- Kaspersky warns of WhatsApp phishing campaign spreading malicious VBScript files disguised as business documents
- Running them installs ManageEngine Endpoint Central, giving attackers remote access; localized file names increased global reach
- The victims come from Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam and Malaysia; the compromise method remains unknown
Attention WhatsApp users: a phishing campaign is underway on the platform, seeking to infect your devices with a legitimate but unsolicited endpoint security platform.
Security researchers at Kaspersky recently published a report detailing a campaign that starts with a compromised WhatsApp account. They could not determine how these accounts were hacked, but found that they were used to message the account owners' contacts and share a VBScript file masquerading as a business or financial document.
People who don’t find it strange when a contact suddenly shares work documents, and who go on to execute them, will benefit from ManageEngine’s Endpoint Central, a unified endpoint management (UEM) and endpoint security platform designed to let IT teams manage a fleet of desktops, laptops, servers, mobile devices and other endpoints from a single console.
Two scripts, one malware
In this case, however, they wouldn’t manage anything: they would simply grant attackers remote system access. Kaspersky says the campaign is quite widespread, with victims located in Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam and Malaysia.
One of the reasons the campaign was so successful internationally is that the file names are localized in multiple languages, Kaspersky added.
“Based on the evidence collected from multiple victims via social media reports and submitted samples, we can conclude that the threat actor gained access to multiple WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists,” Kaspersky researchers said.
“At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.”
Downloading and running the malicious files on Windows deploys two scripts that first disable UAC protections and then install the UEM agent. Kaspersky also pointed out that users of WhatsApp on the web have to download the files before they can run them, whereas in the desktop client the files can be executed directly through Windows Script Host.
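The two behaviours described above, a script host executing a .vbs that arrived over WhatsApp and a script turning off UAC, are both visible in ordinary process-creation telemetry. The following detector is an added example, not code from the article or from Kaspersky: it scans a handful of constructed process-creation records and flags wscript.exe/cscript.exe running a .vbs (with extra weight when the parent process is the WhatsApp desktop client, whose process name `WhatsApp.exe` is an assumption here) and a reg.exe command that writes 0 to the real UAC policy value `EnableLUA`. The event field names and every sample event are made up for the demo.

```python
"""
Added example (not from the article or from Kaspersky): scan constructed Windows
process-creation records for a script host launching a .vbs and for a UAC-disabling
registry write. Field names, the WhatsApp.exe parent name and all sample events
are assumptions made up for this demo.
"""
import re
from dataclasses import dataclass

# Windows Script Host executables that run .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# EnableLUA under HKLM\...\Policies\System is the real UAC policy value;
# writing 0 there disables UAC. The regex only looks for that write.
UAC_DISABLE_RE = re.compile(r"policies\\system.*EnableLUA.*\b0\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed shape, not a real vendor schema)."""
    image: str          # full path of the process that was created
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list:
    """Return the list of finding names for one event; an empty list means benign."""
    findings = []
    image = basename(event.image)
    parent = basename(event.parent_image)
    cmd = event.command_line.lower()

    if image in SCRIPT_HOSTS and ".vbs" in cmd:
        if parent == "whatsapp.exe":          # assumed desktop-client process name
            findings.append("vbs_launched_from_whatsapp_desktop")
        elif "\\downloads\\" in cmd:          # file saved by WhatsApp Web, then opened
            findings.append("vbs_launched_from_downloads")
        else:
            findings.append("vbs_launched")

    if image == "reg.exe" and UAC_DISABLE_RE.search(event.command_line):
        findings.append("uac_disable_attempt")

    return findings


def scan(events: list) -> dict:
    """Map event index -> findings for every event that produced at least one finding."""
    return {i: f for i, f in ((i, classify(e)) for i, e in enumerate(events)) if f}


# Constructed sample events (not real telemetry from any victim).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", "explorer.exe",
                 r"C:\Windows\System32\userinit.exe"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\WhatsApp\invoice_2024.vbs"',
                 r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\factura.vbs"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f',
                 r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA',
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(index, basename(SAMPLE_EVENTS[index].image), findings)
```

In practice the same three checks map onto Sysmon event ID 1 or Windows Security event 4688 records, and the "script host with WhatsApp as parent" rule is the one that most directly captures the desktop-client execution path Kaspersky describes; a `reg query` of the same value, as in the last sample event, is deliberately not flagged.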
Via BleepingComputer
