Warning: WhatsApp worm targets Brazilian crypto wallets, bank accounts




Brazilian crypto holders are urged to be on the lookout for a sophisticated hacking campaign that includes a hijacking worm and banking trojan shared via WhatsApp messages. 

According to a new report from Trustwave’s cybersecurity research team SpiderLabs, the banking trojan, known as “Eternidade Stealer,” is being pushed on the messaging application WhatsApp via social engineering lures such as “fake government programs, delivery notifications,” messages from friends and fraudulent investment groups.

“WhatsApp continues to be one of the most exploited communication channels in Brazil’s cybercrime ecosystem. Over the past two years, threat actors have refined their tactics, using the platform’s immense popularity to distribute banker trojans and information-stealing malware,” said SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi.

In layman’s terms, clicking the worm link in WhatsApp sets off a chain reaction that infects the victim with both the worm and the banking trojan.

The worm hijacks the account and obtains the victim’s contact list. It uses “smart filtering” to skip business contacts and groups and target individual contacts instead, so the worm spreads more efficiently.

Meanwhile, a file automatically downloaded onto the victim’s device deploys the Eternidade Stealer banking trojan in the background, which scans for financial data and login credentials for a range of Brazilian banks, fintech services, and crypto exchanges and wallets.

Infographic explaining how the malware attacks devices and how the hack progresses. Source: SpiderLabs


The malware also has a clever way to avoid detection or being shut down. Instead of relying on a fixed command-and-control (C2) server address, it logs into a preset Gmail account and checks for new commands sent by email, so the operators can change the C2 address simply by sending a new message.

“One notable feature of this malware is that it uses hardcoded credentials to log into its email account, from which it retrieves its C2 server. It is a very clever way to update its C2, maintain persistence, and evade detections or takedowns on a network level. If the malware cannot connect to the email account, it uses a hardcoded fallback C2 address,” the report reads. 
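The C2 scheme described in the report is detectable from the defender's side: a process that is not a mail client logging into a mail server, then immediately opening a connection elsewhere, is the footprint of "fetch the C2 address from a mailbox." The following is an added example, not code from the Trustwave/SpiderLabs report; the log format, the process allowlist, the process name `updhelper.exe` and the TEST-NET addresses are all constructed for illustration and would be tuned to a real environment's telemetry.

```python
# Added hunting heuristic for the "mailbox as C2 resolver" pattern (not SpiderLabs code).
# Log line format and all sample values below are constructed for illustration.
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ports used by mail protocols; a non-mail-client process talking to them is suspicious.
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP", 465: "SMTPS",
              587: "SMTP", 993: "IMAPS", 995: "POP3S"}
# Assumption: processes legitimately expected to speak mail protocols in this estate.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}
# A non-mail connection by the same process within this window after the mailbox
# check is reported as the likely "resolved" C2 destination.
FOLLOW_ON_WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$"
)


@dataclass(frozen=True)
class NetEvent:
    ts: datetime
    host: str
    proc: str
    dst: str
    port: int


def parse_event(line: str) -> NetEvent | None:
    """Parse one constructed connection-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return NetEvent(ts, m["host"], m["proc"].lower(), m["dst"], int(m["port"]))


def find_email_c2_candidates(lines: list[str]) -> list[dict]:
    """Flag non-mail-client processes contacting mail servers and correlate the
    follow-on connection they make shortly afterwards (the probable C2 endpoint)."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e.ts)
    findings = []
    for i, e in enumerate(events):
        if e.port not in MAIL_PORTS or e.proc in MAIL_CLIENT_ALLOWLIST:
            continue
        follow_on = [
            f.dst for f in events[i + 1:]
            if f.host == e.host and f.proc == e.proc
            and f.port not in MAIL_PORTS
            and f.ts - e.ts <= FOLLOW_ON_WINDOW
        ]
        findings.append({
            "host": e.host,
            "proc": e.proc,
            "mail_server": e.dst,
            "protocol": MAIL_PORTS[e.port],
            "possible_c2": follow_on,
        })
    return findings


# Constructed sample telemetry: one legitimate mail client, one browser, and one
# unexpected binary that checks a mailbox and then reaches out to a new host.
SAMPLE_LOG = [
    "2025-11-20T10:01:02Z host=WS-042 proc=outlook.exe dst=imap.gmail.com port=993",
    "2025-11-20T10:02:15Z host=WS-042 proc=updhelper.exe dst=imap.gmail.com port=993",
    "2025-11-20T10:02:19Z host=WS-042 proc=updhelper.exe dst=203.0.113.45 port=443",
    "2025-11-20T10:05:00Z host=WS-017 proc=chrome.exe dst=mail.google.com port=443",
    "2025-11-20T10:10:00Z host=WS-042 proc=updhelper.exe dst=198.51.100.9 port=443",
]

if __name__ == "__main__":
    for finding in find_email_c2_candidates(SAMPLE_LOG):
        print(finding)
```

The allowlist is the part that needs care: the goal is not to alert on every mail login but on mail-protocol traffic from binaries that have no business sending or reading email. The follow-on correlation is what turns a noisy "unknown process used IMAP" signal into a concrete destination worth blocking, and the window keeps an unrelated connection minutes later (the last sample line) out of the finding.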

How to stay safe

Users of apps such as WhatsApp are advised to treat any link sent to them with caution, even if it comes from a trustworthy contact.

A helpful tactic can be to message them on a separate app to confirm if the link is okay, and to be suspicious of a link sent out of the blue with limited context given.