Thursday Nov 20 2025 02:10
Cryptocurrency holders in Brazil are urged to exercise extreme caution due to a sophisticated hacking campaign involving a hijacking worm and a banking trojan being spread through WhatsApp messages. According to a new report from Trustwave’s SpiderLabs cybersecurity research team, the banking trojan, dubbed “Eternidade Stealer,” is being disseminated via social engineering tactics on WhatsApp, including “fake government programs, delivery notifications,” messages from compromised contacts, and fraudulent investment schemes.
SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi stated, “WhatsApp remains one of the most exploited communication channels in Brazil’s cybercrime landscape. Over the past two years, malicious actors have refined their tactics, leveraging the platform's widespread popularity to distribute banking trojans and information-stealing malware.”
In simple terms, clicking the worm link in WhatsApp triggers a chain reaction, infecting the victim with both the worm and the banking trojan. The worm hijacks the user's account and retrieves their contact list. It then employs “smart filtering” to ignore business contacts and groups, focusing on individual contacts for a more streamlined operation.
Simultaneously, the banking trojan, a file automatically downloaded onto the victim's device, deploys the Eternidade Stealer in the background. This trojan scans for financial data and login credentials for a range of Brazilian banks, fintech companies, and cryptocurrency exchanges and wallets.
The malware employs a clever method to avoid detection or takedown. Instead of relying on a fixed server address, it uses a pre-set Gmail account to check for new commands via email. This allows the hackers to alter commands by sending new emails.
“A notable feature of this malware is its use of hardcoded credentials to log into its email account, from which it fetches its C2 server. This represents a remarkably intelligent approach to updating its C2, maintaining persistence, and avoiding network-level detection or takedowns. If the malware fails to connect to the email account, it resorts to a hardcoded fallback C2 address,” the report detailed.
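Because the C2 address is fetched from a legitimate mail service, destination blocklists see nothing unusual; what stands out on the endpoint is which process performs the mail login. The sketch below is an added example, not code from the article or the SpiderLabs report. It assumes endpoint telemetry that records the process behind each connection and that the mailbox is read over a standard mail protocol (the report excerpt does not name one); the log rows, process names and allowlist are constructed.

```python
import csv
import io

# Constructed endpoint telemetry: which process opened which connection.
SAMPLE_EVENTS = """host,process,dest_host,dest_port
ws-014,outlook.exe,imap.gmail.com,993
ws-014,chrome.exe,mail.google.com,443
ws-022,thunderbird.exe,imap.gmail.com,993
ws-031,svc_update.exe,imap.gmail.com,993
ws-031,svc_update.exe,203.0.113.45,8443
ws-040,powershell.exe,pop.gmail.com,995
"""

# Assumption: the mailbox is read over a standard mail protocol (the article
# does not name one), so these are the Gmail endpoints and ports of interest.
MAIL_HOSTS = {"imap.gmail.com", "pop.gmail.com", "smtp.gmail.com"}
MAIL_PORTS = {993, 995, 465, 587}
# Assumption: mail clients approved in this environment; adjust locally.
APPROVED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def find_unexpected_mail_logins(events_csv):
    """Return one finding per (host, process) that spoke a mail protocol to
    Gmail without being an approved mail client, together with every other
    destination that same process contacted (candidates for review)."""
    rows = list(csv.DictReader(io.StringIO(events_csv)))
    suspects = set()
    for r in rows:
        if (r["dest_host"].lower() in MAIL_HOSTS
                and int(r["dest_port"]) in MAIL_PORTS
                and r["process"].lower() not in APPROVED_MAIL_CLIENTS):
            suspects.add((r["host"], r["process"].lower()))
    findings = []
    for host, proc in sorted(suspects):
        others = sorted(
            f'{r["dest_host"]}:{r["dest_port"]}' for r in rows
            if (r["host"], r["process"].lower()) == (host, proc)
            and r["dest_host"].lower() not in MAIL_HOSTS)
        findings.append(
            {"host": host, "process": proc, "other_destinations": others})
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_mail_logins(SAMPLE_EVENTS):
        print(finding)
```

Browser access to webmail over port 443 is deliberately not flagged; only non-approved processes speaking mail protocols directly are reported.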
Users of apps like WhatsApp are advised to be wary of any links sent to them, even if from a trusted contact. A useful strategy is to verify the link's legitimacy with the sender through a separate communication channel. Be especially suspicious of links sent unexpectedly with limited context.
Keeping software up to date also helps protect against vulnerabilities present in older versions, and antivirus software may flag suspicious activity.
If a user suspects their account has been compromised, it is crucial to immediately freeze all potential access points to banking and crypto services to mitigate losses. Tracking fund movements can also assist exchanges, researchers, or authorities in tracing the flow of stolen assets, potentially enabling them to freeze hacker-controlled wallets.