Researchers at Trustwave SpiderLabs have reported that a banking trojan known as "Eternidade Stealer" is being distributed through a campaign that combines social engineering with WhatsApp account hijacking to steal financial data from Brazilian victims. The malware is geo-targeted: it checks whether the operating system language is Brazilian Portuguese and, if it is not, removes itself.
WhatsApp worm + Eternidade Stealer
The attacker sends files or links over WhatsApp, mostly from WhatsApp Web, disguised as fake government programmes, delivery notifications, messages from friends, or invitations to fraudulent investment groups; the payload is a Python-based worm. Once a victim opens the file or link, the worm infects the device and delivers the Delphi-based banking trojan Eternidade Stealer. The trojan runs in the background and scans for financial data and logins for a range of Brazilian banks, fintechs, cryptocurrency exchanges and wallets. Meanwhile, the worm keeps using the hijacked WhatsApp session to send itself to the victim's contacts and groups, so it spreads rapidly. Another distinctive trait is that the malware has no fixed command-and-control server: it logs into a pre-set Gmail account and reads the subject or body of the most recent email in that inbox to retrieve the current C2 address, an email "dead drop" that the operator can update at will.
“One notable feature of this malware is that it uses hardcoded credentials to log into its email account, from which it retrieves its C2 server. It is a very clever way to update its C2, maintain persistence, and evade detections or takedowns on a network level. If the malware cannot connect to the email account, it uses a hardcoded fallback C2 address,” read the report. Once installed, it can record keystrokes, take screenshots, and steal files.
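To make the two behaviours concrete, the following is an added example written for this article, not code from the SpiderLabs report or from the malware itself. It models the dead-drop resolver offline against a constructed mailbox (newest message wins, subject checked before body, hardcoded fallback when the mailbox is unreachable or holds no address) and pairs it with the hunt an analyst would run: flagging processes outside a mail-client allowlist that talk to IMAP/POP ports. The mailbox contents, the fallback address, the telemetry rows and the allowlist are all assumptions made for the demonstration.

```python
"""Offline model of an e-mail 'dead drop' C2 lookup, plus a matching hunt.

Everything here is constructed for illustration: the mailbox, the addresses
(RFC 5737 documentation ranges) and the telemetry are NOT real campaign data.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Assumed placeholder standing in for the hardcoded fallback C2 the report mentions.
FALLBACK_C2 = "198.51.100.10:443"

# Constructed sample mailbox (raw RFC 822 messages) standing in for what the
# malware would fetch over IMAP; in the real technique these arrive from Gmail.
SAMPLE_MAILBOX = [
    b"From: op@example.invalid\r\nSubject: hi\r\n"
    b"Date: Mon, 03 Nov 2025 10:00:00 +0000\r\n\r\n"
    b"old address 203.0.113.5:8080\r\n",
    b"From: op@example.invalid\r\nSubject: update 203.0.113.77:4443\r\n"
    b"Date: Wed, 05 Nov 2025 09:30:00 +0000\r\n\r\n"
    b"nothing useful in the body\r\n",
]

# host:port, where host is an IPv4 address or a dotted DNS name
HOSTPORT_RE = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+):(\d{2,5})\b", re.I
)


def _plain_text(msg):
    """Concatenate the text/plain parts of a message (walk() also handles multipart)."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def extract_c2(raw_messages):
    """Resolve the C2 the way the report describes: take the newest message,
    look in the subject first, then the body; use the fallback if the mailbox
    is unreachable/empty or holds no address."""
    if not raw_messages:          # models 'cannot connect to the email account'
        return FALLBACK_C2
    msgs = [email.message_from_bytes(raw) for raw in raw_messages]
    epoch = "Thu, 01 Jan 1970 00:00:00 +0000"   # undated messages sort last
    newest = max(msgs, key=lambda m: parsedate_to_datetime(m["Date"] or epoch))
    for text in (newest["Subject"] or "", _plain_text(newest)):
        match = HOSTPORT_RE.search(text)
        if match:
            return f"{match.group(1)}:{match.group(2)}"
    return FALLBACK_C2


# Hunting side: constructed endpoint telemetry as (process, destination, port).
SAMPLE_CONNECTIONS = [
    ("outlook.exe", "imap.gmail.com", 993),
    ("updater.exe", "imap.gmail.com", 993),   # non-mail process speaking IMAPS
    ("chrome.exe", "mail.google.com", 443),
    ("svchost.exe", "pop.gmail.com", 995),    # likewise, over POP3S
]
MAIL_PORTS = {110, 143, 993, 995}
# Assumed per-environment allowlist of legitimate mail clients.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def hunt_mail_c2(connections):
    """Flag processes outside the mail-client allowlist reaching IMAP/POP ports,
    which is the network footprint this dead-drop technique leaves behind."""
    return [
        (proc, host, port)
        for proc, host, port in connections
        if port in MAIL_PORTS and proc.lower() not in KNOWN_MAIL_CLIENTS
    ]


if __name__ == "__main__":
    print("resolved C2:", extract_c2(SAMPLE_MAILBOX))
    print("unreachable mailbox ->", extract_c2([]))
    for hit in hunt_mail_c2(SAMPLE_CONNECTIONS):
        print("suspicious:", hit)
```

The hunt deliberately keys on destination port rather than on the Gmail hostname, since the same technique works with any mailbox provider; tuning the allowlist to the mail clients actually deployed in an environment is what keeps the query quiet.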
Trend of cyber attacks in Brazil
Brazil has been hit by several such campaigns that abuse ubiquitous messaging platforms like WhatsApp. In September, another campaign dubbed Water Saci targeted Brazilians with a worm that propagates via WhatsApp Web, known as SORVEPOTEL, which acts as a conduit for Maverick and Coyote, both .NET banking trojans. That campaign is reportedly ongoing, and the worm is continuously being improved to target victims in Brazil and Argentina.

