WhatsApp-Based Malware Spreads via Compromised Accounts in Brazil

VTA-004539 – WhatsApp-Based Malware Spreads via Compromised Accounts in Brazil

A new malware campaign called Water Saci, with its main variant known as SORVEPOTEL, has been discovered spreading through WhatsApp Web. The attack begins when victims receive a ZIP file from one of their contacts, making it seem trustworthy. Once opened, a hidden shortcut file runs scripts that download and install the malware on the victim’s computer.

What makes this malware especially dangerous is its self-propagation. After infection, it hijacks the victim’s active WhatsApp Web session and automatically sends the same malicious ZIP file to all of their contacts and groups, allowing it to spread rapidly across trusted social circles. Beyond spreading itself, Water Saci also monitors users’ online activity, especially on banking and financial websites, where it displays fake login screens to steal credentials.

The malware drops various files, including PowerShell scripts, batch files, and .NET executables, and even uses browser automation tools like Selenium to control WhatsApp Web. It also employs geofencing, activating most of its features only on systems located in Brazil, and includes several evasion techniques to avoid analysis. Water Saci stands out for combining social engineering and automation, using personal trust between WhatsApp contacts as its main weapon for infection and spread.

Severity:
Medium

Attack Surface:
Email, Endpoint, Endpoint OS, File Storage, File Transfer, Infrastructure, Messaging, Online Fraud, Web Application, Web Browser

Techniques:
T1566 – Initial Access
T1204 / T1204.002 – User Execution
T1059.001 – PowerShell
T1105 / T1071.001 – Ingress Tool Transfer / C2 over HTTPS
T1547.001 – Boot or Logon Autostart Execution
T1055 – Process Injection
T1078 – Valid Accounts
T1027 / T1497 – Obfuscation / Anti-analysis checks

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/68e74b95bb900498c3369dd5

References:
1. https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html

SuperPRO’s Threat Countermeasures Procedures:
1. Block known malicious domains such as sorvetenopoate.com, zapgrande.com and adoblesecuryt.com at the firewall or proxy level.
2. Advise users not to open unexpected ZIP or LNK attachments, even if sent by trusted contacts.
3. Disable PowerShell execution for non-administrative users or apply Constrained Language Mode.
4. Monitor for persistence artifacts such as HealthApp-*.bat within startup folders.
5. Update endpoint protection tools to include the latest Trend Micro detections for Water Saci / SORVEPOTEL.
6. Restrict personal messaging applications like WhatsApp Web on corporate networks to minimize lateral spread.
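As an added illustration of countermeasures 1 and 4 (example code, not part of the original advisory or the Trend Micro report), the script below runs two hunt checks over constructed sample data: proxy log lines checked against the blocked domains named above, including their subdomains, and file paths checked for HealthApp-*.bat inside a Windows Startup folder. The log line format and the sample paths are assumptions made for the example.

```python
import fnmatch
from pathlib import PureWindowsPath
# Domains named in countermeasure 1 (values from the advisory, not invented).
BLOCKED_DOMAINS = {"sorvetenopoate.com", "zapgrande.com", "adoblesecuryt.com"}
# Persistence artifact named in countermeasure 4 (compared case-insensitively).
STARTUP_ARTIFACT_GLOB = "healthapp-*.bat"
STARTUP_FOLDER_MARKER = r"\microsoft\windows\start menu\programs\startup"

def domain_is_blocked(host: str) -> bool:
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def flag_proxy_hits(log_lines):
    """Return (client_ip, host) for constructed proxy lines '<ts> <ip> <host> <path>'
    whose destination host is blocked or a subdomain of a blocked domain."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than abort the hunt
        if domain_is_blocked(parts[2]):
            hits.append((parts[1], parts[2]))
    return hits

def flag_startup_artifacts(paths):
    """Return paths matching HealthApp-*.bat inside a Windows Startup folder."""
    flagged = []
    for p in paths:
        wp = PureWindowsPath(p)
        in_startup = STARTUP_FOLDER_MARKER in str(wp.parent).lower()
        if in_startup and fnmatch.fnmatchcase(wp.name.lower(), STARTUP_ARTIFACT_GLOB):
            flagged.append(p)
    return flagged

# Constructed sample data, not real telemetry.
SAMPLE_PROXY_LOG = [
    "2025-10-09T10:00:01Z 10.1.2.3 web.whatsapp.com /",
    "2025-10-09T10:00:07Z 10.1.2.3 cdn.zapgrande.com /update.zip",
    "2025-10-09T10:01:12Z 10.1.2.9 example.com /",
    "2025-10-09T10:02:30Z 10.1.2.9 adoblesecuryt.com /api/checkin",
]
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HealthApp-1234.bat",
    r"C:\Users\alice\Downloads\HealthApp-1234.bat",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]
if __name__ == "__main__":
    print(flag_proxy_hits(SAMPLE_PROXY_LOG), flag_startup_artifacts(SAMPLE_PATHS))
```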

Contributed by: Thivya