- Kaspersky warns of a WhatsApp phishing campaign that spreads malicious VBScript files disguised as business documents
- Running them installs ManageEngine Endpoint Central, giving attackers remote access to the machine; localized filenames extended the campaign's global reach
- Victims span Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia, Vietnam and Malaysia; compromise method remains unknown
WhatsApp users beware – there is a phishing campaign underway on the platform that seeks to infect your devices with a legitimate but unsolicited endpoint security platform.
Security researchers at Kaspersky recently published a report detailing a campaign that starts from a compromised WhatsApp account. They could not determine how these accounts were breached, but found that they were used to message the victims' contacts and share a VBScript file passed off as a business or financial document.
Recipients who don't find it strange that a contact suddenly shares a business document, and who run the file, end up installing ManageEngine Endpoint Central, a unified endpoint management (UEM) and endpoint security platform built to let IT teams manage a fleet of desktops, laptops, servers, mobile devices and other endpoints from a single console.
Two scripts, one malware
In this case, however, they wouldn’t be managing anything – they’d just be giving remote system access to the attackers. Kaspersky says the campaign is quite widespread, with victims located in Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam and Malaysia.
One of the reasons the campaign was so successful internationally is that the filenames are localized in multiple languages, Kaspersky added.
“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts in the compromised users’ contact lists,” Kaspersky researchers said.
“At the time of writing, the exact method used to compromise these WhatsApp accounts is unknown.”
On Windows, downloading and running one of the malicious files deploys two scripts: the first disables User Account Control (UAC), and the second installs the UEM platform. Kaspersky also noted a difference in delivery: in WhatsApp Web the file has to be downloaded and opened by the user, whereas in the desktop client it can be executed directly via the Windows Script Host.
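The chain above (a script host launched from the messaging client, then UAC switched off by that same script process) is easy to express as detection logic. The following is an added example written for this page, not code from Kaspersky's report or from TechRadar: it runs two rules over Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) records and correlates them by process ID. The field names, the `WhatsApp.exe` process name, and all sample events are assumptions constructed for the example; the `EnableLUA` registry value it watches is the real UAC switch on Windows.

```python
"""Detect the VBScript -> UAC-off chain described above over Sysmon-style events.

Constructed example: field names follow Sysmon's ProcessCreate (ID 1) and
RegistryEvent/SetValue (ID 13) records; the events in SAMPLE_EVENTS are made up.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed binary name of the WhatsApp desktop client (not confirmed by the article).
MESSAGING_CLIENTS = {"whatsapp.exe"}
# Real Windows registry value: 0 disables User Account Control.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"


@dataclass
class Alert:
    rule: str
    severity: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_script_host_launch(ev: dict):
    """Rule 1: a script host spawned by the messaging client (desktop-client path),
    or running a .vbs out of a Downloads folder (the WhatsApp Web path)."""
    if ev.get("event_id") != 1 or basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "").lower()
    if parent in MESSAGING_CLIENTS:
        return Alert("script_host_from_messenger", "medium", ev["pid"], f"{parent} -> {cmd}")
    if ".vbs" in cmd and "\\downloads\\" in cmd:
        return Alert("vbs_from_downloads", "low", ev["pid"], cmd)
    return None


def check_uac_disable(ev: dict):
    """Rule 2: EnableLUA written as DWORD 0, which is what 'disable UAC' means on disk."""
    if ev.get("event_id") != 13 or ev.get("target_object", "").lower() != UAC_KEY.lower():
        return None
    if ev.get("details", "").lower().endswith("(0x00000000)"):
        return Alert("uac_disabled", "high", ev["pid"],
                     f"{basename(ev['image'])} wrote {ev['details']}")
    return None


def analyze(events: list) -> list:
    """Run both rules in event order; escalate when the UAC write comes from a
    script-host process already flagged by rule 1."""
    alerts, flagged_pids = [], set()
    for ev in events:
        hit = check_script_host_launch(ev)
        if hit:
            alerts.append(hit)
            flagged_pids.add(hit.pid)
        hit = check_uac_disable(ev)
        if hit:
            if hit.pid in flagged_pids:
                hit = Alert("script_host_disabled_uac", "critical", hit.pid, hit.detail)
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: one malicious chain (pid 4120) and benign noise (pid 5300).
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Factura.vbs"'},
    {"event_id": 13, "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "target_object": UAC_KEY, "details": "DWORD (0x00000000)"},
    {"event_id": 1, "pid": 5300, "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\gpscript.exe",
     "command_line": r"cscript.exe \\dc01\netlogon\map_drives.vbs"},
    {"event_id": 13, "pid": 5300, "image": r"C:\Windows\System32\cscript.exe",
     "target_object": r"HKCU\Network\Z\RemotePath", "details": r"\\fs01\share"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} pid={a.pid}: {a.detail}")
```

On the sample data the logon-script noise (pid 5300) produces nothing, while pid 4120 yields a medium alert for the launch and a critical one once the same process writes `EnableLUA = 0`. In a real deployment the UAC write alone is worth a high-severity alert regardless of parent, since a legitimate UEM rollout has no reason to touch it.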
Via Bleeping Computer
