New WhatsApp phishing campaign allows for remote access from a single business document

WhatsApp on smartphone in a hand
(Image credit: Anton/Pexels)

  • Kaspersky warns of a WhatsApp phishing campaign spreading malicious VBScript files disguised as business documents
  • Running them installs ManageEngine Endpoint Central, giving attackers remote access; localized filenames boosted the campaign's global reach
  • Victims span Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia; compromise method remains unknown

WhatsApp users beware: a phishing campaign is under way on the platform, seeking to plant a legitimate but unsolicited endpoint management and security platform on your devices.

Security researchers at Kaspersky recently published a report detailing a campaign that starts with a compromised WhatsApp account. They could not determine how these accounts were breached, but found that they were being used to reach out to the victims’ contacts and share a VBScript file masquerading as a business or financial document.

People who don’t find it strange that their contacts are suddenly sharing business documents, and who end up running the files, get ManageEngine’s Endpoint Central installed: a unified endpoint management (UEM) and endpoint security platform built to help IT teams manage a fleet of desktops, laptops, servers, mobile devices, and other endpoints from a single console.


Two scripts, one malware

In this case, however, they wouldn’t be managing anything - they would just be granting remote system access to the attackers. Kaspersky says that the campaign is rather widespread, with victims located across Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.

One of the reasons the campaign was so successful internationally is that the filenames are localized in multiple languages, Kaspersky added.

“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists,” Kaspersky’s researchers said.

“At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.”

Downloading and running the malicious files on Windows results in the deployment of two scripts that first disable UAC protections and then deploy the UEM. Kaspersky also stressed that when users open WhatsApp on the web, they must first download the files, but when they use the desktop client, the files can be executed directly via Windows Script Host.
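The chain described above (a VBScript file launched through Windows Script Host from the chat client, followed by a UAC-disabling change) is what a defender would want to spot in endpoint telemetry. The following is an added example, not code from Kaspersky's report or from TechRadar, that runs two simple hunting rules over constructed Sysmon-style process-creation and registry events. The key=value log format, the field names, the `WhatsApp.exe` parent process name and the sample paths are all assumptions made for this illustration; the `EnableLUA` registry value is the standard Windows switch that controls UAC.

```python
"""
Hunt for (1) wscript.exe / cscript.exe running a .vbs file as a child of a
chat client and (2) a registry write that sets EnableLUA to 0 (UAC off).

All log lines here are CONSTRUCTED for this example in a simplified
Sysmon-like key=value format; they are not real telemetry from the campaign.
"""
import re

WSH_HOSTS = {"wscript.exe", "cscript.exe"}
CHAT_PARENTS = {"whatsapp.exe"}                 # assumed parent process name
UAC_VALUE_SUFFIX = "\\policies\\system\\enablelua"  # HKLM\...\Policies\System\EnableLUA

# Constructed sample events (not real logs). Quoted values may contain spaces.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\wscript.exe CommandLine="wscript.exe C:\\Users\\bob\\Downloads\\Invoice_Q3.vbs" ParentImage=C:\\Users\\bob\\AppData\\Local\\WhatsApp\\WhatsApp.exe
EventID=13 Image=C:\\Windows\\System32\\wscript.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA Details="DWORD (0x00000000)"
EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt" ParentImage=C:\\Windows\\explorer.exe
EventID=1 Image=C:\\Windows\\System32\\cscript.exe CommandLine="cscript.exe //nologo C:\\build\\deploy.vbs" ParentImage=C:\\Windows\\System32\\cmd.exe
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_wsh_from_chat(ev: dict) -> bool:
    """Script host launched by a chat client with a .vbs on its command line."""
    return (
        ev.get("EventID") == "1"
        and _basename(ev.get("Image", "")) in WSH_HOSTS
        and _basename(ev.get("ParentImage", "")) in CHAT_PARENTS
        and ".vbs" in ev.get("CommandLine", "").lower()
    )


def is_uac_disabled(ev: dict) -> bool:
    """Registry value set (Sysmon EventID 13) that writes EnableLUA = 0."""
    return (
        ev.get("EventID") == "13"
        and ev.get("TargetObject", "").lower().endswith(UAC_VALUE_SUFFIX)
        and "0x00000000" in ev.get("Details", "")
    )


def triage(log_text: str) -> list:
    """Return (rule_name, summary) pairs for every event that matches a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_wsh_from_chat(ev):
            alerts.append(("wsh_from_chat_client", ev.get("CommandLine", "")))
        elif is_uac_disabled(ev):
            alerts.append(("uac_disabled", ev.get("TargetObject", "")))
    return alerts


if __name__ == "__main__":
    for rule, summary in triage(SAMPLE_LOG):
        print(f"[{rule}] {summary}")
```

The script-host rule keys on the parent process rather than on the file name, because the article notes the lures were renamed per language; the UAC rule fires on the registry write regardless of which process made it. The benign `cscript.exe` run from `cmd.exe` in the sample is there to show the first rule stays quiet for ordinary administrative scripting.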

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.