The notorious Brazilian banking malware Astaroth has evolved again, this time turning one of the world’s most popular messaging platforms into a weapon. In a new campaign dubbed “Boto Cor-de-Rosa”, researchers from the Acronis Threat Research Unit have discovered that the malware is now exploiting WhatsApp Web to spread itself, automating malicious messages to victims’ contact lists.
This shift marks a disturbing “evolution of banking malware,” moving beyond traditional email lures to exploit the trust inherent in personal messaging.
While Astaroth has plagued Brazilian users for years, this latest iteration introduces a Python-based worm module designed specifically for WhatsApp. The infection begins when a user receives a malicious ZIP archive via the messaging app.

“The file name varies per infection but consistently follows a pattern of digits and hexadecimal characters separated by underscores and dashes,” the report notes, citing examples like 552_516107-a9af16a8-552.zip.
Once the victim extracts the file and executes the disguised Visual Basic script inside, the malware takes root. But instead of just stealing credentials, it turns the infected machine into a spambot.
The new module’s primary goal is propagation. It hijacks the victim’s WhatsApp Web session to retrieve their contact list and “automatically sends malicious messages to each contact to further spread the infection”.
The malware is methodical. It periodically logs statistics to its operators, tracking “the number of messages successfully delivered, the number of failed attempts, and the sending rate measured in messages per minute”.
It even calculates its own efficiency. “After every 50 messages, the script calculates the percentage of contacts processed and the current throughput,” ensuring the attackers have a real-time view of their viral reach.
The attack isn’t limited to spreading malware; it’s also a privacy breach. The report reveals that the component “exfiltrates the victim’s contact list to a remote server,” giving the attackers a database of valid phone numbers for future campaigns.
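As a defender-side illustration of two behaviours described above (the reported ZIP file-name pattern and the high-throughput fan-out of one attachment to many contacts), here is an added example that is not code from the report or from Acronis. The log format, the regex that approximates the file-name pattern, and the rate and recipient thresholds are all assumptions made for this example.

```python
import re
from datetime import datetime

# Approximation of the ZIP name pattern the report describes: runs of digits or hex
# characters separated by underscores and dashes (e.g. 552_516107-a9af16a8-552.zip).
# The regex is an assumption; the report gives only the description and one example.
ZIP_NAME_RE = re.compile(r"^[0-9a-f]+(?:[_-][0-9a-f]+){2,}\.zip$", re.IGNORECASE)

def is_suspicious_zip_name(name: str) -> bool:
    """True when a file name matches the digits/hex-with-separators ZIP pattern."""
    return ZIP_NAME_RE.match(name) is not None

# Constructed outbound-message log format (hypothetical, not from the report):
# "<ISO timestamp> to=<recipient> file=<attachment name or none> status=<delivered|failed>"
LINE_RE = re.compile(r"^(\S+) to=(\S+) file=(\S+) status=(delivered|failed)$")

def analyse_outbound(lines, rate_threshold=10.0, min_recipients=5):
    """Count delivered/failed sends and the send rate, and flag worm-like fan-out:
    one suspicious ZIP reaching >= min_recipients distinct contacts at more than
    rate_threshold messages per minute (elapsed time floored at one minute).
    Both thresholds are assumptions for illustration."""
    delivered = failed = 0
    recipients_by_file = {}
    first = last = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an outbound-message record
        ts = datetime.fromisoformat(m.group(1))
        first, last = (first or ts), ts
        if m.group(4) == "delivered":
            delivered += 1
        else:
            failed += 1
        if is_suspicious_zip_name(m.group(3)):
            recipients_by_file.setdefault(m.group(3), set()).add(m.group(2))
    elapsed_min = (last - first).total_seconds() / 60 if first else 0.0
    rate = (delivered + failed) / max(elapsed_min, 1.0)
    fanout = max((len(r) for r in recipients_by_file.values()), default=0)
    return {"delivered": delivered, "failed": failed, "rate_per_min": round(rate, 2),
            "max_fanout": fanout,
            "flagged": rate > rate_threshold and fanout >= min_recipients}

# Constructed sample: one ZIP pushed to 12 distinct contacts in about half a minute.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i * 3:02d} to=+5511900000{i:02d} "
    f"file=552_516107-a9af16a8-552.zip status={'failed' if i == 7 else 'delivered'}"
    for i in range(12)
]
```

Running `analyse_outbound(SAMPLE_LOG)` flags the session because one matching ZIP reaches 12 contacts at 12 messages per minute, while a single send with no attachment is not flagged.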
Technically, Astaroth remains a “multilanguage modular” threat. The core payload is still written in Delphi, and the installer uses Visual Basic, but the new WhatsApp worm is implemented entirely in Python.
This mix of technologies highlights how threat actors are adapting. “Astaroth’s integration of messaging-based propagation with financial credential theft represents a concerning trend in malware evolution,” the researchers warn. By blending technical innovation with the “psychological manipulation” of receiving a file from a known contact, the attackers significantly increase their success rate.
This campaign serves as a critical reminder that trust on social platforms can be weaponized. “This campaign underscores the importance of user vigilance, particularly when receiving unsolicited files through messaging platforms,” the report concludes.
Organizations and individuals alike must look beyond email security and recognize that the next major threat might arrive in a chat window from a friend.