- Kaspersky warns of a WhatsApp phishing campaign that spreads malicious VBScript files disguised as business documents
- Running them installs ManageEngine Endpoint Central, giving attackers remote access; localized file names gave the campaign global reach
- The victims include Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam and Malaysia; compromise method remains unknown
WhatsApp users should be careful: there is a phishing campaign underway on the platform that seeks to infect your devices with a legitimate, but unsolicited, endpoint security platform.
Security researchers at Kaspersky recently published a report detailing a campaign that begins with a compromised WhatsApp account. They were unable to determine how these accounts were breached, but discovered that they were being used to reach victims’ contacts and share a VBScript file disguised as a business or financial document.
People who don’t find it strange that their contacts suddenly share business documents and end up running them will get ManageEngine’s Endpoint Central, a unified endpoint management (UEM) and endpoint security platform built to help IT teams manage a fleet of desktops, laptops, servers, mobile devices, and other endpoints, all from a single console.
Two scripts, one malware
In this case, however, they would not be managing anything: they would simply grant remote access to the system to the attackers. Kaspersky says the campaign is quite widespread, with victims located in Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam and Malaysia.
One of the reasons the campaign was so successful internationally is that the file names are translated into several languages, Kaspersky added.
“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor gained access to multiple WhatsApp accounts and used them to distribute malicious VBScript files to contacts in the compromised users’ contact lists,” Kaspersky researchers said.
“At the time of writing, the exact method used to compromise these WhatsApp accounts is still unknown.”
Downloading and executing the malicious files on Windows deploys two scripts: the first disables UAC protections and the second installs the UEM platform. Kaspersky also emphasized that users of WhatsApp on the web must first download the files, whereas in the desktop client the files can be executed directly through Windows Script Host.
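As an added example (not part of the original report or of Kaspersky's tooling), the following Python flags the two behaviours described in this section in constructed Sysmon-style events: Windows Script Host launched on a script file by the desktop messaging client, and the UAC policy value EnableLUA being set to 0. The WhatsApp executable name, the sample paths and the file names are assumptions.

```python
"""Flag WSH launched from the messaging client and UAC being switched off,
over constructed Sysmon-style events (not real telemetry)."""
from typing import Dict, List

WSH_IMAGES = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".wsf", ".js", ".jse")
# Assumed image name of the desktop client; adjust to the environment.
MESSAGING_PARENTS = {"whatsapp.exe"}
# EnableLUA = 0 turns UAC off (real policy value under HKLM).
UAC_VALUE = r"software\microsoft\windows\currentversion\policies\system\enablelua"


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for ev in events:
        if ev["event"] == "ProcessCreate":
            child = image_name(ev["Image"])
            parent = image_name(ev["ParentImage"])
            cmd = ev["CommandLine"].lower()
            if child in WSH_IMAGES and any(ext in cmd for ext in SCRIPT_EXTS):
                sev = "HIGH" if parent in MESSAGING_PARENTS else "MEDIUM"
                alerts.append(f"{sev}: {parent} spawned {child} on script: {ev['CommandLine']}")
        elif ev["event"] == "RegistryValueSet":
            target = ev["TargetObject"].lower()
            # Sysmon renders DWORD data as "DWORD (0x00000000)".
            if target.endswith(UAC_VALUE) and ev["Details"].strip().lower() in {"dword (0x00000000)", "0"}:
                alerts.append(f"HIGH: UAC disabled (EnableLUA=0) by {image_name(ev['Image'])}")
    return alerts


# Constructed sample events; paths and file names are made up.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\WhatsApp\WhatsApp.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\Factura.vbs"'},
    {"event": "RegistryValueSet", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"event": "ProcessCreate", "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cscript.exe //nologo C:\Scripts\inventory.wsf"},
    {"event": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```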
Via BleepingComputer