Investigation Sparked By Unusual PowerShell Activity
Ziv Mador described discovering the campaign after spotting an unusual PowerShell attempt in a client's environment, which led to a deeper investigation.
The probe uncovered a WhatsApp-distributed banking trojan and a Python-based worm that exfiltrated nearly a million contacts from ~10,000 infected clients.
INSIGHT
Language-Based Geofencing Increases Precision
The campaign focuses on Portuguese-language Windows systems to geofence Brazilian victims and reduce detection noise.
This targeting optimizes yield by limiting execution to communities where WhatsApp propagation and local banks make the trojan effective.
ANECDOTE
Personalized WhatsApp Lure And Dual Payloads
The infection chain uses personalized WhatsApp messages linking to a VBS file that runs on WhatsApp Web and downloads two payloads.
One payload is a Python worm that harvests contacts and sends further messages, and the other is the banking trojan that stays dormant until bank sites are accessed.
Today we have Ziv Mador, VP of Security Research from LevelBlue SpiderLabs, discussing their work on "SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp." Researchers at LevelBlue SpiderLabs have identified a new Brazilian banking Trojan dubbed Eternidade Stealer, spread through WhatsApp hijacking and social engineering campaigns that use a Python-based worm to steal contacts and distribute malicious MSI installers.
The Delphi-compiled malware targets Brazilian victims, profiles infected systems, dynamically retrieves its command-and-control server via IMAP email, and deploys banking overlays to harvest credentials from financial institutions and cryptocurrency platforms. The campaign reflects the continued evolution of Brazil’s cybercrime ecosystem, combining WhatsApp propagation, geofencing, encrypted C2 communications, and process injection to maintain stealth and persistence.