Cybersecurity researchers have discovered an active malware campaign that uses WhatsApp messages to spread malicious VBScript files. According to findings from Kaspersky, the attackers are targeting users of both WhatsApp Desktop and WhatsApp Web. Victims have been identified in several countries, including India, Malaysia, Brazil, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam. Malaysia has recorded the highest number of affected users.

The attackers send files that appear to be normal business or financial documents. These attachments use names such as financial reports, account statements, invoices, payment records, and debt notices to convince people that the files are legitimate. Because the messages often come from trusted contacts, many users may not suspect anything unusual and could open the attachment without hesitation.
Researchers believe the campaign is being distributed through previously compromised WhatsApp accounts. Once attackers gain access to an account, they use it to send malicious files to people in the victim’s contact list. This method increases the chances of success because recipients are more likely to trust files sent by someone they already know. The exact method used to compromise these WhatsApp accounts is still unknown.

The malicious attachments are heavily obfuscated VBScript files designed to hide their true purpose. Some file names have been translated into multiple languages, including Portuguese, French, German, and Malay, showing that the campaign is targeting users across different regions. Researchers also found comments inside the scripts that imitate legitimate Microsoft Windows Update components to make the files appear harmless.
When a victim opens the attachment, Windows Script Host (wscript.exe) runs the script with the privileges of the logged-in user. The malware then creates a working directory on the system and connects to attacker-controlled servers to download additional components. These extra scripts carry out the next stages of the infection while staying hard to spot.

The attack works slightly differently depending on whether the victim is using WhatsApp Web or WhatsApp Desktop. On WhatsApp Web, users must download the file and manually open it from their downloads folder. On WhatsApp Desktop, the file can be executed directly through the application, allowing the malicious process to begin immediately after the user opens the attachment.
The main goal of the malware is to install legitimate remote management software on the victim’s computer. During the later stages of the attack, the script downloads additional payloads, including one that attempts to modify Windows User Account Control settings. Another payload retrieves a compressed archive containing the installation package for ManageEngine RMM Central, which is then installed on the system.
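The chain described above, a script host launched on a downloaded script file, a registry change to User Account Control, and then an RMM installer started by that script host, maps onto three simple host-telemetry detections. The Python below is an added example and is not code from Kaspersky or from this article. The pipe-delimited event format and every sample event are constructed, the file and folder names are invented, and the registry values it watches (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) are the standard UAC settings, assumed here because the report does not state which setting the payload modifies.

```python
"""Detections for the WhatsApp script-attachment chain (added example)."""
import re
from typing import Callable, Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b")
# Standard UAC policy key and values (assumption: the report names no specific value).
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}

# Constructed sample telemetry in a simplified Sysmon-like Key=Value|Key=Value form.
# Every path, file name and registry value here is made up for the example.
SAMPLE_EVENTS = [
    r'EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt|ParentImage=C:\Windows\explorer.exe',
    r'EventID=1|Image=C:\Windows\System32\wscript.exe|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Financial_Report.vbs"|ParentImage=C:\Windows\explorer.exe',
    r'EventID=13|Image=C:\Windows\System32\wscript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|Details=DWORD (0x00000000)',
    r'EventID=13|Image=C:\Windows\System32\wscript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin|Details=DWORD (0x00000000)',
    r'EventID=1|Image=C:\Users\alice\AppData\Local\Temp\rmm\ManageEngine_RMM_Central_Setup.exe|CommandLine="C:\Users\alice\AppData\Local\Temp\rmm\ManageEngine_RMM_Central_Setup.exe"|ParentImage=C:\Windows\System32\wscript.exe',
    r'EventID=13|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details=C:\Program Files\OneDrive\OneDrive.exe',
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'Key=Value|Key=Value' line into a dict (values may contain '=')."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_script_host_on_attachment(ev: Dict[str, str]) -> bool:
    """A script host started on a .vbs/.js/.wsf that lives under Downloads or a WhatsApp path."""
    if ev.get("EventID") != "1" or basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return False
    cmd = ev.get("CommandLine", "").lower()
    return bool(SCRIPT_FILE.search(cmd)) and ("\\downloads\\" in cmd or "whatsapp" in cmd)


def rule_uac_tamper(ev: Dict[str, str]) -> bool:
    """A registry value write (Sysmon event 13) to one of the UAC policy values."""
    if ev.get("EventID") != "13":
        return False
    key, _, value = ev.get("TargetObject", "").lower().rpartition("\\")
    return key == UAC_KEY and value in UAC_VALUES


def rule_script_host_spawns_rmm(ev: Dict[str, str]) -> bool:
    """A process parented by a script host whose image or command line names ManageEngine."""
    if ev.get("EventID") != "1" or basename(ev.get("ParentImage", "")) not in SCRIPT_HOSTS:
        return False
    text = (ev.get("Image", "") + " " + ev.get("CommandLine", "")).lower()
    return "manageengine" in text


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("script_host_on_attachment", rule_script_host_on_attachment),
    ("uac_tamper", rule_uac_tamper),
    ("script_host_spawns_rmm", rule_script_host_spawns_rmm),
]


def run_detections(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, image basename) for every event that trips a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                findings.append((name, basename(ev.get("Image", ""))))
    return findings


if __name__ == "__main__":
    for name, image in run_detections(SAMPLE_EVENTS):
        print(f"{name}: {image}")
```

The first rule is the one worth tuning for the WhatsApp Desktop case: there the attachment is opened from inside the application rather than from Downloads, so the path filter must cover wherever the client stores attachments on your build, which the report does not specify. The second rule fires on any UAC policy write regardless of the writing process; in production, allow-list your management tooling rather than loosening the rule.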

Once ManageEngine RMM Central is installed, the attackers have remote access to the compromised device through legitimate administration features, which makes the activity harder to distinguish from normal IT management. Researchers have not officially attributed the campaign to a specific threat actor, although some infrastructure overlaps were found with previous activity linked to Gh0st RAT and ValleyRAT operations. Security experts recommend avoiding unexpected attachments on WhatsApp and verifying script or executable files before opening them: a "financial report" or "invoice" that arrives as a .vbs file is not a document, no matter who sent it, and should be confirmed with the sender through another channel before anything is done with it.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news