Summary Points
- Malicious VBScript files disguised as legitimate documents are distributed via WhatsApp, exploiting both Web and Desktop versions, to deliver remote access tools and RMM software.
- Threat actors infiltrate WhatsApp accounts—potentially through illegitimate access—to propagate malware, with scripts heavily obfuscated and mimicking Windows update components to evade detection.
- The attack chain involves downloading secondary scripts that manipulate UAC settings and deploy Remote Monitoring and Management software, posing a high risk of remote system control and data compromise.
Threat Overview, Techniques, and Targets
The campaign involves WhatsApp messages used to spread malicious VBScript files. These files are designed to look like business or financial documents, such as “Financial Reports.vbs” or “Account Statement.vbs.” Some files are named in various languages, including Portuguese and Malay, to reach a global audience. The attacker likely gained access to several WhatsApp accounts, then used them to send these files to contacts. The victim recipients are across many countries, with Malaysia seeing the most reports.
The attack starts when the victim opens the infected files. The VBScript files are heavily obfuscated and include comments that imitate legitimate Windows update components. The scripts are executed with “WScript.exe” and download additional payloads from a remote server. These payloads include scripts for tampering with Windows User Account Control (UAC) and installing a legitimate Remote Monitoring and Management (RMM) tool called ManageEngine RMM Central.
The infection process differs based on whether the victim uses WhatsApp Web or the desktop app. In WhatsApp Web, the user must download and open the file from their browser. In the desktop app, the malicious script runs within the app, linked to a background process called “WhatsApp.Root.exe.”
Impact, Implications, and Guidance
The malicious activity poses several risks. The attack can lead to the remote installation of a legitimate RMM tool, which allows attackers to have remote access to the infected systems. This can result in data theft, system control, or disruption of operations. The campaign’s infrastructure has links to known threat groups involved with Gh0st RAT and ValleyRAT, indicating deeper ongoing threats.
Organizations should be cautious with unexpected attachments via WhatsApp. Opening script or executable files like VBS, JS, or EXE can lead to infection. It is crucial to verify suspicious files independently before opening them.
For remediation, organizations should consult with the relevant vendor or authority for specific guidance. It is recommended to run a full security scan and monitor for unusual activity, especially related to remote management software.
Remediation guidance should be obtained from the appropriate security vendors or authorities to ensure proper response and mitigation measures.
Continue Your Tech Journey
Learn how the Internet of Things (IoT) is transforming everyday life.
Explore past and present digital transformations on the Internet Archive.
ThreatIntel-V1
