A massive, fast-spreading phishing and malware operation is hitting Brazil, leveraging WhatsApp Web session hijacking, Python-based automation, and an advanced in-memory banking trojan, according to a new analysis from K7 Labs.
K7 Labs reports that the campaign—linked to the broader Water-Saci operations—was first identified “from a tweet about a massive phishing campaign going on against Brazil, spreading the malware via WhatsApp web from the victim’s machine to their contacts by using the open source WhatsApp automation script from Github and also loading a banking trojan into memory.”
This new variant combines multiple scripting languages, anti-analysis techniques, and selective banking targeting to maximize stealth and impact.
The attack begins with a carefully crafted phishing email containing a ZIP archive. Inside is a malicious VBS script heavily obfuscated using character-encoding tricks.
K7 Labs explains that the script “leverages charcode and XOR encoding techniques to evade the Sign based detections.”
Once deobfuscated, the VBS downloader retrieves two components:
- A malicious MSI installer
- A second-stage VBS script
Both are executed immediately on the compromised machine.
The secondary VBS script sets the stage for one of the campaign’s most innovative components: a Python-powered WhatsApp Web spam bot.
According to K7 Labs, the script “drops a .bat script which downloads and installs Python.zip, ChromeDriver.exe and PIP… and executed a Python script whats.py.”
The whats.py script:
- Steals browser session artifacts (cookies, Local Storage, IndexedDB)
- Recreates the user’s existing WhatsApp Web session
- Injects a malicious helper JavaScript file
- Sends malware-laden messages directly to a victim’s contacts
Once active, the injected script uses undocumented WhatsApp Web APIs such as:
- WPP.contact.list()
- WPP.chat.sendTextMessage()
- WPP.chat.sendFileMessage()
It harvests all contacts and filters out business accounts, groups, and specific number patterns.
K7 Labs writes that WhatsApp automation is used “to send a greeting message, then the payload file, and then the final message” to each victim’s contacts.
All harvested contact data and delivery success logs are POSTed to an attacker-controlled PHP server.
Parallel to the WhatsApp worm activity, the MSI installs another set of components:
- An AutoIt loader
- Encrypted payload files (.tda and .dmp)
- Additional scripts for persistence
The AutoIt loader is highly active and stealthy. It:
- Monitors active windows in real time
- Searches for Brazilian banking or crypto apps
- Sends extensive system info to the attacker
- Loads the banking trojan entirely in memory
K7 Labs confirmed: “System information like Computer name, OS info, Username, Local IP, External IP, AntiVirus products… are sent to the attacker’s server.”
The script also identifies dozens of AV products and security tools used by financial institutions across Brazil.
When a victim opens a targeted banking or crypto application, the loader decrypts and decompresses the banking trojan payload using Windows APIs.
After reflective loading, the trojan injects itself into svchost.exe and begins credential theft when banking sessions are active.
Targets include major Brazilian firms such as:
- Itaú
- Bradesco
- Caixa
- Santander
- Banco do Brasil
- Mercado Pago
- Binance
- Coinbase
The in-memory trojan transmits stolen credentials and session data using covert email-based C2. As K7 Labs notes, “It sends info to the attacker’s server using IMAP over TCP once AutoIt finds active windows.” This method hides malicious traffic inside standard email protocols, further evading monitoring systems.
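As an added defensive example (not K7 Labs' code), the following Python sketches how the stages described above could be hunted in endpoint telemetry: the script host dropping a .bat, Python driving WhatsApp Web through ChromeDriver via whats.py, and IMAP-over-TCP connections from the AutoIt loader. The event shape, file names and the mail-client allowlist are constructed assumptions, not indicators from the report.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
IMAP_PORTS = {143, 993}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: tune per estate

# Constructed events in a simplified Sysmon-like shape; not real telemetry.
EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\user\\Downloads\\invoice.vbs"'},
    {"type": "process", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "%TEMP%\\stage2.bat"'},
    {"type": "process", "parent": "cmd.exe", "image": "python.exe",
     "cmdline": "python.exe whats.py"},
    {"type": "process", "parent": "python.exe", "image": "chromedriver.exe",
     "cmdline": "chromedriver.exe --port=9515"},
    {"type": "network", "image": "AutoIt3.exe", "dst_port": 143},
    {"type": "network", "image": "outlook.exe", "dst_port": 993},   # benign
    {"type": "process", "parent": "explorer.exe", "image": "python.exe",
     "cmdline": "python.exe build.py"},                            # benign
]

def hunt(events):
    """Return one alert string per event that matches a stage of the chain."""
    alerts = []
    for e in events:
        img = e.get("image", "").lower()
        parent = e.get("parent", "").lower()
        cmd = e.get("cmdline", "").lower()
        if e["type"] == "process":
            # Stage 2: the VBS, running under a script host, drops and runs a .bat
            if parent in SCRIPT_HOSTS and img == "cmd.exe" and ".bat" in cmd:
                alerts.append(f"script host spawned batch file: {cmd}")
            # Stage 3: Python runs whats.py or drives a browser through ChromeDriver
            if img == "python.exe" and re.search(r"\bwhats\.py\b", cmd):
                alerts.append(f"python executing whats.py: {cmd}")
            if img == "chromedriver.exe" and parent in {"python.exe", "pythonw.exe"}:
                alerts.append(f"chromedriver launched by {parent}: {cmd}")
        elif e["type"] == "network":
            # Stage 4: IMAP-over-TCP traffic from a process that is not a mail client
            if e.get("dst_port") in IMAP_PORTS and img not in MAIL_CLIENTS:
                alerts.append(f"non-mail process {img} -> IMAP port {e['dst_port']}")
    return alerts

if __name__ == "__main__":
    for a in hunt(EVENTS):
        print("ALERT:", a)
```

Run against the constructed events, the benign Outlook IMAP session and the unrelated Python build script produce no alerts, while each of the four campaign stages does.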