Don't open that WhatsApp message, Microsoft warns

Photo: The Register
Cybercriminals can gain up to 100% control over a system and full access to private data by exploiting a new trust-based vulnerability in the WhatsApp messenger. Microsoft is warning of a campaign ongoing since February 2024, in which attackers send malicious Visual Basic Script (VBS) files disguised as installers. The attack is exceptionally insidious because it is often initiated from compromised accounts belonging to the victim's friends, which drastically increases the effectiveness of the social engineering. The infection mechanism relies on the "living off the land" technique – the attackers use authentic Windows system tools, such as curl.exe or bitsadmin.exe, merely renaming them to deceive antivirus software. Once the script is executed, the malware downloads further components from trusted clouds such as AWS or Tencent Cloud and then modifies User Account Control (UAC) settings in pursuit of administrative privileges. The final step installs fake versions of popular programs, such as AnyDesk or WinRAR, which serve as a backdoor into the computer. For users worldwide, this demands extreme vigilance even towards messages from known contacts. Key warning signs are the lack of a digital signature on MSI installers and unusual file extensions arriving via messaging apps. In an era of such advanced multi-stage attacks, traditional security measures may fail if human defensive instincts falter.
In the world of cybersecurity, trust in well-known communication platforms is often the weakest link in the defense chain. Microsoft has just issued an urgent warning about a new, multi-stage campaign targeting WhatsApp users. Attackers are using the popular messenger to spread malicious Microsoft Installer (MSI) packages, which allows them to take full control of infected machines and steal sensitive data.
The campaign, which began in late February, relies on the precise use of social engineering. Cybercriminals send messages containing infected Visual Basic Script (VBS) files. The manipulation mechanism is simple but effective: victims receive files from people who appear to be their known contacts — suggesting the takeover of previous WhatsApp sessions — or are subjected to time pressure through alarming message content, forcing the quick opening of an attachment.
Camouflage within the system, or Living off the Land
What sets this operation apart from others is the way the malware attempts to "disappear" within the operating system. After running the VBS script, the malware creates hidden folders in the C:\ProgramData location and places legitimate Windows tools there, giving them fake names. For example, the standard curl.exe tool is renamed to netapi.dll, and bitsadmin.exe to sc.exe.
This strategy, known in the industry as "living off the land", involves using authentic system components for malicious purposes, making it difficult for traditional network traffic monitoring systems to detect anomalies. However, as Microsoft researchers note, the attackers made a mistake. Despite renaming the files, they did not modify the PE (Portable Executable) metadata. The OriginalFileName field still points to the original names of the tools, allowing solutions like Microsoft Defender to instantly identify the discrepancy and block the process.
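The OriginalFileName discrepancy described above is a detection a defender can automate. The following Python script is an added example, not code from the article or from Microsoft; it runs the check over constructed Sysmon-style process-creation events (Sysmon Event ID 1 records both the on-disk Image path and the OriginalFileName from the PE version resource). The simplified "Field: value|Field: value" event layout, the folder name svc_cache and the user names are assumptions made for the example; only the curl.exe to netapi.dll and bitsadmin.exe to sc.exe renames come from the report.

```python
from pathlib import PureWindowsPath

# Constructed sample events in a simplified "Field: value|Field: value" layout
# modelled on Sysmon Event ID 1 (ProcessCreate). Paths, the folder name
# svc_cache and the user names are made up for this example; only the
# curl.exe -> netapi.dll and bitsadmin.exe -> sc.exe renames follow the report.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\curl.exe|OriginalFileName: curl.exe|User: CORP\\alice",
    "Image: C:\\ProgramData\\svc_cache\\netapi.dll|OriginalFileName: curl.exe|User: CORP\\alice",
    "Image: C:\\ProgramData\\svc_cache\\sc.exe|OriginalFileName: bitsadmin.exe|User: CORP\\alice",
    "Image: C:\\Windows\\System32\\sc.exe|OriginalFileName: sc.exe|User: NT AUTHORITY\\SYSTEM",
    "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\setup.tmp|OriginalFileName: -|User: CORP\\alice",
]

# The two tools the report says were renamed; extend with other LOLBins as needed.
KNOWN_LOLBINS = {"curl.exe", "bitsadmin.exe"}
# Directories where these tools legitimately live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Staging location named in the report.
PROGRAMDATA = "c:\\programdata\\"


def parse_event(line):
    """Split one event line into a dict. Only the first ':' separates key from
    value, so the drive letter inside a Windows path survives intact."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def check_event(event):
    """Return a list of findings for one parsed event (empty if nothing suspicious)."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    on_disk = PureWindowsPath(image).name
    findings = []

    # Sysmon writes "-" when the PE carries no version resource. That is an
    # unknown, not a mismatch, so it is deliberately not flagged here.
    has_original = original not in ("", "-")

    # 1. The core check from the report: the on-disk name differs from the
    #    OriginalFileName the attackers left untouched in the PE metadata.
    if has_original and original.lower() != on_disk.lower():
        findings.append(f"renamed binary: {on_disk} carries OriginalFileName {original}")

    # 2. A known LOLBin (identified by its true name) executing outside the
    #    system directories where it is normally found.
    if has_original and original.lower() in KNOWN_LOLBINS \
            and not image.lower().startswith(SYSTEM_DIRS):
        findings.append(f"{original} executed from non-system path {image}")

    # 3. Any executable launched from under C:\ProgramData.
    if image.lower().startswith(PROGRAMDATA):
        findings.append(f"execution from ProgramData: {image}")

    return findings


def scan(lines):
    """Run every check over raw event lines; returns {image: [findings]} for hits only."""
    hits = {}
    for line in lines:
        event = parse_event(line)
        findings = check_event(event)
        if findings:
            hits[event["Image"]] = findings
    return hits


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        print(image)
        for finding in findings:
            print("  -", finding)
```

On the constructed input, only the two binaries staged under C:\ProgramData are reported, each with all three findings, while the genuine curl.exe and sc.exe in System32 and the versionless setup.tmp pass clean. In a real deployment the same logic would be applied to Sysmon or EDR process-creation telemetry, and the comparison should stay case-insensitive because Windows file names are.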
The cloud as a malicious code distribution server
The criminals showed great creativity in building their delivery infrastructure. Instead of using their own suspicious servers, they utilize trusted cloud services to download subsequent stages of the infection. Identified platforms include:
- AWS (Amazon Web Services)
- Tencent Cloud
- Backblaze B2
Additional scripts, such as auxs.vbs and 2009.vbs, are downloaded from these sources. The use of legitimate cloud infrastructure makes the network traffic generated by the malware look like standard corporate activity to IT administrators. Subsequently, the malware attempts to modify User Account Control (UAC) settings, aiming to run processes with elevated privileges, which ensures its persistence even after a computer restart.
Legitimate tools as the final payload
In the final phase of the attack, MSI installation packages are delivered to the disk. Surprisingly, these are not custom-made viruses, but modified versions of commonly used programs. Microsoft identified four main installers used in this campaign: Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi. The use of AnyDesk — a legitimate remote desktop tool — allows attackers to gain control over the system without raising suspicion from antivirus software, which only sees it as remote work.
"The use of well-known and trusted remote management tools allows criminals to hide in plain sight. However, the lack of a digital signature on these installers is a clear warning signal for defense systems," emphasize the experts from Redmond.
The end result is the attackers gaining full remote access. This allows for data theft, the deployment of ransomware, or the inclusion of the infected machine into a botnet used to conduct further large-scale attacks. Although Microsoft promotes its security solutions, the human factor remains a key element of protection.
Education more important than algorithms
The analysis of this campaign shows that technology, although advanced, still needs support in the form of an aware user. The most effective method of defense against social engineering attacks remains regular employee training. Microsoft recommends placing particular emphasis on recognizing suspicious attachments, even if they come from platforms considered private or secure, such as WhatsApp.
In the era of the professionalization of cybercrime, the line between private and professional communication is blurring, which criminal groups are eagerly exploiting. The scale and precision of the described attack suggest that in the near future, we will witness the increasingly frequent use of legitimate system tools and cloud services to mask malicious activity. Companies that do not invest in a security culture and do not teach their teams a critical approach to every file received will become the easiest targets for a new generation of digital burglars.