Full Report
Cybersecurity researchers have disclosed details of a new campaign that leverages a combination of social engineering and WhatsApp hijacking to distribute a Delphi-based banking trojan named Eternidade Stealer as part of attacks targeting users in Brazil. "It uses Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the threat actor to
Analysis Summary
# Tool/Technique: Eternidade Stealer Malware Campaign
## Overview
This describes a multi-stage cyberattack campaign primarily targeting users in Brazil. It leverages social engineering and WhatsApp hijacking via a Python worm to distribute the Delphi-based **Eternidade Stealer** banking trojan. A key feature of the malware is its dynamic C2 update mechanism using IMAP.
## Technical Details
- Type: Malware (Banking Trojan) and associated delivery framework (Worm/Dropper scripts)
- Platform: Windows operating systems (inferred from use of VBScript, Batch, MSI, AutoIt, and process hollowing into `svchost.exe`).
- Capabilities: Credential stealing (banking, cryptocurrency), WhatsApp worm propagation, C2 dynamic retrieval, geo-targeting validation.
- First Seen: Information not explicitly provided, but context suggests a recent campaign evolution.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Delivery via WhatsApp message)
- **TA0002 - Execution**
  - T1204 - User Execution
    - T1204.002 - Malicious File
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell (Via Batch script drop)
- **TA0005 - Defense Evasion**
  - T1036 - Masquerading
    - T1036.003 - Rename System Utilities (Implied by use of legitimate process names like `svchost.exe`)
  - T1055 - Process Injection
    - T1055.011 - Process Hollowing (Injecting payload into `svchost.exe`)
- **TA0007 - Discovery**
  - T1083 - File and Directory Discovery (Implied by searching for security products)
  - T1012 - Query Registry (Checking registry keys)
  - T1082 - System Information Discovery (Profiling the machine)
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer
    - T1105.001 - Dynamic Resolution (Dynamically retrieving C2 via IMAP)
## Functionality
### Core Capabilities
* **WhatsApp Worm Propagation:** A Python script uses the WPPConnect project to automate WhatsApp Web, harvest contacts, and send malicious attachments in a worm-like fashion to propagate the infection.
* **Geo-Targeting:** The MSI payload utilizes an AutoIt script to check the OS language. If it is not Brazilian Portuguese, the malware self-terminates, indicating Brazil-specific targeting.
* **Credential Harvesting:** The Delphi-based Eternidade Stealer scans active windows for banking, payment service, and cryptocurrency application strings (e.g., Bradesco, MercadoPago, Binance, MetaMask).
### Advanced Features
* **Dynamic C2 Retrieval:** The malware communicates using IMAP to pull up-to-date Command-and-Control (C2) server addresses from an email inbox (`terra.com[.]br`), enabling the threat actor to rapidly update infrastructure.
* **Process Hollowing:** The final payload injects the stealer module into the legitimate Windows process `svchost.exe` for persistence and evasion.
* **Overlay/Banker Tactic:** The stealer lies dormant until a targeted banking or wallet application window is active, ensuring it only acts against relevant targets and evading sandboxes that merely simulate casual user behavior.
## Indicators of Compromise
- File Hashes: N/A (Not provided in the text)
- File Names: Obfuscated Visual Basic Script (initial dropper), Python script, MSI installer, AutoIt script.
- Registry Keys: Scanned for presence of security products (specific keys not listed).
- Network Indicators:
  - **C2 Communication:** HTTP POST requests (for contact harvesting).
  - **C2 Retrieval:** IMAP connection to an inbox linked to a `terra.com[.]br` email address.
- Behavioral Indicators: Checking OS language, scanning running processes for security products, injecting into `svchost.exe`.
## Associated Threat Actors
The text does not name a specific threat actor group but notes the activity is part of a broader trend targeting Brazil, potentially related to actors previously associated with SORVEPOTEL or Coyote malware variants.
## Detection Methods
- Signature-based detection: Signatures for the Delphi-based Eternidade Stealer binary.
- Behavioral detection: Monitoring for Python scripts automating WhatsApp Web (WPPConnect artifacts), execution of VBS/Batch scripts followed by MSI installation, and process injection into `svchost.exe` (process hollowing).
- YARA rules: N/A (Not provided in the text)
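The behavioral detection item above (VBS/Batch execution followed by MSI installation, then injection into `svchost.exe`) can be expressed as two simple rules over process-creation telemetry. The following is an added example written for this summary, not code from the report or from any vendor product. It assumes Sysmon-style process-creation records with the fields shown (`pid`, `ppid`, `image`, `parent_image`, `cmdline`); the event list is constructed by hand, and paths and file names in it are invented.

```python
"""Behavioural detection over constructed Sysmon-style process-creation events.

Added example, not code from the report. ProcEvent imitates the essentials of a
Sysmon Event ID 1 record; SAMPLE_EVENTS is hand-constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the newly created process
    parent_image: str  # full path of its parent
    cmdline: str


# Interpreters that run the VBS/Batch stages of the delivery chain.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
# svchost.exe is normally started by services.exe (some hosts are started by
# another svchost.exe); any other parent is a cheap hollowing/injection indicator.
EXPECTED_SVCHOST_PARENTS = {"services.exe", "svchost.exe"}


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 6) -> List[str]:
    """Image names from the event up through its ancestors.

    Parents are resolved through events we saw; when the chain leaves our
    window, the parent_image recorded on the last event is used and we stop.
    """
    chain = [basename(event.image)]
    cur = event
    for _ in range(max_depth):
        parent: Optional[ProcEvent] = by_pid.get(cur.ppid)
        if parent is None:
            chain.append(basename(cur.parent_image))
            break
        chain.append(basename(parent.image))
        cur = parent
    return chain


def detect(events: List[ProcEvent]) -> List[str]:
    """Return one alert string per suspicious event, in event order.

    Rule 1: msiexec.exe with a script host (VBS/Batch interpreter) in its
            ancestry, i.e. the VBS -> Batch -> MSI hand-off described above.
    Rule 2: svchost.exe started by an unexpected parent, consistent with a
            dropper spawning a hollowed copy instead of the Service Control Manager.
    """
    by_pid = {e.pid: e for e in events}
    alerts: List[str] = []
    for e in events:
        img = basename(e.image)
        if img == "msiexec.exe":
            chain = ancestry(e, by_pid)
            if any(a in SCRIPT_HOSTS for a in chain[1:]):
                alerts.append(f"[rule1] script host in msiexec ancestry pid={e.pid}: {' <- '.join(chain)}")
        elif img == "svchost.exe" and basename(e.parent_image) not in EXPECTED_SVCHOST_PARENTS:
            alerts.append(f"[rule2] svchost.exe pid={e.pid} spawned by {basename(e.parent_image)}")
    return alerts


# Constructed sample: one infection-like chain plus benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'wscript.exe "C:\Users\user\Downloads\attachment.vbs"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              r"cmd.exe /c C:\Users\user\AppData\Local\Temp\stage.bat"),
    ProcEvent(400, 300, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\cmd.exe",
              r"msiexec.exe /i C:\Users\user\AppData\Local\Temp\pkg.msi /qn"),
    ProcEvent(500, 400, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\msiexec.exe", "svchost.exe"),
    # benign: SCM-started service host, and a user launching an installer from Explorer
    ProcEvent(600, 50, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent(700, 100, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
              r"msiexec.exe /i C:\Users\user\Downloads\tool.msi"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 deliberately does not alert on `svchost.exe` started by `services.exe`, so the Explorer-launched installer and the normal service host in the sample produce nothing; only the scripted chain and the `svchost.exe` child of `msiexec.exe` are flagged.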
## Mitigation Strategies
- Social Engineering Awareness: Educate users on the dangers of clicking unknown attachments received via social media/messaging apps, even from trusted contacts.
- Application Control: Restrict execution of VBScript, Batch files, and MSI installers from untrusted sources.
- Network Monitoring: Monitor for unusual outbound IMAP connections from non-standard clients (processes that are not mail clients), especially when they authenticate to mailboxes on the domain pattern seen in this campaign.
- Application Whitelisting: Prevent unauthorized injection into critical system processes like `svchost.exe`.
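The network-monitoring item above, and the IMAP-based C2 retrieval described under Advanced Features and Indicators of Compromise, come down to one question: which processes on the endpoint are opening IMAP sessions, and to where? The block below is an added example written for this summary, not code from the report. The pipe-delimited flow-record format, the mail-client allowlist and every sample line are constructed assumptions; the watchlist suffix reuses only the `terra.com[.]br` domain named in the report (re-fanged), and the `imap.` hostname in front of it is invented.

```python
"""Flag IMAP connections that do not originate from a mail client.

Added example, not from the report. Record format (timestamp|host|process_image|
dst_host|dst_port), the MAIL_CLIENTS allowlist and SAMPLE_FLOWS are constructed.
"""
from typing import Dict, List, NamedTuple, Optional

IMAP_PORTS = {143, 993}
# Processes expected to speak IMAP on a managed endpoint (assumed allowlist;
# tune to your fleet).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Domain suffix taken from the report's indicator (written there as terra.com[.]br).
# Alone it is informational; combined with a non-mail-client process it is high confidence.
WATCHLIST_SUFFIXES = ("terra.com.br",)


class Flow(NamedTuple):
    ts: str
    host: str
    image: str
    dst_host: str
    dst_port: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow record; malformed lines yield None."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    try:
        port = int(parts[4])
    except ValueError:
        return None
    return Flow(parts[0], parts[1], parts[2], parts[3].strip().lower(), port)


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def on_watchlist(dst_host: str) -> bool:
    """True when dst_host is a watchlisted domain or a subdomain of one."""
    return any(dst_host == s or dst_host.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def detect_imap_anomalies(lines: List[str]) -> List[Dict[str, str]]:
    """Return findings for IMAP flows, in input order.

    mail client   -> unlisted server : expected, no finding
    mail client   -> watchlisted     : low   (probably a real mailbox, worth a look)
    other process -> unlisted server : medium (non-standard IMAP client)
    other process -> watchlisted     : high  (matches the report's C2 retrieval)
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.dst_port not in IMAP_PORTS:
            continue
        proc = basename(flow.image)
        is_mail_client = proc in MAIL_CLIENTS
        watch = on_watchlist(flow.dst_host)
        if is_mail_client and not watch:
            continue
        if not is_mail_client and watch:
            severity = "high"
        elif not is_mail_client:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "severity": severity,
            "host": flow.host,
            "process": proc,
            "dst": f"{flow.dst_host}:{flow.dst_port}",
            "ts": flow.ts,
        })
    return findings


# Constructed sample flows; hostnames and the 198.51.100.7 address (TEST-NET-2) are
# invented, and imap.terra.com.br only reuses the domain suffix named in the report.
SAMPLE_FLOWS = [
    r"2025-01-01T10:00:00Z|WS01|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|outlook.office365.com|993",
    r"2025-01-01T10:02:13Z|WS01|C:\Windows\System32\svchost.exe|imap.terra.com.br|993",
    r"2025-01-01T10:05:41Z|WS02|C:\Users\Public\update.exe|198.51.100.7|143",
    r"2025-01-01T10:06:02Z|WS02|C:\Windows\System32\svchost.exe|wpad.corp.example|80",
    "this line is not a flow record",
    r"2025-01-01T10:09:30Z|WS03|C:\Program Files\Mozilla Thunderbird\thunderbird.exe|imap.terra.com.br|993",
]

if __name__ == "__main__":
    for f in detect_imap_anomalies(SAMPLE_FLOWS):
        print(f["severity"].upper(), f["host"], f["process"], "->", f["dst"])
```

The allowlist-plus-watchlist split keeps the rule useful after the actor rotates mailboxes: a `svchost.exe` or unsigned binary speaking IMAP to any server still surfaces as medium, while the watchlist only raises confidence when it happens to match.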
## Related Tools/Techniques
* **SORVEPOTEL:** A previously documented WhatsApp Web worm campaign targeting Brazilian users.
* **Coyote:** A .NET banking trojan assessed as a possible evolution of, or otherwise related to, the same activity cluster.
* **WPPConnect:** Open-source project leveraged by the Python script to automate WhatsApp Web interactions.
* **Delphi-based Malware:** A noted preference within Latin American threat actors for this development language.