The Register

Don’t open that WhatsApp message, Microsoft warns

Be careful what you click on. Miscreants are abusing WhatsApp messages in a multi-stage attack that delivers malicious Microsoft Installer (MSI) packages, allowing criminals to control victims’ machines and access all of their data.

The campaign began in late February, we’re told, and the attack chain starts with a WhatsApp message that delivers malicious Visual Basic Script (VBS) files. We’re not sure exactly how the social engineering part of the scam works – we’ve asked Redmond for additional details and will update this story if we receive any. 

The Register also reached out to Meta-owned WhatsApp for comment and did not hear back.

But somehow the attacker tricks the message recipient into executing the malicious file on their system. They likely do this using a compromised WhatsApp session so that the message appears to come from one of the victim’s existing contacts. Or they blast users with a lure that contains a sense of urgency, prompting the recipient to open the file in a rush.

Once it’s executed, the malicious script creates hidden folders in C:\ProgramData and drops renamed versions of legitimate Windows utilities – for example, curl.exe renamed as netapi.dll and bitsadmin.exe as sc.exe.

Using legitimate Windows tools for evil purposes allows attackers to blend in with normal network activity – defenders call this “living off the land” – but the miscreants did make a mistake in renaming these binaries. 

“Notably, these renamed binaries retain their original PE (Portable Executable) metadata, including the OriginalFileName field which still identifies them as curl.exe and bitsadmin.exe,” Microsoft’s researchers wrote in a Tuesday blog. “This means Microsoft Defender and other security solutions can leverage this metadata discrepancy as a detection signal, flagging instances where a file’s name does not match its embedded OriginalFileName.”

The crims use the renamed binaries to download secondary VBS payloads (auxs.vbs, 2009.vbs) from trusted cloud services including AWS, Tencent Cloud, and Backblaze B2. Again, this makes it more difficult to distinguish between normal enterprise activity and malicious downloads.

Then the malware alters the User Account Control (UAC) settings, attempting to launch cmd.exe with elevated privileges until it either succeeds, meaning the malware will survive a system reboot, or the process is forcibly terminated. 

Finally, the attackers deploy malicious MSI installers, and Microsoft says that these include Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi. Once again, the baddies use real tools like AnyDesk – not custom malware – to hide in plain sight. 

However, none of the final payloads are signed, and this should be another indication to defenders that they are dealing with malware, not legit enterprise software.

These installers give the attackers remote access to victims’ systems so they can steal data, deploy more malware – such as ransomware – on compromised systems, or use the infected machines as part of a larger network from which to launch other attacks.

While Microsoft’s blog includes several recommendations directing people to use their security products to avoid this type of compromise, one vendor-neutral tip that we especially like involves educating users on how to spot social engineering campaigns. 

“Train employees to recognize suspicious WhatsApp attachments and unexpected messages, reinforcing that even familiar platforms can be exploited for malware delivery,” Redmond advises. ®
