Cybersecurity researchers are warning about a malware campaign that hijacks WhatsApp Web sessions to steal banking credentials and spread malicious files.
The attack relies on a banking trojan that infects Windows computers after users open malicious ZIP files sent through WhatsApp messages.
Good to Know
Researchers found that victims receive WhatsApp messages containing ZIP files. Once opened, the files trigger a script that downloads the main malware payload.
The malware then takes control of the WhatsApp Web session running on the infected computer. It does not breach WhatsApp servers. Instead, it abuses the active web session to harvest contacts and send malicious files to other users automatically.
The payload runs two modules at the same time. One functions as a traditional banking trojan that steals login credentials from banking websites. The second turns the infected computer into a self-spreading worm that continues distributing malicious files through WhatsApp Web.
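The infection chain described above starts with a ZIP attachment whose contents run a downloader script. The following is an added defensive example, not code from the article or from the researchers, showing how a mail or messaging gateway could triage such archives before a user opens them: it lists the archive members, flags anything with a script or executable extension, and separately flags double-extension disguises (a document-looking name ending in a script extension). The extension lists and the sample file names are assumptions made for the example; the article does not name the script type used in the campaign.

```python
import io
import zipfile

# Extensions that commonly carry a first-stage downloader in archive lures.
# Assumption for this example: the article only says the ZIP "triggers a
# script" without naming its type.
SCRIPT_EXTENSIONS = {
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd",
    ".ps1", ".lnk", ".exe", ".scr",
}

# Extensions a recipient would expect in a harmless attachment; used to spot
# double-extension disguises such as "comprovante.pdf.vbs".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".jpg", ".png", ".xlsx"}


def inspect_zip(data: bytes) -> dict:
    """Triage a ZIP attachment held in memory.

    Returns a dict with the script-like members, the members that also use a
    decoy double extension, and an overall 'suspicious' verdict. The archive
    is only listed, never extracted or executed.
    """
    findings = {"script_members": [], "double_extension": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Look at the base name only; directory components are irrelevant.
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            if len(parts) >= 2 and "." + parts[-1] in SCRIPT_EXTENSIONS:
                findings["script_members"].append(info.filename)
                # "name.pdf.vbs": the second-to-last part is the decoy.
                if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
                    findings["double_extension"].append(info.filename)
    findings["suspicious"] = bool(findings["script_members"])
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Build a ZIP in memory from {name: content}. Used for constructed input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. The "lure" holds a harmless text stub whose name mimics
# a receipt but ends in a script extension; no real payload is involved.
LURE_ZIP = build_sample_zip({"comprovante.pdf.vbs": "' placeholder text, not a script\n"})
BENIGN_ZIP = build_sample_zip({"foto.jpg": b"\xff\xd8\xff\xe0 placeholder bytes"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, inspect_zip(blob))
```

A gateway would quarantine archives where `suspicious` is true and hold double-extension hits for analyst review; the check is cheap because it reads only the central directory, not the member contents.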
The malware is written in Delphi and operates quietly in the background once installed.
Acronis Threat Research Unit named the malware Boto Cor de Rosa. Researchers said the campaign currently targets users in Brazil.
Attackers use Portuguese-language messages tailored to local users, including greetings such as “Bom dia,” to increase the chance of engagement and file downloads.
Researchers advise users to avoid opening attachments from unknown or unexpected contacts. Enabling multi-factor authentication on banking and messaging accounts can reduce the risk of account takeover if credentials are stolen.