use compromised accounts or urgent lures to get the recipient to run a malicious script; later stages fetch and install MSI packages that deploy Remote Access Trojans (RATs) and legitimate remote management software (AnyDesk), giving the operators full control of the victim's machine.
## Technical Details
- **Type:** Malware Campaign / Downloader
- **Platform:** Windows
- **Capabilities:** Remote access, data exfiltration, persistence, UAC manipulation, and Living-off-the-Land (LotL) execution.
- **First Seen:** February 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.003 - Phishing: Spearphishing via Service] (WhatsApp delivery)
- **[TA0002 - Execution]**
- [T1059.005 - Command and Scripting Interpreter: Visual Basic]
- [T1218.007 - System Binary Proxy Execution: Msiexec]
- **[TA0003 - Persistence]**
- [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0005 - Defense Evasion]**
- [T1036.003 - Masquerading: Rename System Utilities]
- [T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control]
- **[TA0009 - Collection]**
- [T1005 - Data from Local System]
- **[TA0011 - Command and Control]**
- [T1105 - Ingress Tool Transfer] (Using renamed curl/bitsadmin to fetch later stages)
## Functionality
### Core Capabilities
- **Social Engineering:** Delivery via WhatsApp using compromised contacts or high-pressure lures.
- **Payload Downloading:** Uses renamed Windows binaries (`curl.exe`, `bitsadmin.exe`) to fetch secondary stages from cloud providers.
- **Persistence and Elevation:** Registers for automatic start via Registry Run keys so the infection survives reboots, and tampers with UAC settings to obtain elevated privileges.
- **Remote Access:** Final stage deployment involves MSI packages that install remote desktop software or custom RATs.
### Advanced Features
- **Legitimate Infrastructure Abuse:** Hosts malicious payloads on trusted cloud services (AWS, Tencent, Backblaze B2) so that domain-reputation filters see only well-known hosts.
- **Living-off-the-Land (LotL):** Minimizes the footprint by using legitimate (though renamed) Windows utilities.
- **Metadata Discrepancy:** Although the files are renamed on disk (e.g., `curl.exe` becomes `netapi.dll`), the `OriginalFilename` field in the PE version resource is left untouched, an oversight that is characteristic of this campaign and gives defenders an easy hunting hook.
## Indicators of Compromise
- **File Names:**
- `auxs.vbs`, `2009.vbs` (Secondary payloads)
- `Setup.msi`, `WinRAR.msi`, `LinkPoint.msi`, `AnyDesk.msi` (Final payloads)
- `netapi.dll` (Actually `curl.exe`)
- `sc.exe` (Actually `bitsadmin.exe`)
- **Registry Keys:** Changes to User Account Control (UAC) settings to facilitate elevation.
- **Network Indicators:**
- Connections to `s3[.]amazonaws[.]com`
- Connections to `backblazeb2[.]com`
- Connections to Tencent Cloud infrastructure.
- **Behavioral Indicators:**
- Creation of hidden folders in `C:\ProgramData`.
- PE Metadata mismatch (OriginalFileName vs. current FileName).
- Repeated attempts to launch `cmd.exe` with elevated privileges.
## Associated Threat Actors
- Unknown (Current activity tracked to a campaign starting in late Feb 2026).
## Detection Methods
- **Signature-based:** Traditional AV signatures for the VBS scripts and unsigned MSI installers.
- **Behavioral Detection:**
- Monitoring for `curl` or `bitsadmin` execution from non-standard paths (e.g., `C:\ProgramData`), identified by the binary's original name rather than the name on disk.
- Flagging processes where the on-disk filename does not match the `OriginalFilename` field of the PE version resource (Sysmon records it as `OriginalFileName` in Event ID 1).
- **EDR Alerts:** Detection of UAC modification attempts followed by unsigned MSI installations.
## Mitigation Strategies
- **Prevention:**
- Employee training focused on social engineering over instant-messaging platforms such as WhatsApp (the same lures used in SMS "smishing", delivered through a chat app instead).
- Restrict execution of VBS scripts via Attack Surface Reduction (ASR) rules, for example the rules that block JavaScript/VBScript from launching downloaded executable content and block execution of potentially obfuscated scripts.
- **Hardening:**
- Implement AppLocker (Windows Installer rules) or Windows Defender Application Control (WDAC) so that only MSI packages from trusted publishers can run; this blocks the unsigned installers used in the final stage.
- Ensure UAC is set to "Always Notify" and users do not have local administrative rights.
## Related Tools/Techniques
- **AnyDesk:** Legitimate software abused for unauthorized remote access.
- **Living-off-the-Land Binaries (LoLBins):** Use of native Windows tools to circumvent security controls.