A New Scam Campaign on WhatsApp Exploits Fake Business Documents to Install Remote Control Software on PCs
A new campaign of cyber attacks is targeting WhatsApp users through fraudulent messages that appear to come from trusted contacts.
According to analyses published by Kaspersky, attackers are leveraging previously compromised accounts to distribute harmful attachments disguised as work documents, invoices, financial statements, or administrative communications.
This malicious activity has been observed in several countries around the world, including Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. The file names are adapted to local languages, a detail that confirms the international nature of the operation.
The attack begins with a heavily obfuscated VBScript file sent as an attachment. When the victim downloads and executes it on a Windows computer, the script starts a chain of automated operations that contact the attackers' infrastructure to retrieve additional components.
The script then modifies the system to weaken certain security protections and downloads an archive containing a copy of ManageEngine Endpoint Central. This software is normally used by IT administrators to manage business devices and networks; in this case, however, it is configured to connect to servers controlled by the attackers, giving them remote access to the compromised computer.
Additional Details on this Series of Scams Occurring on WhatsApp
Experts highlight an important difference between the WhatsApp platforms. Through WhatsApp Web, the file must be downloaded manually before it can be executed, while the desktop application can hand the script directly to Windows Script Host.
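As an added illustration, not from the article or from Kaspersky's analysis, the following Python detection logic flags Windows Script Host launches that match the two delivery paths just described, run over constructed process-creation events; the `WhatsApp.exe` image name, the field layout and the Downloads-folder heuristic are assumptions.

```python
"""Added detection example (not from the article): flag Windows Script Host
launches tied to a messaging client, over constructed process-creation events."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MESSAGING_CLIENTS = {"whatsapp.exe"}   # assumed image name of the desktop client
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}

# Constructed sample events, Sysmon-style fields joined with '|' (not real logs).
SAMPLE_EVENTS = [
    r'Image=C:\Program Files\WindowsApps\WhatsApp.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=WhatsApp.exe',
    r'Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Program Files\WindowsApps\WhatsApp.exe|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\Fattura_2024.vbs"',
    r'Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\Invoice_0042.vbs"',
    r'Image=C:\Windows\System32\cscript.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=cscript.exe //nologo C:\admin\inventory.vbs',
    r'Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Program Files\WindowsApps\WhatsApp.exe|CommandLine=notepad.exe C:\Users\u\Downloads\notes.txt',
]

def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict (assumed field layout)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def script_argument(command_line):
    """Return the first script-file path on the command line, or None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command_line):
        candidate = quoted or bare
        if PureWindowsPath(candidate).suffix.lower() in SCRIPT_EXTENSIONS:
            return candidate
    return None

def classify(event):
    """Return a reason string when the event matches a rule, else None."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in SCRIPT_HOSTS:
        return None
    script = script_argument(event.get("CommandLine", ""))
    if script is None:
        return None
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in MESSAGING_CLIENTS:          # desktop app handing the file to WSH
        return "script host spawned by messaging client: " + script
    if "\\downloads\\" in script.lower():    # saved manually (WhatsApp Web) then run
        return "script host run on a file from Downloads: " + script
    return None

def find_alerts(lines):
    """Events in, one reason string per matching event out (order preserved)."""
    return [r for r in (classify(parse_event(l)) for l in lines) if r]
```

The administrator-run `cscript.exe` event from `C:\admin` is deliberately left unflagged to show the rule's scope; tune `MESSAGING_CLIENTS` and the folder heuristic to your environment.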
Analysts do not definitively attribute the campaign to a specific group. Some elements point to infrastructure already associated with malware such as ValleyRAT and Gh0st RAT, and there are indications that the Chinese language was used, but the evidence gathered does not allow for definitive conclusions.
To reduce risks, users should be cautious of attachments received even from known contacts, always verify the legitimacy of files through alternative channels, and subject every download to an updated antivirus scan before executing it.