Summary Points
- Worm and Trojan Spread: The “Eternidade” malware spreads as a worm through WhatsApp, propagating by sending personalized messages to each victim’s contacts.
- Demographics Targeting: Researchers found approximately 10,000 infected machines. The worm focuses on Brazilian individuals by filtering out business contacts and group chats, which raises its infection success rate.
- Multifunctional Design: Composed of two parts, the malware checks the victim’s operating system language and environment to confirm it is running on an ordinary Brazilian citizen’s machine before executing its main stealer payload, which targets banking and cryptocurrency sites.
- Dynamic C2 Resilience: Eternidade features a novel method for maintaining control: it can automatically update its command-and-control (C2) domain through an email, allowing it to survive detection and takedowns by defenders.
WhatsApp ‘Eternidade’ Trojan Worms Through Brazil
A new Trojan is making the rounds in Brazil, spreading as a worm through WhatsApp, and then duping people into giving up their banking credentials.
Senior security research manager Karl Sigler and his colleagues at LevelBlue were able to penetrate the command-and-control (C2) infrastructure supporting the “Eternidade” stealer. There, he reports, they discovered somewhere in the neighborhood of 10,000 infected systems — a testament to just how doggedly the program is spreading to specific demographics of victims, through their trusted social media.
Eternidade Half 1: The Worm
Eternidade comes in two halves. The first is a worm, designed to automatically grab a victim’s full list of WhatsApp contacts and send them all a copy of itself.
Instead of crudely spreading as far and wide as it possibly can, though, the program filters out all of a victim’s labeled business contacts, and any group chats. The idea, the researchers think, is that the infections most likely to succeed are those that arrive in the form of personalized, direct messages from friends and family.
The malware also has a couple of small tricks to enhance the credibility of that message. It autofills the recipient’s name in the phishing message, and it includes a “Good morning,” “Good afternoon,” or “Good evening” (in Portuguese), depending on the actual time of day the message is sent. The attackers can further configure the message templates through their C2 infrastructure.
The other element of note is that the malware’s dropper was initially written in PowerShell, but newer variants are written in Python. “Most droppers, especially with what we’re seeing in Brazil, typically are written in PowerShell,” Sigler says. “[Malware authors] are expecting Windows on the end machine, so they execute with PowerShell. Using Python could be indicative of what the skill set was for the authors of the malware.”
Or more intriguingly, it could be an indication of the threat actors’ intentions: “That they’re looking to expand [Eternidade] into something that’s multiplatform, which they could run on Linux, or on Mac,” Sigler says.
Eternidade Half 2: The Trojan
The Trojan half of Eternidade is more multifunctional. It checks that a victim’s operating system (OS) language is set to Brazilian Portuguese, and whether the host machine is part of a corporate network or sandbox environment. It identifies security programs running on the system, and gathers a variety of other system data, all to make sure that victims are ordinary Brazilian individuals before proceeding with malicious activity.
If all of those checks pass, the final stealer payload will be loaded and executed. This component is written in Delphi, a formerly quite popular programming language that has since fallen out of fashion in most parts of the world, but remains a “cornerstone” of Brazil’s cybercrime scene, according to LevelBlue.
As Sigler explains it, “Brazil to a certain extent is isolated, being the only country in Latin America with Portuguese. A lot of the education programs in Brazil are targeted specifically for Brazil. So that also provides a not completely isolated environment, but one that’s more focused. And Delphi is one of the things they focused on.”
The result has been “one of those odd evolutions. While other programming languages and scripting languages caught on a lot more in other places, I think probably the computer science and IT programs [in Brazil] really sort of folded in Delphi because it was already popular, and that made it more popular.”
Delphi does possess some advantages, when building something like a stealer. “It’s easy to learn, and it’s very straightforward. It can’t do a lot of really complex things, but for things like this — downloading, gathering system information, sending system information off to another domain, Delphi works great,” he says.
The stealer begins its job by scanning for active running windows and processes that indicate that the victim is using a banking, cryptocurrency, or fintech website. Targeted services include the Bank of Brazil, Santander, Stripe, Coinbase, Binance, Metamask, Ledger Live, and dozens more. Should a victim visit any one of these platforms, the malware will serve them a typical overlay designed to solicit their login credentials for the attacker.
The malware can also run a variety of remote commands for downloading, uploading, and exfiltrating files, capturing screenshots, logging keystrokes, etc. More interesting, though, is how it can avoid the complications of C2 takedowns.
In addition to all the effort they put into making sure that the malware only ever runs for intended victims, the attackers also built Eternidade to update its C2 domain via email. They hardcoded email credentials into the malware, which it uses to log in to an attacker-controlled mailbox and read messages from it. If defenders ever manage to take down Eternidade’s C2, the attackers can simply send an email containing a new C2 address, and the malware will immediately know where to fetch its next orders from.
“It’s pretty interesting,” Sigler says. “We really haven’t run across that much.”
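One way a defender could hunt for the email-based C2 update mechanism described above, as an added example that is not from the LevelBlue report or this article: a heuristic over constructed process-network telemetry that flags a process (other than a known mail client) which opens an IMAP connection and then, shortly afterwards, contacts a destination it had never reached before. The event format, process names and hostnames are all assumed for illustration.

```python
"""Heuristic for 'C2 address delivered by email': a non-mail-client process
reads a mailbox over IMAP, then opens a connection to a brand-new host.
Telemetry format below is hypothetical (timestamp, process, dest host, dest port)."""
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list
IMAP_PORTS = {143, 993}
WINDOW = timedelta(minutes=10)   # how soon after the IMAP read a new host counts

# Constructed sample telemetry: a real mail client plus a suspicious process
# that talks to an old C2, reads a mailbox, then contacts a never-seen host.
SAMPLE_EVENTS = [
    ("2025-11-20T09:00:01", "outlook.exe", "imap.example-mail.test", 993),
    ("2025-11-20T09:00:05", "outlook.exe", "cdn.example.test", 443),
    ("2025-11-20T09:01:00", "svchost-update.exe", "old-c2.example.test", 443),
    ("2025-11-20T09:05:00", "svchost-update.exe", "imap.example-mail.test", 993),
    ("2025-11-20T09:05:30", "svchost-update.exe", "new-c2.example.test", 443),
]


def parse(events):
    """Turn raw tuples into (datetime, process, host, port), sorted by time."""
    return sorted((datetime.fromisoformat(ts), proc, host, int(port))
                  for ts, proc, host, port in events)


def find_email_c2_updates(events, window=WINDOW, mail_clients=MAIL_CLIENTS):
    """Return (process, imap_host, new_host) for every suspicious sequence."""
    alerts = []
    seen_hosts = defaultdict(set)   # process -> hosts it has contacted so far
    last_imap = {}                  # process -> (time, host) of its last IMAP read
    for ts, proc, host, port in parse(events):
        if proc.lower() in mail_clients:
            continue                # mail clients are expected to speak IMAP
        if port in IMAP_PORTS:
            last_imap[proc] = (ts, host)
        elif proc in last_imap:
            imap_ts, imap_host = last_imap[proc]
            # New destination right after a mailbox read: likely an updated C2.
            if ts - imap_ts <= window and host not in seen_hosts[proc]:
                alerts.append((proc, imap_host, host))
        seen_hosts[proc].add(host)
    return alerts


if __name__ == "__main__":
    for proc, imap_host, new_host in find_email_c2_updates(SAMPLE_EVENTS):
        print(f"ALERT: {proc} read mail via {imap_host}, then contacted {new_host}")
```

The heuristic deliberately ignores a process re-contacting a host it already knew; only a destination first seen right after the mailbox read is flagged.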