Python Malware Campaign Hits WhatsApp Users in Brazil

A new cybercrime campaign is abusing WhatsApp to distribute the Eternidade Stealer trojan across Brazil. The operation combines aggressive social engineering with automated message forwarding to harvest financial and personal information from unsuspecting users.

Why WhatsApp Is a Major Target in Brazil

Brazil is one of WhatsApp's largest markets, which makes it fertile ground for large-scale attacks. Because the platform is relied on for daily communication, a single compromised account gives attackers access to an extensive contact network, enabling fast propagation of malicious files.

How the Infection Starts

Researchers at Trustwave SpiderLabs found that the operation begins with an obfuscated Visual Basic Script. This script deploys two separate components: a Python-based WhatsApp worm and an MSI installer that delivers the Delphi-based Eternidade Stealer payload.

Python Worm Hijacks WhatsApp Web Sessions

The Python module abuses the open-source WPPConnect tool to take control of the victim's WhatsApp Web session. Once active, it extracts the victim's contact list and filters out business accounts and large groups to avoid raising suspicion.

Auto-Messaging Tactics Increase Reach

The malware then pushes malicious attachments to every remaining contact. To appear genuine, it uses personalised greetings and time-dependent messages, making recipients more likely to open the infected file.

Evasion Tactics Used by Attackers

Trustwave researchers found that the stealer uses IMAP to pull updated command-and-control server details from a terra.com.br mailbox. This lets the operators change their infrastructure on the fly and survive takedowns, a technique also seen in the Water Saci campaign.

Designed to Target Only Local Users

The malware checks the operating system language before running. If the system is not set to Brazilian Portuguese, the stealer exits.
This indicates that the threat actors designed the malware to attack Brazilian users while staying under the radar internationally.

Financial Platforms in the Crosshairs

Once the payload is active, it watches for access to banking and payment platforms such as Bradesco, BTG Pactual, MercadoPago, Binance and MetaMask. When it detects a target platform, it overlays fake windows to harvest usernames, passwords and other sensitive financial data.

Regional Focus With Global Touchpoints

Despite the strict regional targeting, Trustwave identified more than 450 connection attempts from nearly 40 countries. The United States alone accounted for 196 attempts to interact with the threat actor's servers.

Geofencing as a Control Strategy

The infrastructure uses geofencing to permit only Brazilian and Argentine traffic. Any blocked request is rerouted to a generic Google error page. This suggests the attackers want to maintain a controlled operational environment while avoiding unwanted scrutiny.
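The worm's contact filtering and lure generation described above, reconstructed as an added offline example. This is not the campaign's code and it never touches WPPConnect or WhatsApp: the contact list is constructed inline, "sending" only records what would be sent, and the @c.us/@g.us address convention used to tell groups from individuals, the ten-participant cut-off for a "large" group, the greeting text and the attachment name are all assumptions rather than details from the report.

```python
"""Offline reconstruction of the worm's targeting and lure logic.

Added example, not the campaign's code. Nothing is sent; the function
plan_campaign() only returns the (address, message, attachment) triples
the worm would hand to the messaging layer.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumption: groups with at least this many participants count as "large".
# The report says large groups are skipped but gives no number.
LARGE_GROUP_MIN = 10


@dataclass(frozen=True)
class Contact:
    jid: str                 # WhatsApp Web address, user@c.us or group@g.us
    name: str
    is_business: bool = False
    participants: int = 1    # only meaningful for groups


def is_group(jid: str) -> bool:
    # WhatsApp Web group identifiers carry the @g.us suffix.
    return jid.endswith("@g.us")


def select_targets(contacts):
    """Drop business accounts and large groups; de-duplicate by address."""
    chosen, seen = [], set()
    for c in contacts:
        if c.jid in seen:
            continue
        seen.add(c.jid)
        if c.is_business:
            continue
        if is_group(c.jid) and c.participants >= LARGE_GROUP_MIN:
            continue
        chosen.append(c)
    return chosen


def greeting_for(hour: int) -> str:
    """Time-dependent Portuguese greeting for an hour in 0..23."""
    if 5 <= hour < 12:
        return "Bom dia"
    if 12 <= hour < 18:
        return "Boa tarde"
    return "Boa noite"


def build_lure(contact: Contact, now: datetime) -> str:
    """Personalised text: greeting matched to the clock plus the first name."""
    first = contact.name.split()[0] if contact.name.strip() else "amigo"
    # Assumed lure wording ("here is the file I told you about").
    return f"{greeting_for(now.hour)}, {first}! Segue o arquivo que te falei."


def plan_campaign(contacts, now: datetime, attachment: str = "documento.zip"):
    """Return what the worm would send: one (jid, text, attachment) per target."""
    return [(c.jid, build_lure(c, now), attachment) for c in select_targets(contacts)]


# Constructed contact list; numbers and names are fictitious.
CONTACTS = [
    Contact("5511900000001@c.us", "Ana Souza"),
    Contact("5511900000002@c.us", "Loja Exemplo", is_business=True),
    Contact("120363000000000001@g.us", "Família", participants=4),
    Contact("120363000000000002@g.us", "Bairro", participants=80),
    Contact("5511900000001@c.us", "Ana Souza"),   # duplicate entry
]

if __name__ == "__main__":
    for jid, text, attachment in plan_campaign(CONTACTS, datetime(2025, 11, 20, 9, 30)):
        print(jid, "|", text, "|", attachment)
```

Two things in the output are worth noticing from a defender's point of view: the small family group is still a target, so "groups are skipped" is not a safe assumption when triaging who may have received the file, and the greeting changes with the local clock, so the same lure looks different in screenshots collected at different times of day.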
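The IMAP dead-drop technique from the evasion section, as an added example that is not the stealer's code: a parser that pulls C2 URLs out of a constructed mailbox message, followed by a detection check over constructed Sysmon-style network events that flags IMAP connections from any process that is not a known mail client. The message layout, the c2=/backup= keys, the process names, the event fields and the allowlist of mail clients are assumptions, not details from the report; the only fact taken from the page is that the drop lives in a terra.com.br mailbox reached over IMAP.

```python
"""Mailbox dead-drop C2 resolution and a matching detection rule.

Added example; not the stealer's code. The message and the events are
constructed inline so the script runs offline.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed message of the kind a dead-drop mailbox might hold. The
# key=value layout is an assumption; the real format is not described.
RAW_MESSAGE = b"""From: ops@example.invalid
To: drop@terra.com.br
Subject: cfg
Content-Type: text/plain; charset=utf-8

c2=https://203.0.113.10:8443/gate
backup=http://198.51.100.7/gate
"""

C2_LINE = re.compile(r"^(?P<key>c2|backup)=(?P<url>\S+)$", re.MULTILINE)


def extract_c2(raw: bytes) -> dict:
    """Parse an RFC 822 message and return {key: url} for well-formed C2 lines.

    A real client would fetch `raw` with imaplib after logging in to the
    mailbox; here it is the constructed message above.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    found = {}
    for m in C2_LINE.finditer(body):
        url = urlparse(m.group("url"))
        # Only accept http(s) URLs with a host; anything else is noise.
        if url.scheme in ("http", "https") and url.hostname:
            found[m.group("key")] = url.geturl()
    return found


# Constructed Sysmon-style network events (Event ID 3 fields, simplified).
EVENTS = [
    {"image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dst_host": "imap.terra.com.br", "dst_port": 993},
    {"image": r"C:\Users\ana\AppData\Local\Temp\updater.exe",   # assumed name
     "dst_host": "imap.terra.com.br", "dst_port": 993},
    {"image": r"C:\Windows\System32\svchost.exe",
     "dst_host": "update.microsoft.com", "dst_port": 443},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_host": "imap.terra.com.br", "dst_port": 143},
]

# Assumed allowlist of processes that legitimately speak IMAP on a desktop.
MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}
IMAP_PORTS = {143, 993}


def suspicious_imap(events) -> list:
    """Return the executable names that opened IMAP but are not mail clients."""
    hits = []
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["dst_port"] in IMAP_PORTS and exe not in MAIL_CLIENTS:
            hits.append(exe)
    return hits


if __name__ == "__main__":
    print("C2 from dead drop:", extract_c2(RAW_MESSAGE))
    print("Non-mail-client IMAP connections:", suspicious_imap(EVENTS))
```

The detection side is deliberately keyed on the process rather than on the mailbox provider: the operators can move the drop to another free mail service without touching the stealer's behaviour, but a non-mail binary opening port 993 or 143 remains unusual on an endpoint, and that is the durable signal.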