WhatsApp worm spreads Python-based banking and crypto credential-stealing trojan in Brazil

A new WhatsApp-propagating worm is infecting devices in Brazil, delivering a banking trojan called Eternidade (Portuguese for Eternity) Stealer that steals credentials for cryptocurrency wallets and financial services.

According to the findings of Web3 security firm Trustwave SpiderLabs researchers Nathaniel Morales, John Basmayor and Nikita Kazymirskyi, the operation uses Internet Message Access Protocol to fetch command-and-control details on demand. The stolen data can help a threat actor to rotate servers and evade disruption as the malware spreads.

“It uses Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the threat actor to update its C2 server,” the security professionals wrote in the company’s blog page on Wednesday.

Investigators said the attackers abandoned older PowerShell scripts and are now deploying a Python-based approach to hijack WhatsApp and distribute malicious files. 

Eternidade stealer hides activity through VBScript

Per Trustwave SpiderLabs’ report, the attack begins with an obfuscated VBScript whose comments are mostly written in Portuguese.

The Python worm uses shorter, more agile code to automate WhatsApp activity to extract full contact lists using wppconnect libraries, customized greetings based on the time of day, and insert recipients’ names into messages containing malicious attachments.

A central function, named “obter_contatos,” enables the malware to steal the victim’s entire WhatsApp address book. For each contact, the worm collects the phone number and name to find out if the person is saved locally and has a device that can be breached. 

The data is transmitted to an attacker-controlled server through an HTTP POST request, where after collection, a worm sends a malicious attachment to every contact using a prebuilt message template.

MSI installer deploys localized banking trojan

The second stage of the attack starts once the MSI installer drops several components, including an AutoIt script that immediately checks if the device language is set to Brazilian Portuguese. 

In cases where the system does not meet this condition, the malware shuts down, which could mean the threat actors intend to target only users in Brazil.

When the locale check passes, the script scans running processes and registry keys for signs of security tools. It also profiles the device and sends system details back to the attackers’ command-and-control server.

The attack ends with the malware injecting the Eternidade Stealer payload into “svchost.exe” using a process that hides malicious code within legitimate Windows processes, known as “hollowing.”

Eternidade Stealer continuously monitors active windows and processes for strings related to financial services, including some of Brazil’s largest banks and international fintech platforms. 

Some of the financial firms mentioned by Trustwave include Santander, Banco do Brasil, BMG, Sicredi, Bradesco, BTG Pactual, MercadoPago, Stripe, alongside crypto companies Binance, Coinbase, MetaMask, and Trust Wallet.

Brazilian banking trojans are mostly dormant until the victim opens one of the financial applications. It then triggers overlays or credential-harvesting routines while completely invisible to casual users or automated security analysis tools.

Malware geofencing limits attacks to Brazilian WhatsApp users 

Trustwave SpiderLabs also shared panel stats, which revealed that the malware restricts access to systems outside Brazil and Argentina. Out of 454 recorded communication attempts, 452 were blocked due to geofencing rules. Only two connections were allowed and redirected to the real malicious domain, and blocked attempts were rerouted to a placeholder error page.

Of the failed connection attempts, 196 came from the United States, followed by the Netherlands, Germany, the UK, and France. Windows accounted for the largest share of attempted system connections with 115, though logs also included 94 connections on macOS, 45 on Linux, and 18 Android devices.

The discovery comes weeks after Trustwave found another operation dubbed “Water Saci” spreading through WhatsApp Web using a worm called SORVEPOTEL. That malware is a conduit for Maverick, a NET-based banking trojan that came from an earlier family known as Coyote, as Cryptopolitan reported last week.

Join a premium crypto trading community free for 30 days - normally $100/mo.