Foursdeath Team – News CyberSecurity


WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool

Direct messages on WhatsApp are being abused to distribute malicious Visual Basic Script (VBScript) files that ultimately lead to the installation of legitimate Remote Monitoring and Management (RMM) software.

According to findings from Kaspersky, this ongoing campaign is targeting users of WhatsApp Desktop and WhatsApp Web in countries including Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia, and Vietnam. Malaysia has reported the highest number of victims.

Security researcher Fareed Radzi explained, “The threat actor cleverly uses misleading file names that look like business and financial documents to trick recipients into downloading and running the attachment.” He added, “Once the VBScript is executed, it kicks off a multi-stage infection process that eventually leads to the installation of legitimate RMM software, giving the attacker remote access to the victim’s system.”

It is believed that the perpetrator behind this scheme has gained covert access to multiple WhatsApp accounts and is using them to distribute the VBScript files to those accounts' contacts. How the accounts are being compromised remains unknown.

The VBScript files are heavily obfuscated and disguised as innocuous business and financial documents, often sporting names like “Financial Reports.vbs” or “Account Statement.vbs.” Some files even have names in other languages, including Portuguese, French, German, and Malay, highlighting the global reach of this campaign.

“In addition, the VBScript samples contain extensive comments and metadata intended to mimic legitimate Microsoft Windows Update components,” Kaspersky explained. “Many of these comments are written in Chinese and include references to Windows Update modules, certificate validation, system integrity checks, and deployment-related functionality.”

The VBScript file is launched using “WScript.exe,” which then fetches and runs the additional VBScript components required for the next stages of the attack. The infection chain differs slightly depending on whether the victim is using WhatsApp Web or the WhatsApp Desktop application.

With WhatsApp Web, the attack relies on the user downloading the file to their system and then opening it from the download folder or via the browser’s download history, assuming it to be a legitimate document. In WhatsApp Desktop, the malware is executed directly from within the application: the process tree shows “WhatsApp.Root.exe,” the background process of the client application, spawning “WScript.exe.”

The primary objective of the VBScript is to download two secondary VBScript payloads from a remote server, one of which attempts to tamper with Windows User Account Control (UAC) behavior, while the other downloads and executes a ZIP file containing the installation package for ManageEngine RMM Central.

The activity remains unattributed; however, the Russian cybersecurity company said it found infrastructure overlaps (“202.61.160[.]201”) with prior activity linked to Gh0st RAT and ValleyRAT.

“Users should be cautious when receiving unexpected attachments through WhatsApp, even when they appear to originate from known contacts,” Kaspersky said. “Script and executable file types such as VBS, VBE, EXE, BAT, CMD, JS, and PS1 should not be opened unless their legitimacy has been independently verified.”
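The process-tree and file-name indicators described above can be turned into a simple detection heuristic. The Python below is an added example, not code from Kaspersky or this site; it assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine), constructs its own sample log lines, and covers both the WhatsApp Desktop chain (WhatsApp.Root.exe spawning WScript.exe) and the WhatsApp Web chain, where the script is opened from the download folder and only the document-like name of the script gives it away.

```python
"""Heuristic for the two WhatsApp infection paths described above.
Added example, not Kaspersky's code; the log lines below are constructed to
resemble Sysmon process-creation fields and are not real telemetry."""
import re
from pathlib import PureWindowsPath

# File types the advisory says should not be opened without verification.
RISKY_EXT = {".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1"}
# Name fragments that make a script look like a business document (assumed list).
DOC_WORDS = ("report", "statement", "invoice", "account", "financ")
# Messaging-client processes that should never spawn a script host (assumed).
MESSAGING_PARENTS = {"whatsapp.root.exe", "whatsapp.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def lure_filename(path: str) -> bool:
    """True for a document-like name carrying a script/executable extension."""
    p = PureWindowsPath(path)
    return p.suffix.lower() in RISKY_EXT and any(w in p.stem.lower() for w in DOC_WORDS)

def parse_event(line: str) -> dict:
    """Parse a 'Key=value; Key=value' process-creation line into a dict."""
    fields = (f.split("=", 1) for f in line.split(";") if "=" in f)
    return {k.strip().lower(): v.strip() for k, v in fields}

def suspicious(event: dict) -> list:
    """Return the reasons an event matches the campaign, empty if none."""
    reasons = []
    image = PureWindowsPath(event.get("image", "")).name.lower()
    parent = PureWindowsPath(event.get("parentimage", "")).name.lower()
    # WhatsApp Desktop path: WhatsApp.Root.exe directly spawning WScript.exe.
    if image in SCRIPT_HOSTS and parent in MESSAGING_PARENTS:
        reasons.append("script host spawned by messaging client")
    # WhatsApp Web path: the user opens a downloaded lure, so the parent is
    # explorer/browser and the document-named script argument is the signal.
    for tok in re.findall(r'"[^"]*"|\S+', event.get("commandline", "")):
        path = PureWindowsPath(tok.strip('"'))
        if lure_filename(str(path)):
            reasons.append("document-named script: " + path.name)
    return reasons

def scan(lines: list) -> list:
    """Run the heuristic over raw log lines; one reason list per line."""
    return [suspicious(parse_event(ln)) for ln in lines]

# Constructed sample events: Desktop chain, Web chain, and a benign admin script.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\WScript.exe; ParentImage=C:\Users\u\AppData\Local\WhatsApp\WhatsApp.Root.exe; CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\u\Downloads\Financial Reports.vbs"',
    r'Image=C:\Windows\System32\WScript.exe; ParentImage=C:\Windows\explorer.exe; CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\u\Downloads\Account Statement.vbs"',
    r'Image=C:\Windows\System32\WScript.exe; ParentImage=C:\Windows\explorer.exe; CommandLine="C:\Windows\System32\WScript.exe" C:\it\logon.vbs',
]
```

Calling `scan(SAMPLE_EVENTS)` flags the first two lines and leaves the routine logon script alone; in production the parent-process rule is the higher-confidence signal, while the name rule will need tuning against local false positives.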
