New Malware Campaign Exploits WhatsApp Web to Spread Banking Trojan

17 January 2026 Technology

WASHINGTON, D.C. — A sophisticated new malware campaign is leveraging WhatsApp Web to automatically spread a banking Trojan, exploiting trusted contacts to infiltrate Windows users’ systems. Security researchers have identified the campaign, dubbed Boto Cor-de-Rosa, which uses self-propagating ZIP files to deliver the Astaroth banking malware and silently compromise victims’ devices.

The attack begins with a seemingly innocuous ZIP file sent via WhatsApp messages from contacts already in the victim’s network. These files bear random, benign-looking names to avoid suspicion. Once opened, the ZIP contains a Visual Basic script masquerading as a normal document. If executed, the script quietly downloads two additional malware components: the Astaroth banking Trojan, written in Delphi, and a Python-based module that controls WhatsApp Web.
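For defenders triaging attachments of the kind described above, the following added example (not from the researchers or the original article) lists script files inside a ZIP and flags names dressed up as documents. The extension lists beyond `.vbs`, the double-extension and padded-name checks, and all sample file names are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script types Windows runs on double-click. The article names only a Visual
# Basic script (.vbs); the other extensions are an added generalization.
SCRIPT_EXTS = {".vbs", ".vbe", ".wsf", ".wsh", ".js", ".jse", ".hta"}
# Extensions a lure borrows to look like a document (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that is a Windows script."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Windows ignores trailing dots and spaces when resolving the name.
            name = PurePosixPath(info.filename.replace("\\", "/")).name.rstrip(". ")
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
                continue
            reasons = ["script-in-archive"]
            if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
                reasons.append("double-extension")
            # Long whitespace runs push the real extension out of view.
            if "   " in name:
                reasons.append("padded-name")
            findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: harmless text payloads, made-up names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "plain text")
        zf.writestr("552_814_331.pdf.vbs", "' constructed placeholder")
        zf.writestr("scan" + " " * 40 + ".vbs", "' constructed placeholder")
        zf.writestr("docs/report.docx", "not a real docx")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample()):
        print(f["member"], f["reasons"])
```

The check reads only the archive's file listing and never extracts or executes members, so it can run on a mail or download gateway before a user opens the file.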

This Python module is critical to the malware’s rapid spread. It scans the victim’s WhatsApp contacts and automatically sends the infected ZIP file to every conversation, using adaptive messaging that changes according to the time of day. The messages often include friendly greetings and phrases such as “Here is the requested file,” making the communication appear authentic and increasing the likelihood of recipients opening the malicious attachment.

Researchers at cybersecurity firm Acronis have tracked the campaign’s delivery success, noting how the infection becomes self-sustaining once it takes hold. Because the malware operates in the background without obvious signs, many users remain unaware of the breach, allowing the Trojan to harvest sensitive banking information and potentially cause significant financial harm.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts emphasizing the need for vigilance when opening files received through messaging platforms, especially those that come unexpectedly or from contacts whose accounts may have been compromised. The campaign highlights the evolving tactics cybercriminals employ by abusing widely trusted communication tools such as WhatsApp Web.

WhatsApp, owned by Meta Platforms, Inc., remains a popular messaging platform worldwide, with millions relying on its web interface for convenient access. However, as this incident demonstrates, the platform’s integration with browsers can be exploited to facilitate malware propagation.

Experts urge users to ensure their operating systems and antivirus software are up to date and to exercise caution when interacting with unsolicited files, even from familiar contacts. The Federal Bureau of Investigation continues to investigate the campaign and recommends reporting suspicious activity promptly.

As cyber threats grow increasingly complex, the Department of Homeland Security (DHS Cybersecurity Division) stresses the importance of multi-layered defenses and user education to mitigate risks posed by malware campaigns like Boto Cor-de-Rosa. This incident serves as a stark reminder that trusted communication channels can be weaponized, underscoring the need for constant vigilance in the digital age.

Written By
Maya Chen reports on international politics, conflict and diplomacy. She specializes in explaining how global events shape U.S. security, trade and migration, and how decisions made abroad ripple into life at home.
