Full Report
LevelBlue SpiderLabs researchers have recently identified a banking Trojan we dubbed Eternidade Stealer, which is distributed through WhatsApp hijacking and social engineering lures. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group.
Analysis Summary
# Tool/Technique: Eternidade Stealer
## Overview
Eternidade Stealer is a newly identified banking Trojan actively distributed in a campaign that leverages WhatsApp hijacking and social engineering techniques.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Not explicitly stated; the WhatsApp distribution channel and the VBS and Python scripts in the chain point to Windows as the primary execution environment.
- Capabilities: Credential theft and banking fraud, distributed via compromised messaging applications.
- First Seen: November 19, 2025 (Date of article publication).
## MITRE ATT&CK Mapping
The observed distribution and execution techniques map to the following:
- **Initial Access**
  - T1566 - Phishing
  - T1566.001 - Spearphishing Attachment (implied by the social engineering delivery)
- **Execution**
  - T1204 - User Execution
  - T1204.001 - Malicious File
  - T1059 - Command and Scripting Interpreter
  - T1059.003 - Windows Command Shell (implied by the VBS usage)
  - T1059.005 - Visual Basic
- **Collection**
  - T1555 - Credentials from Password Stores (implied by the "Banking Trojan" label)
## Functionality
### Core Capabilities
1. **Initial Delivery:** Utilizing social engineering campaigns targeting WhatsApp users.
2. **Execution Chain:** Employing a VBScript (`teste_obscado.vbs`) to initiate the subsequent malware stages.
3. **WhatsApp Hijacking Tool:** Deployment of a Python script named `Whats.py`, likely used to hijack or abuse the victim's WhatsApp session.
4. **Payload Dropping:** Distribution of a final MSI installer containing the banking Trojan payload.
### Advanced Features
The malware is explicitly labeled a "Banking Trojan," which suggests capabilities that include:
- **Credential Harvesting:** Targeting saved credentials, particularly those related to financial applications.
- **Session Hijacking/Data Exfiltration:** Communications established with C2 infrastructure (`receptor.php`) to send stolen data.
## Indicators of Compromise
- File Hashes (SHA-1):
  - VBS: `e1779d9810ad39a45759c856cc85f1148a8f6601`, `e3e24d57163e04ac16a93a698d4c8051473bccb4`
  - Whats.py: `8f3b5a0cecd4d50fc6eb52a627fe6a9179e71736`, `167cc2d716bfebc440f14ff1affe7f99b8556f2e`
  - Payload: `db5545b6136f1197fd5234695cdeff285a99208e`, `03944933d662f4e96d43750aa29bd287685c6007`
- File Names: `teste_obscado.vbs`, `whats.py`, `installer.msi`
- Registry Keys: Not specified in the context.
- Network Indicators:
  - Domains: `varegjopeaks[.]com`, `centrogauchodabahia123[.]com`, `itrexmssl[.]com`, `alentodolcevitad[.]com`, `miportuarios[.]com`, `mazdafinancialsevrices[.]com`, `adilsonralfadvocaciad[.]com`, `domimoveis1[.]com[.]br`, `serverseistemasatu[.]com`
  - IPs: `104.21.48[.]41`, `162.120.71[.]56`, `185.169.234[.]139`, `83.229.17[.]71`, `140.99.164[.]172`, `174.138.187[.]2`
- Behavioral Indicators: Execution chains involving VBS launching Python scripts to manipulate communication applications.
## Associated Threat Actors
The context does not name a specific threat group, but the research attributes the campaign to a "threat group" employing these "new tools."
## Detection Methods
- Signature-based detection: Use the provided file hashes against threat intelligence platforms.
- Behavioral detection: Monitor for VBScript launching Python scripts (such as `whats.py`), particularly when the files were downloaded from unusual network locations and the execution precedes attempts to access credentials or financial data.
- YARA rules: Not specified in the context.
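The following Python is an added illustration of the signature and behavioral checks above; it is not code from the LevelBlue report. It scans constructed Sysmon-style process-creation events for the report's hashes and file names and for the VBS-to-Python chain, assuming that VBScript runs under `wscript.exe`/`cscript.exe` and that a `FileSHA1` field (SHA-1 of the script or installer named on the command line) is supplied by file telemetry.

```python
import re
# SHA-1 indicators listed in the report above, keyed to the component they belong to.
KNOWN_SHA1 = {
    "e1779d9810ad39a45759c856cc85f1148a8f6601": "VBS",
    "e3e24d57163e04ac16a93a698d4c8051473bccb4": "VBS",
    "8f3b5a0cecd4d50fc6eb52a627fe6a9179e71736": "Whats.py",
    "167cc2d716bfebc440f14ff1affe7f99b8556f2e": "Whats.py",
    "db5545b6136f1197fd5234695cdeff285a99208e": "Payload",
    "03944933d662f4e96d43750aa29bd287685c6007": "Payload",
}
KNOWN_NAMES = ("teste_obscado.vbs", "whats.py", "installer.msi")
# Assumption: VBScript runs under the Windows Script Host, so "VBS launches Python" shows
# up as wscript.exe or cscript.exe spawning a Python interpreter.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
PYTHON_EXE = re.compile(r"pythonw?(\d+(\.\d+)?)?\.exe", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return (rule, detail) findings for one process-creation event. Assumed fields:
    Image, ParentImage, CommandLine and, from file telemetry, an optional FileSHA1."""
    findings = []
    image, parent = basename(event["Image"]), basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    sha1 = event.get("FileSHA1", "").lower()
    if sha1 in KNOWN_SHA1:
        findings.append(("hash_match", KNOWN_SHA1[sha1]))
    findings += [("known_filename", n) for n in KNOWN_NAMES if n in cmd]
    if parent in SCRIPT_HOSTS and PYTHON_EXE.fullmatch(image):
        findings.append(("vbs_spawns_python", f"{parent} -> {image}"))
    return findings

def scan(events):
    # Returns [(event_index, findings)] for every event that triggered at least one rule.
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

# Constructed sample telemetry (not from the report): the VBS -> Python -> MSI chain.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Ana\Downloads\teste_obscado.vbs"',
     "FileSHA1": "e1779d9810ad39a45759c856cc85f1148a8f6601"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Python312\python.exe",
     "CommandLine": r"python.exe C:\Users\Ana\AppData\Local\Temp\whats.py",
     "FileSHA1": "8f3b5a0cecd4d50fc6eb52a627fe6a9179e71736"},
    {"ParentImage": r"C:\Python312\python.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Ana\AppData\Local\Temp\installer.msi /qn",
     "FileSHA1": "db5545b6136f1197fd5234695cdeff285a99208e"},
]
```

Calling `scan(SAMPLE_EVENTS)` flags all three events; a benign `python.exe` started from `explorer.exe` without the indicators produces no finding.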
## Mitigation Strategies
- **Prevention:** Users should be highly cautious of unsolicited files or links received via WhatsApp, even from known contacts, as accounts are being hijacked.
- **Hardening:** Implement application control to restrict the execution of VBScript or Python from temporary directories or email/messaging application paths. Ensure endpoint protection is configured to detect and block common credential-stealing behaviors.
## Related Tools/Techniques
- **Whats.py**: A custom or repurposed Python tool specifically designed to interact with or hijack WhatsApp data/sessions.
- **VBS (Visual Basic Script)**: Commonly used for initial execution and evasion on Windows systems.