Eternidade Stealer: A New WhatsApp Threat Exploiting Trust and Deploying Malware

The ubiquity of instant messaging platforms like WhatsApp has unfortunately made them fertile ground for malicious actors. Our analysis reveals a recent and concerning development: the emergence of Eternidade Stealer, a sophisticated banking trojan spreading rapidly through WhatsApp. This malware, identified by Trustwave SpiderLabs researchers, employs advanced social engineering and account hijacking to compromise users, exfiltrate contact information, and deploy further malware. This isn’t just another phishing attempt; it represents a significant escalation in the tactics employed by cybercriminals, particularly within Brazil’s evolving threat landscape.

Understanding the Threat: Eternidade Stealer’s Modus Operandi

Eternidade Stealer distinguishes itself through a multi-stage infection chain designed to maximize its reach and impact. Written in Delphi, a programming language often favored for its efficiency and ease of deployment, this banking trojan demonstrates a clear intent to target financial credentials immediately after compromising a device.

The attack initiates with a compelling social engineering lure presented via WhatsApp. This often involves a hijacked account sending a seemingly legitimate, but malicious, message to contacts. The unsuspecting recipient, trusting the sender, clicks on a deceptive link or opens an attachment, initiating the download of the initial dropper.

Once executed, the malware proceeds to perform key actions:

• Contact Exfiltration: One of the primary functions of Eternidade Stealer is to harvest contact information from the compromised device. This data is then transmitted to an attacker-controlled server, significantly expanding the potential victim pool for subsequent social engineering campaigns.
• Credential Theft: The core objective of Eternidade Stealer is to steal banking credentials and other sensitive financial information. It achieves this through various techniques, including overlay attacks, keylogging, and intercepting sensitive data input.
• Malware Deployment: Beyond stealing data, Eternidade Stealer acts as a platform for deploying additional malware, potentially including remote access trojans (RATs) or other forms of malicious software, further entrenching the attacker’s presence on the compromised system.

The Infection Chain: A Staged Approach

The infection process is a carefully orchestrated series of steps:

1. Initial Compromise: A malicious link or attachment, often disguised as a legitimate file or message, is sent via WhatsApp from a compromised account.
2. Dropper Execution: The victim downloads and executes a small, seemingly innocuous file (the dropper). This dropper is responsible for downloading the main Eternidade Stealer payload.
3. Payload Delivery: The dropper fetches the full Eternidade Stealer executable from a remote server.
4. Persistence and Data Exfiltration: Eternidade Stealer establishes persistence on the infected device, begins exfiltrating contact lists, and actively monitors for opportunities to steal financial credentials.
5. Secondary Malware Deployment: If configured, Eternidade Stealer can download and execute additional malicious modules, expanding its capabilities and potential for damage.

Remediation Actions and Proactive Defense

Defending against advanced threats like Eternidade Stealer requires a multi-layered approach focusing on user education, technical controls, and rapid response. While no specific CVE has been assigned directly to Eternidade Stealer itself (as it’s a malware family, not a software vulnerability), the underlying attack vectors often exploit human vulnerabilities.

Organizations and individuals must take proactive steps to mitigate their risk:

• User Education and Awareness: Train users to recognize and report suspicious messages, especially those originating from unexpected sources or containing unusual requests, even if they appear to come from known contacts. Emphasize the dangers of clicking unknown links or downloading attachments from unverified sources.
• Multi-Factor Authentication (MFA): Implement MFA for all online accounts, especially banking and social media. This significantly reduces the impact of stolen credentials.
• Keep Software Updated: Ensure operating systems, web browsers, and messaging applications (like WhatsApp) are always running the latest versions. Software updates often include security patches for known vulnerabilities that could be exploited in related attack chains.
• Antivirus and Endpoint Detection and Response (EDR): Deploy reputable antivirus software and EDR solutions on all endpoints. Regularly update their definitions and ensure they are active. These tools can help detect and block known malware like Eternidade Stealer.
• Backup Critical Data: Regularly back up important data to an external drive or cloud service. In the event of a successful malware attack, this allows for data recovery without paying a ransom.
• Verify Sender Identity: If a message seems suspicious, even if it’s from a known contact, verify the sender’s identity through an alternative communication channel (e.g., a phone call or a different messaging app) before clicking any links or opening attachments.
• Review App Permissions: Regularly review the permissions granted to installed applications on mobile devices. Restrict unnecessary permissions for messaging apps.

Detection and Analysis Tools

For IT professionals and security analysts, several tools can aid in detecting and analyzing such threats:

Tool Name	Purpose	Link
VirusTotal	File and URL analysis for known malware signatures	https://www.virustotal.com
Any.Run	Interactive sandbox for malware analysis	https://any.run
Ghidra	Software reverse engineering (SRE) suite for analyzing executables	https://ghidra-sre.org
Wireshark	Network protocol analyzer for detecting suspicious network traffic (C2 communication)	https://www.wireshark.org
YARA Rules	Pattern matching for identifying malware families	https://virustotal.github.io/yara/

Key Takeaways for Digital Security

The emergence of Eternidade Stealer highlights the evolving sophistication of cyber threats targeting widely used communication platforms. Its reliance on social engineering through compromised WhatsApp accounts underscores the critical importance of user vigilance and robust security practices. By understanding its multi-stage infection process, implementing strong defensive measures, and staying informed about new threats, individuals and organizations can significantly reduce their susceptibility to such attacks. Constant education and validation are paramount in an environment where trust is frequently weaponized.