Received invoice on WhatsApp? It may be malware
What's the story
The Indian Computer Emergency Response Team (CERT-In) has issued a cybersecurity alert regarding a new malware campaign. The attack is being propagated through WhatsApp by using fake invoices, bank statements, and other business-related documents. CERT-In has warned users against opening suspicious attachments, even if they are from known contacts. The campaign mainly targets WhatsApp Desktop and Web users.
Account compromise
Cybercriminals hijacking legitimate WhatsApp accounts
According to CERT-In, cybercriminals are hijacking legitimate WhatsApp accounts to distribute malicious attachments. These attachments are disguised as common business documents with names like invoices, payment records, bank statements, account statements, debt notices, and acknowledgement receipts. The filenames have been localized in several languages including English, Portuguese, French, German, and Malay. This suggests that the campaign has a wide reach across different regions.
Deceptive tactics
Malicious scripts disguised as Windows update components
The malicious scripts in this campaign are designed to look like legitimate Microsoft Windows Update components. They contain comments and metadata that further disguise their true nature. When a user opens an infected VBScript file, it triggers a series of actions on their Windows computer, including creating a working directory under the Public Documents folder and downloading additional scripts from attacker-controlled infrastructure.
Remote control
Potential impact of successful attack
The malware from the initial VBScript file downloads and extracts a compressed archive before installing a Remote Monitoring and Management (RMM) package. This gives attackers remote access to the compromised device. CERT-In has warned that a successful attack could lead to unauthorized remote access, credential theft, deployment of additional malware, data exfiltration, lateral movement within organizational networks, and business disruption potentially leading to financial losses.
Safety measures
CERT-In's recommendations for users
CERT-In has advised users not to open unexpected attachments received through WhatsApp, especially those with .vbs extensions or claiming to be invoices/bank statements. Users should verify the authenticity of such files with the sender through another communication channel before opening them. The agency also recommends keeping Windows systems and antivirus software up-to-date, enabling endpoint protection, and educating users about phishing/social engineering attacks.