WhatsApp-Based Malware Exfiltrates Contacts to Attack Server and Installs Additional Payloads
This ongoing campaign leverages automated messaging, targeted account takeover, and multi-stage payload installation to compromise victims’ financial and personal accounts.
The campaign, which delivers the malware tracked as Eternidade Stealer, begins when a user receives an obfuscated VBScript disguised as a friendly message on WhatsApp.
The script, written with Portuguese-language comments, launches a batch file that downloads payloads, including a WhatsApp-propagating worm and an MSI installer for the core trojan.
The worm, crafted in Python, automates WhatsApp’s messaging features to hijack accounts and distribute further malware, demonstrating a marked shift from the PowerShell scripts commonly used in older attacks.
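The delivery chain above (script host launching a batch file, which in turn launches the downloaded Python worm and the MSI installer) leaves a recognisable parent-child pattern in process-creation telemetry. The following detection logic is an added example written for this article, not code from the report or from the malware: it walks constructed, Sysmon-style process events and flags any second-stage interpreter or installer whose ancestry contains a shell spawned by a Windows script host. The event shape, process names and sample command lines are assumptions made for the demonstration.

```python
"""Detect the script-host -> shell -> second-stage chain in process telemetry.

Added example for the Eternidade Stealer write-up; the events below are
constructed sample data, not real telemetry.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # VBScript / JScript hosts
SHELLS = {"cmd.exe"}                                   # the batch file runs here
SECOND_STAGE = {"python.exe", "pythonw.exe", "msiexec.exe",
                "curl.exe", "bitsadmin.exe"}           # downloaders / installers


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


def ancestry(event, index, depth=4):
    """Return [event, parent, grandparent, ...] up to `depth` entries."""
    chain = [event]
    cur = event
    while cur.ppid in index and len(chain) < depth:
        cur = index[cur.ppid]
        chain.append(cur)
    return chain


def find_script_delivery_chains(events):
    """Flag second-stage processes whose ancestry is script host -> shell -> stage."""
    index = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image not in SECOND_STAGE:
            continue
        images = [c.image for c in ancestry(e, index)]
        # a shell must sit above the second stage ...
        shell_pos = next((i for i, im in enumerate(images) if im in SHELLS), None)
        if shell_pos is None:
            continue
        # ... and a script host must sit above that shell
        host_pos = next((i for i, im in enumerate(images[shell_pos + 1:], start=shell_pos + 1)
                         if im in SCRIPT_HOSTS), None)
        if host_pos is None:
            continue
        hits.append(" -> ".join(reversed(images[:host_pos + 1])) + f" (pid {e.pid})")
    return hits


# Constructed sample events (paths and file names are placeholders).
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe",  r'wscript.exe "C:\Users\u\Downloads\WhatsApp\convite.vbs"'),
    ProcEvent(300, 200, "cmd.exe",      r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\setup.bat"'),
    ProcEvent(400, 300, "msiexec.exe",  r'msiexec.exe /i C:\Users\u\AppData\Local\Temp\inst.msi /qn'),
    ProcEvent(410, 300, "python.exe",   r'python.exe C:\Users\u\AppData\Local\Temp\worm.py'),
    # benign: a developer running Python from a console opened via Explorer
    ProcEvent(500, 100, "cmd.exe",      "cmd.exe"),
    ProcEvent(510, 500, "python.exe",   "python.exe build.py"),
    # benign: an installer double-clicked in Explorer
    ProcEvent(600, 100, "msiexec.exe",  "msiexec.exe /i tool.msi"),
]


def demo():
    return find_script_delivery_chains(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in demo():
        print("ALERT:", hit)
```

The rule deliberately requires both a shell and a script host in the ancestry, so an administrator launching Python from a console or a user double-clicking an installer does not trigger it; tightening it further (for example, requiring the script to live under a messaging app's download folder) is a matter of adding a check on the script host's `cmdline`.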
What makes Eternidade Stealer stand out is its focus on extracting entire WhatsApp contact lists for rapid threat propagation.
The malware uses the wppconnect-w.js library to retrieve contacts programmatically, filtering out groups and business numbers to target individuals more likely to fall for phishing lures.
Stolen contacts, complete with names and phone numbers, are immediately sent via HTTP POST to the attacker’s command-and-control (C2) server.
Attackers personalize the malicious message based on time of day (“bom dia”, “boa tarde”, “boa noite”) and contact name, mimicking legitimate business communication. The actual malware file is delivered alongside this greeting to maximize click rates and infection success.
The next stage involves a malicious MSI installer that unpacks several components, including encrypted payloads and an AutoIt script loader for in-memory execution.
The stealer is highly targeted, checking the operating system's language settings to ensure it only affects Brazilian users; others see an error prompt, and the malware halts execution.
The script also conducts thorough reconnaissance, harvesting details about the victim’s system, IP address, running processes, and installed security products using WMI and registry queries.
Eternidade’s ability to dynamically update its C2 address using IMAP makes takedowns exceptionally difficult.
By logging in to a hardcoded email account over SSL, it retrieves the latest active C2 address. It falls back on a preset server if the email connection fails, helping the attacker maintain persistence and avoid network-based detection.
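The IMAP dead-drop described above gives defenders a usable signal: a process that is not a mail client opens an IMAP-over-SSL session and then, shortly afterwards, connects to a different destination it just learned. The code below is an added example for this article, not code from the report or from the malware. It runs a simple correlation over constructed, Sysmon-style network-connection events; the process names, the `imap.example.net` host, the `203.0.113.10` address (an RFC 5737 documentation range) and the 120-second window are all assumptions made for the demonstration.

```python
"""Correlate non-mail-client IMAP sessions with the connection that follows them.

Added example for the Eternidade Stealer write-up; the events below are
constructed sample data, not real telemetry.
"""
from dataclasses import dataclass

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # expected to speak IMAP
IMAP_PORTS = {143, 993}                              # IMAP / IMAPS


@dataclass(frozen=True)
class NetEvent:
    ts: float       # seconds since some epoch
    pid: int
    image: str      # executable file name, lower-case
    dst: str        # destination host or IP
    dport: int


def find_imap_beacons(events, window=120.0):
    """Flag IMAP sessions from non-mail processes; escalate when a follow-up
    connection to another destination happens within `window` seconds."""
    by_pid = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_pid.setdefault(e.pid, []).append(e)

    findings = []
    for pid, evs in by_pid.items():
        for i, e in enumerate(evs):
            if e.dport not in IMAP_PORTS or e.image in MAIL_CLIENTS:
                continue
            followups = [f"{f.dst}:{f.dport}" for f in evs[i + 1:]
                         if f.dport not in IMAP_PORTS and f.ts - e.ts <= window]
            findings.append({
                "pid": pid,
                "image": e.image,
                "imap_server": f"{e.dst}:{e.dport}",
                "followups": followups,
                # a resolved C2 right after the mailbox read is the strong signal
                "severity": "high" if followups else "medium",
            })
    return findings


# Constructed sample events.
SAMPLE_EVENTS = [
    NetEvent(10.0, 700, "autoit3.exe",  "imap.example.net", 993),   # reads the dead drop
    NetEvent(12.0, 800, "outlook.exe",  "imap.example.net", 993),   # legitimate mail client
    NetEvent(15.0, 700, "autoit3.exe",  "203.0.113.10",     80),    # talks to the C2 it just learned
    NetEvent(20.0, 900, "python.exe",   "imap.example.net", 143),   # odd, but nothing follows
    NetEvent(400.0, 900, "python.exe",  "www.example.org",  443),   # outside the window
]


def demo():
    return find_imap_beacons(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f["severity"].upper(), f["image"], f["imap_server"], "->", f["followups"] or "-")
```

The fallback server the report mentions is covered by the same rule: whether the C2 address came from the mailbox or from the hardcoded default, the process still makes the unexpected IMAP connection first, and it is that connection from a non-mail process that is worth alerting on.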
Once installed, Eternidade Stealer operates as a sophisticated credential and account information stealer. It actively monitors open applications and browser windows for signs of Brazilian bank portals, fintech services, and cryptocurrency wallets.
If found, encrypted overlays and prompts are used to trick users into entering credentials, which are then sent to the attacker’s server. The malware can also receive remote commands to harvest keylog data, capture files, and upload stolen assets.
With its blend of regionally tailored delivery, real-time exfiltration, and modular architecture, Eternidade Stealer exemplifies the technical evolution of Brazilian cybercrime and the urgent need for defenders to monitor WhatsApp traffic and script execution closely.
The post WhatsApp-Based Malware Exfiltrates Contacts to Attack Server and Installs Additional Payloads appeared first on Cyber Security News.