TrendMicro

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users

WhatsApp Web Session Hijack and Automated Propagation

Trend Research analysis found that a key feature of this malware is its ability to detect whether WhatsApp Web is active on the infected machine.

When it finds one, the malware uses that already-authenticated session to send the same malicious ZIP file to every contact and group associated with the victim’s account, propagating itself rapidly. Because the messages come from a real account that recipients already trust, they are far more likely to be opened than a lure from a stranger.

This automated spreading produces a high volume of spam and frequently leads to the victim’s account being suspended or banned for violating WhatsApp’s terms of service.

Post-Infection Behavior and Evasion

After initial infection, this malware continues to operate primarily as a self-propagating threat, with current evidence suggesting that its main objective is widespread distribution rather than causing deeper system compromise.

At the time of writing, reported cases show no significant signs of data exfiltration or file encryption. It is worth noting, however, that Brazilian campaigns using similar techniques, such as LNK shortcuts and PowerShell scripts, have previously targeted financial data, so the current low-impact behavior should not be read as the final form of the tooling.

To evade detection and keep its infrastructure reachable, the malware uses look-alike, typosquatted domains such as “sorvetenopotel”, which closely resembles the innocuous Brazilian Portuguese phrase “sorvete no pote” (ice cream in a cup). A domain that reads like everyday Portuguese draws less scrutiny from users and analysts, and its traffic blends in with legitimate browsing.

Trend Research also observed potential links to additional infrastructure, including domains such as cliente[.]rte[.]com[.]br, which were used for malware distribution in the days leading up to the larger campaign activity. These findings show the attackers continually rotating and diversifying their delivery infrastructure for maximum reach and stealth.

Conclusion

The SORVEPOTEL campaign demonstrates how threat actors are increasingly leveraging popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction. By combining tried-and-tested phishing lures, automated abuse of authenticated WhatsApp Web sessions, and look-alike infrastructure, SORVEPOTEL is positioned to spread fast.

While the current impact centers on widespread infection and account bans rather than data theft or encryption, the similarities to past Brazilian campaigns underline the potential for the malware to evolve.

Vigilance, user awareness, and effective security controls are essential to mitigating this and similar threats. Trend Micro continues to monitor this campaign closely and recommends maintaining up-to-date defenses while staying informed about emerging attack techniques targeting messaging platforms.

Defense Recommendations

To minimize the risks associated with the SORVEPOTEL campaign, Trend recommends the following practical first-line defenses:

  • Disable Auto-Downloads on WhatsApp. Turn off automatic downloads of media and documents in WhatsApp settings to reduce accidental exposure to malicious files.
  • Control File Transfers on Personal Apps. Use endpoint security or firewall policies to block or restrict file transfers through personal applications like WhatsApp, Telegram, or WeTransfer on company-managed devices. If your organization supports BYOD, enforce strict application allow-listing or containerization to protect sensitive environments.
  • Enhance User Awareness. The victimology of the SORVEPOTEL campaign suggests that attackers are targeting enterprises. Organizations should provide regular security training to help employees recognize the dangers of downloading files via messaging platforms. Advise users to avoid opening unexpected attachments or suspicious links, even when they come from known contacts, and promote the use of secure, approved channels for transferring business documents.
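The lure in this campaign is a ZIP archive, and the related Brazilian campaigns mentioned above rely on LNK shortcuts and PowerShell scripts. Where file transfers through chat apps cannot be blocked outright, a cheap endpoint-side control is to triage every archive that lands in a messaging app’s download folder before anyone opens it. The script below is an added example written for this post, not Trend’s tooling and not code from the campaign: it inspects ZIP members without extracting them and flags shortcut/script/executable types, decoy double extensions, and space-padded names. The two sample archives it builds are constructed placeholders (the ".lnk" member holds dummy bytes, not a real shortcut), and whether the real SORVEPOTEL archive uses exactly this layout is an assumption.

```python
import tempfile
import zipfile
from pathlib import Path

# Member types that have no business inside a "receipt" archive sent over a chat
# app: Windows shortcuts plus script and executable formats.
RISKY_EXTS = {".lnk", ".exe", ".scr", ".ps1", ".vbs", ".js", ".jse", ".hta",
              ".bat", ".cmd", ".msi", ".dll"}
# Document/image extensions commonly placed in front of the real one as a decoy.
DECOY_EXTS = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".xlsx", ".txt"}


def split_extensions(member_name: str) -> tuple[str, list[str]]:
    """Return (basename, extensions) for a ZIP member, tolerating the
    space-padding trick ('invoice.pdf        .lnk') that hides the real type."""
    base = member_name.rsplit("/", 1)[-1]
    parts = base.split(".")
    exts = ["." + p.strip().lower() for p in parts[1:]]
    return base, exts


def classify_entry(member_name: str) -> list[str]:
    """Reasons an archive member looks like a lure payload; empty if nothing stands out."""
    base, exts = split_extensions(member_name)
    if not exts:
        return []
    reasons = []
    if exts[-1] in RISKY_EXTS:
        reasons.append(f"risky type {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append("double extension")   # e.g. comprovante.pdf.lnk
    if "  " in base:
        reasons.append("padded filename")        # runs of spaces push the extension out of view
    return reasons


def triage_zip(path) -> dict[str, list[str]]:
    """Inspect an archive without extracting it: member name -> reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_entry(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def scan_dir(directory) -> dict[str, dict[str, list[str]]]:
    """Triage every .zip under a download folder; unreadable archives are flagged too."""
    results = {}
    for p in Path(directory).rglob("*.zip"):
        try:
            findings = triage_zip(p)
        except zipfile.BadZipFile:
            findings = {"<archive>": ["not a valid ZIP"]}
        if findings:
            results[p.name] = findings
    return results


def build_samples(directory) -> tuple[Path, Path]:
    """Write two constructed archives for the demo: a lure carrying a padded
    .pdf.lnk shortcut and a benign archive holding only a PDF. Both contain
    placeholder bytes, not real malware."""
    directory = Path(directory)
    lure = directory / "comprovante.zip"
    with zipfile.ZipFile(lure, "w") as zf:
        zf.writestr("Comprovante.pdf                              .lnk", b"L\x00\x00\x00" + b"\x00" * 16)
        zf.writestr("leia-me.txt", b"placeholder")
    benign = directory / "fatura.zip"
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("fatura-setembro.pdf", b"%PDF-1.4 placeholder")
    return lure, benign


def demo() -> dict[str, dict[str, list[str]]]:
    """Build the samples in a scratch folder and return what the scan flags."""
    with tempfile.TemporaryDirectory() as scratch:
        build_samples(scratch)
        return scan_dir(scratch)


if __name__ == "__main__":
    for archive, members in demo().items():
        for member, reasons in members.items():
            print(f"{archive}: {member!r} -> {', '.join(reasons)}")
```

Pointing `scan_dir()` at the messaging client’s download directory (or wiring `triage_zip()` into an EDR custom-detection that fires on file-create events there) gives a quarantine decision before the archive is double-clicked. The benign `fatura.zip` produces no findings; the lure is flagged three ways, and the padded-name check matters because Explorer and WhatsApp’s file preview truncate long names, so the user sees only "Comprovante.pdf".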

Implementing these recommendations will help organizations and individuals better defend against malware threats delivered through messaging applications.

Proactive security with Trend Vision One™ 

Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This holistic approach helps enterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital estate. Eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation, especially in the cases of novel malware threats such as the one discussed in this blog.

Trend Vision One™ Threat Intelligence

To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend Research on emerging threats and threat actors.

Hunting Queries  

Trend Vision One Search App  

Trend Vision One customers can use the Search App to match or hunt for the malicious indicators mentioned in this blog post against data in their environment.

Search for outbound connections to known malicious IP addresses associated with Comprovante WhatsApp 
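For readers without the Search App, the same sweep can be done offline against exported proxy or DNS logs. The script below is an added example written for this post, not Trend’s query and not code from the original: it refangs indicators written in the usual `[.]`/`hxxp` notation, matches destination hosts on label boundaries (so subdomains of an indicator hit but look-alike suffixes do not), and matches destination IPs exactly. Only cliente[.]rte[.]com[.]br comes from the post; the other two indicators, the log format and the log lines are constructed for the example (a `.example` name and an RFC 5737 documentation address), and the domain used in the typosquat discussion above is not matched here because the post gives no TLD for it.

```python
import ipaddress
import re

# Defanged indicators in the notation threat reports use. cliente[.]rte[.]com[.]br
# is the domain named in this post; the other two are constructed placeholders
# (an .example name and an RFC 5737 documentation address), not real indicators.
DEFANGED_IOCS = [
    "cliente[.]rte[.]com[.]br",
    "ioc-placeholder[.]example",
    "198[.]51[.]100[.]23",
]

# Constructed proxy log lines: <timestamp> <client_ip> <dest_host> <dest_ip> <action>
SAMPLE_LOG = """\
2025-10-01T13:02:11Z 10.0.0.14 www.example.com 203.0.113.10 ALLOW
2025-10-01T13:02:19Z 10.0.0.14 cliente.rte.com.br 198.51.100.23 ALLOW
2025-10-01T13:03:40Z 10.0.0.22 cdn.ioc-placeholder.example 203.0.113.9 ALLOW
2025-10-01T13:04:02Z 10.0.0.31 notrte.com.br 203.0.113.77 ALLOW
2025-10-01T13:05:15Z 10.0.0.14 mail.example.net 198.51.100.23 ALLOW
"""


def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be compared with log fields."""
    s = indicator.strip().lower()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)     # a[.]b, a(.)b, a{.}b -> a.b
    s = re.sub(r"^hxxp", "http", s)                # hxxp(s):// -> http(s)://
    return s


def load_iocs(defanged):
    """Split a defanged list into a domain set and an IP set."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.rstrip("."))
    return domains, ips


def domain_matches(host: str, domains) -> bool:
    """True when host equals an indicator or sits beneath it (cdn.bad.example
    matches bad.example); notbad.example does not, because the comparison is on
    label boundaries rather than a plain substring."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def sweep(log_lines, defanged=DEFANGED_IOCS) -> list[dict]:
    """Return one hit per log line whose destination host or IP is an indicator."""
    domains, ips = load_iocs(defanged)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue                              # malformed line: skip rather than crash
        ts, client, host, dest_ip, _action = fields[:5]
        matched = []
        if domain_matches(host, domains):
            matched.append("domain")
        if dest_ip in ips:
            matched.append("ip")
        if matched:
            hits.append({"ts": ts, "client": client, "host": host,
                         "ip": dest_ip, "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run over the constructed log, the sweep returns three hits: the direct connection to cliente.rte.com.br (domain and IP), a subdomain of the placeholder indicator (domain only), and a later connection from the same client to the indicator IP under a different hostname (IP only), which is the case a hostname-only search would miss. Clients that appear in more than one hit, like 10.0.0.14 here, are the first machines to pull for triage.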

Indicators of Compromise (IoCs)

Indicators of Compromise can be found here