WhatsApp Desktop, WhatsApp Web Users Targeted Using Malware Campaign, Kaspersky Warns

By ndtv



An ongoing malware campaign appears to be hitting WhatsApp users in multiple countries. Cybersecurity firm Kaspersky found that a crimeware actor uses WhatsApp accounts to distribute malicious attachments. The issue has affected users across multiple countries, with the highest number of victims found in Malaysia. Kaspersky researchers state that attackers are using WhatsApp accounts which have been previously compromised to deliver malicious attachments that appear to originate from known contacts. The file names are designed to resemble business documents.

Kaspersky Warns of WhatsApp Malware Campaign

Kaspersky Global Research and Analysis Team (GReAT) discovered a malware distribution campaign targeting users of WhatsApp Desktop and WhatsApp Web. Attackers are targeting users through malicious file attachments sent via direct messages. Kaspersky states that the campaign uses compromised WhatsApp accounts to distribute malicious VBScript files.

The report includes screenshots of WhatsApp messages containing the malicious VBScript file. They show that the attackers have named the malicious files to resemble business documents: the discovered files are named as invoices, bank statements, account statements and debt notices.

“Once opened, they trigger a staged infection chain that silently retrieves and executes additional malicious components from external infrastructure,” said Fareed Radzi, security researcher at Kaspersky GReAT.

Kaspersky researchers note that file names are in English and other languages, including Portuguese, French, German, and Malay. The VBScript samples are also said to include extensive comments and metadata designed to imitate genuine Microsoft Windows Update components. The cybersecurity firm claims that victims have been identified in countries including Malaysia, Brazil, Singapore, Taiwan, and Vietnam. Malaysia accounts for the highest number of observed infections. The operation appears to be targeting users in Europe and other regions.

When an affected user opens the file, it triggers a scripted sequence on the device. The initial script creates a working directory under C:\Users\Public\Documents\, then retrieves additional script files from external infrastructure and executes them using Windows Script Host. The malware enables remote access to the system through standard administrative capabilities intended for legitimate IT support and management use.

Kaspersky advises users to remain cautious when receiving unexpected attachments through WhatsApp, even when they come from known contacts. Users should be cautious about opening script and executable file types, such as .vbs, .vbe, .exe, .bat, .cmd, .js, and .ps1, unless their legitimacy has been independently verified. Kaspersky also recommends using a strong security solution on all computers and mobile devices.
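
As an added example (not from Kaspersky's report or this article), the Python sketch below triages process-creation events for the behaviour described above: Windows Script Host running a script from under C:\Users\Public\Documents\. The Sysmon-style field names `Image` and `CommandLine`, the sample events, and the `high`/`review` labels are assumptions constructed for illustration.

```python
import ntpath
import re

# From the article: the staging location and the script types Kaspersky lists.
STAGING_DIR = r"c:\users\public\documents"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
WSH_EXTS = {".vbs", ".vbe", ".js"}              # listed types that WSH executes

# Splits a command line into quoted or bare arguments.
_ARG = re.compile(r'"([^"]*)"|(\S+)')

def script_args(command_line):
    """Yield normalised, lower-cased paths of arguments with a WSH script extension."""
    for quoted, bare in _ARG.findall(command_line):
        # normpath converts '/' to '\' and collapses '..' segments,
        # so path tricks cannot hide the real location.
        path = ntpath.normpath(quoted or bare).lower()
        if ntpath.splitext(path)[1] in WSH_EXTS:
            yield path

def classify(event):
    """Return 'high', 'review' or None for one process-creation event."""
    if ntpath.basename(event["Image"]).lower() not in SCRIPT_HOSTS:
        return None
    scripts = list(script_args(event["CommandLine"]))
    if not scripts:
        return None
    # Script run from the staging location the article describes.
    if any(p.startswith(STAGING_DIR + "\\") for p in scripts):
        return "high"
    # Any other script launched by WSH: verify before trusting (assumed label).
    return "review"

# Constructed sample events; not taken from any real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\stage\update.vbs"'},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe //B C:/Users/alice/Downloads/../../Public/Documents/x/next.VBE'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\Invoice 2024.vbs"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe C:\Users\Public\Documents\notes.vbs'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "|", ev["CommandLine"])
```
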


