Brazilian crypto holders are being warned about a sophisticated hacking campaign that involves a hijacking worm and a banking trojan distributed through WhatsApp messages.
A new report from Trustwave’s cybersecurity research team, SpiderLabs, details how the banking trojan, identified as “Eternidade Stealer,” is being disseminated via social engineering tactics on messaging applications like WhatsApp. The malicious messages often masquerade as fake government programs, delivery notifications, messages from friends, or fraudulent investment groups.
"WhatsApp continues to be one of the most exploited communication channels in Brazil’s cybercrime ecosystem. Over the past two years, threat actors have refined their tactics, using the platform’s immense popularity to distribute banker trojans and information-stealing malware," stated SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi.
The process begins when a victim clicks on a malicious link within a WhatsApp message. This action triggers a chain reaction, infecting the user’s device with both the worm and the banking trojan.
The worm component hijacks the user's WhatsApp account and systematically harvests their contact list. It employs "smart filtering" to skip business contacts and groups, focusing instead on individual contacts so that the malicious message spreads more efficiently.
Concurrently, the banking trojan is automatically downloaded onto the victim's device. This trojan operates in the background, deploying the Eternidade Stealer. The stealer is designed to scan for financial data and login credentials for a wide array of Brazilian banks, fintech services, crypto exchanges, and digital wallets.
The malware also features a mechanism to evade detection and disruption. Instead of relying on a fixed server address, it logs into a pre-configured Gmail account and reads its current command-and-control (C2) address from email. This lets the attackers update their infrastructure remotely simply by sending a new email, maintaining persistence and sidestepping network-level detections or takedowns of any single server.
"One notable feature of this malware is that it uses hardcoded credentials to log into its email account, from which it retrieves its C2 server. It is a very clever way to update its C2, maintain persistence, and evade detections or takedowns on a network level. If the malware cannot connect to the email account, it uses a hardcoded fallback C2 address," the report explains.
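The C2-over-email behaviour described above gives defenders a simple telemetry signal: a process that is not a known mail client opening an IMAP or SMTP session to Gmail, followed by a direct connection to a raw IP address (the fallback pattern the report mentions). The script below is an added illustration written for this article, not code from the Trustwave report; the log format, the process allowlist, the host names and the sample log lines are all constructed assumptions, and none of the addresses are indicators from the report.

```python
"""Heuristic detection of email-based C2 retrieval over endpoint
network-connection logs. Added example; log format and sample data
are constructed, not taken from the report."""
import re
from collections import defaultdict

# Processes allowed to talk IMAP/SMTP to Gmail on a workstation.
# Assumption: tune this allowlist per environment.
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "mail.exe"}

# Gmail mail-access endpoints and the ports a mail client would use.
GMAIL_HOSTS = {"imap.gmail.com", "smtp.gmail.com"}
MAIL_PORTS = {993, 465, 587}

# Assumed log line shape (hypothetical EDR export):
# <ts> host=<host> proc=<path> dst=<host-or-ip>:<port> action=<connect|block>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+):(?P<port>\d+) action=(?P<action>\S+)$"
)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev


def find_suspicious(lines):
    """Return (host, proc, reason) findings for:
    1) a non-mail-client process connecting to a Gmail mail endpoint, and
    2) the same process afterwards connecting straight to a raw IPv4
       address, matching the hardcoded-fallback-C2 pattern."""
    findings = []
    gmail_talkers = defaultdict(set)  # (host, proc) -> Gmail dsts seen
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "connect":
            continue
        key = (ev["host"], ev["proc"])
        proc_name = ev["proc"].rsplit("\\", 1)[-1].lower()
        if ev["dst"] in GMAIL_HOSTS and ev["port"] in MAIL_PORTS:
            if proc_name not in ALLOWED_MAIL_CLIENTS:
                gmail_talkers[key].add(ev["dst"])
                findings.append((ev["host"], ev["proc"],
                                 f"non-mail-client session to {ev['dst']}:{ev['port']}"))
        elif key in gmail_talkers and IPV4_RE.fullmatch(ev["dst"]):
            findings.append((ev["host"], ev["proc"],
                             f"direct-IP connection to {ev['dst']}:{ev['port']} "
                             "after Gmail session by unexpected process"))
    return findings


# Constructed sample log lines (illustrative only; 203.0.113.10 is a
# documentation-range address, not an indicator from the report).
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z host=ws01 proc=C:\\Outlook\\outlook.exe "
    "dst=imap.gmail.com:993 action=connect",
    "2025-01-01T10:01:00Z host=ws02 proc=C:\\Users\\ana\\AppData\\Roaming\\update.exe "
    "dst=imap.gmail.com:993 action=connect",
    "2025-01-01T10:01:05Z host=ws02 proc=C:\\Users\\ana\\AppData\\Roaming\\update.exe "
    "dst=203.0.113.10:443 action=connect",
    "2025-01-01T10:02:00Z host=ws03 proc=C:\\Windows\\System32\\svchost.exe "
    "dst=www.example.com:443 action=connect",
    "2025-01-01T10:03:00Z host=ws04 proc=C:\\Temp\\dropper.exe "
    "dst=imap.gmail.com:993 action=block",
]

if __name__ == "__main__":
    for host, proc, reason in find_suspicious(SAMPLE_LOG):
        print(f"[ALERT] {host} {proc}: {reason}")
```

Run against the constructed sample, the script alerts twice on ws02 (the unexpected IMAP session and the follow-on direct-IP connection) and stays silent for the allowlisted mail client, the ordinary web traffic, and the already-blocked attempt. In production the allowlist and the second-stage rule would need tuning, since legitimate automation occasionally uses Gmail over IMAP, but the combination of the two signals is far rarer than either alone.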
How to Stay Safe
Users of messaging applications like WhatsApp are strongly advised to exercise extreme caution with any links they receive, even if they originate from a known contact.
A practical safety measure is to verify suspicious links by contacting the sender through a separate communication channel to confirm the legitimacy of the link. It is also prudent to be wary of links that arrive unexpectedly and lack sufficient context.
Maintaining up-to-date software on devices is crucial, as it can help protect against vulnerabilities that target older versions. Additionally, installing and regularly updating anti-virus software can assist in flagging potential threats.
In the event of a suspected hack, it is imperative to immediately freeze all potential access points to banking and cryptocurrency services to prevent further unauthorized transactions. Tracking the movement of funds can also aid exchanges, researchers, and authorities in tracing the stolen assets and potentially freezing the hackers' wallets.