Microsoft · Meta · Russia ·

Don't open that WhatsApp message, Microsoft flags

2 min read

Compiled by KHAO Editorial — aggregated from 1 outlet. See llms.txt for citation guidance.

According to Microsoft, the campaign began in late February. The attack chain starts with a WhatsApp message that delivers malicious Visual Basic Script (VBS) files.

Summary

The attacker then tricks the message recipient into executing the malicious file on their system. Once executed, the script creates hidden folders in C:\ProgramData and drops renamed copies of legitimate Windows utilities, for example curl.exe renamed as netapi.dll and bitsadmin.exe renamed as sc.exe. Using legitimate Windows tools for malicious purposes lets attackers blend in with normal network activity; defenders call this "living off the land". In this case, however, the renaming left a detectable trace. "Notably, these renamed binaries retain their original PE (Portable Executable) metadata, including the OriginalFileName field which still identifies them as curl.exe and bitsadmin.exe," Microsoft's researchers wrote in a Tuesday blog.
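The mismatch Microsoft describes, a binary whose on-disk name differs from the OriginalFilename stored in its PE version resource, can be hunted for directly on an endpoint. The following PowerShell is an added example written for this page; it is not code from the article or from Microsoft's blog. It walks the directory named in the report (the root path, the file extensions and the "known" name list are assumptions) and reports every file whose version resource disagrees with its file name.

```powershell
# Added example (not from the article or Microsoft's blog): hunt for renamed
# LOLBins by comparing each file's on-disk name with the OriginalFilename field
# of its PE version resource. $Root and the extension filter are assumptions;
# the two names in $KnownLolbins are the ones the report mentions.
param(
    [string]$Root = 'C:\ProgramData',
    [string[]]$KnownLolbins = @('curl.exe', 'bitsadmin.exe')
)

# -Force includes hidden directories, which the report says the script creates.
# -File skips directories; -Include limits the walk to PE files.
Get-ChildItem -Path $Root -Recurse -Force -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        # FileVersionInfo exposes the VERSIONINFO resource; OriginalFilename is
        # set at build time and survives a plain rename on disk.
        $original = $_.VersionInfo.OriginalFilename
        if ([string]::IsNullOrWhiteSpace($original)) { return }   # no version resource, nothing to compare

        # -ne is case-insensitive in PowerShell, so curl.exe vs CURL.EXE is not a hit.
        if ($original.Trim() -ne $_.Name) {
            [pscustomobject]@{
                Path             = $_.FullName
                OnDiskName       = $_.Name
                OriginalFilename = $original
                KnownLolbin      = ($original.Trim() -in $KnownLolbins)
                Sha256           = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                LastWrite        = $_.LastWriteTimeUtc
            }
        }
    } |
    Sort-Object -Property KnownLolbin -Descending |
    Format-Table -AutoSize
```

Expect some benign mismatches: vendors sometimes build a binary under one name and ship it under another, so treat the output as a hunting lead rather than a verdict. Rows with KnownLolbin set to True, or any row where OriginalFilename names a well-known Windows utility but the on-disk name looks like a system DLL or service binary, are the ones worth pulling hashes for and checking against the legitimate copies under C:\Windows\System32.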

Read full article at The Register →