Current Activities: Malware Campaign spreading through WhatsApp Attachments

Published on: June 25, 2026

Current Activities
Malware Campaign spreading through WhatsApp Attachments
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
It has been observed that a large-scale malware distribution campaign is targeting WhatsApp Desktop and WhatsApp Web users. The campaign distributes malicious Visual Basic Script (VBScript) files through direct messages on the platform. Threat actors leverage compromised WhatsApp accounts to send malicious attachments directly to victims, making the messages appear legitimate and significantly increasing the likelihood of successful compromise.
WhatsApp is a cross-platform instant messaging application that enables users to exchange messages, files, images, videos and other content across desktop and web platforms.
Attackers use previously compromised WhatsApp accounts to send malicious VBScript (.vbs) files to existing contacts. Because the messages originate from trusted contacts, recipients may be more inclined to open the attachment.
The malicious files are disguised as routine business documents, such as:
- Invoices
- Bank statements
- Payment records
- Account statements
- Debt notices
The filenames are localized in several languages, including English, Portuguese, French, German, and Malay, indicating a broad targeting strategy. In addition, the VBScript samples contain extensive comments and metadata intended to mimic legitimate Microsoft Windows Update components.
Once a victim opens the malicious attachment, the following chain of events occurs:
1. The VBScript executes on the system.
2. A working directory is created under the public documents folder.
3. Additional scripts are downloaded from attacker-controlled infrastructure.
4. The scripts execute via Windows Script Host.
5. A compressed archive is downloaded and extracted.
6. A Remote Monitoring and Management (RMM) package is installed.
7. Attackers gain remote access capabilities on the compromised device.
The malware also includes comments and metadata designed to imitate legitimate Microsoft Windows Update components, helping it evade suspicion.
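Two of the stages above leave a recognisable process-creation footprint: Windows Script Host (wscript.exe/cscript.exe) running a script from the public documents folder, and Windows Script Host then spawning the process that fetches and runs the next stage. The detection below is an added example for defenders and is not part of the CERT-In advisory; the log format (`Key=Value|Key=Value` records with Pid, Image, ParentImage and CommandLine fields) and the sample events are constructed to stand in for Sysmon or EDR process-creation telemetry.

```python
import re

# Script hosts named in the advisory's infection chain.
WSH_HOSTS = ("wscript.exe", "cscript.exe")
# Script types the advisory warns about (plus the other WSH-executable types).
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
# The working directory the advisory describes: the public documents folder.
PUBLIC_DOCS = re.compile(r"[A-Z]:\\Users\\Public\\Documents\\", re.IGNORECASE)

# Constructed process-creation records (not real telemetry):
# event 1 = stage 1 (WSH runs the disguised .vbs from Public\Documents),
# event 2 = stage 2 (WSH spawns the process that runs a downloaded script),
# event 3 = a benign administrative script, which must not be flagged.
SAMPLE_EVENTS = [
    r'Pid=4120|Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\Invoice_2026.vbs"',
    r'Pid=4188|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    r'|ParentImage=C:\Windows\System32\wscript.exe'
    r'|CommandLine=powershell.exe -File C:\Users\Public\Documents\stage2.ps1',
    r'Pid=5002|Image=C:\Windows\System32\cscript.exe|ParentImage=C:\Windows\System32\cmd.exe'
    r'|CommandLine=cscript.exe C:\Scripts\inventory.vbs',
]


def parse_event(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' record; only the first '=' per field separates key from value."""
    return dict(part.split("=", 1) for part in line.split("|"))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so Image/ParentImage compare case-insensitively."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return (pid, rule) pairs for events matching either stage of the described chain."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        # Stage 1: a script host executing a script file that lives under Public\Documents.
        if img in WSH_HOSTS and SCRIPT_EXT.search(cmd) and PUBLIC_DOCS.search(cmd):
            findings.append((ev["Pid"], "wsh_script_from_public_documents"))
        # Stage 2: a script host acting as parent of a non-script-host process (download/run of next stage).
        if parent in WSH_HOSTS and img not in WSH_HOSTS:
            findings.append((ev["Pid"], "child_process_spawned_by_wsh"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign administrative script (event 3) is not flagged because it runs from outside the public documents folder and spawns nothing; tune the path pattern to the locations your own users legitimately run scripts from.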
Impact
Successful exploitation may result in:
- Unauthorized remote access to endpoints
- Credential theft
- Deployment of additional malware
- Data exfiltration
- Lateral movement within organizational networks
- Business disruption and financial losses
Best practices
To protect against the ongoing WhatsApp malware campaign and similar threats, users should follow these security practices:
1.  Be Cautious with Unexpected Attachments
Do not open attachments you were not expecting, even if they come from a friend, colleague, or family member.
Be suspicious of files claiming to be invoices, payment receipts, account statements, or financial documents.
2.  Verify with the Sender
Contact the sender through a phone call or separate message to confirm they intentionally sent the file.
If the sender’s message seems unusual or out of character, treat it as suspicious.
3.  Avoid Clicking on Suspicious Links
Do not click on links from unknown or unexpected messages.
Verify shortened or unfamiliar URLs before opening them.
4.  Check the File Extension
Avoid opening files with extensions such as:
- .vbs
- .vbe
- .exe
- .bat
- .cmd
- .js
- .ps1
These file types can execute commands on your device and may install malware.
5.  Keep Your Device Updated
Install security updates for your operating system as soon as they become available.
Keep browsers, messaging applications, and antivirus software updated.
6.  Use Security Software
Install reputable antivirus or endpoint protection software.
Enable real-time protection and automatic updates.
7.  Enable Two-Factor Authentication (2FA)
Enable two-step verification on WhatsApp and other online accounts.
Use a strong, unique PIN or password.
8.  Review Linked Devices Regularly
Periodically check the devices linked to your WhatsApp account.
Log out of any device you do not recognize.
9.  Download Software Only from Trusted Sources
Install applications only from official app stores or vendor websites.
Avoid downloading software shared through messaging platforms.
10.  Protect Personal and Financial Information
Never share passwords, OTPs, banking credentials, or sensitive personal information through messaging apps.
Be cautious of messages creating urgency or requesting immediate action.
11.  Report Suspicious Messages
Report suspicious messages to your organization’s IT/security team, if applicable.
Use WhatsApp’s reporting and blocking features for suspected malicious accounts.
References
https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-a-new-massive-campaign-spreading-malware-via-whatsapp
https://securelist.com/whatsapp-vbs-rmm-campaign/120290/
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
