Brazilian users are under attack from a new self-propagating malware spreading through WhatsApp. Trend Micro named the campaign SORVEPOTEL, emphasizing its rapid propagation across Windows systems without the typical focus on data theft or ransomware.
According to researchers at Trend Micro, the malware spreads through convincing phishing messages with malicious ZIP file attachments. The phishing message requires users to open the attachment on a desktop, indicating a potential focus on enterprises over consumers.
The malware spreads through the desktop web version of WhatsApp, resulting in infected accounts being banned for spam activity. The majority of infections are in Brazil, affecting government, public service, manufacturing, technology, education, and construction sectors.
The attack begins with a phishing message from a compromised contact on WhatsApp, containing a ZIP attachment disguised as a harmless file. Inside the ZIP is a Windows shortcut (LNK) file that, when opened, runs a PowerShell script to download the main payload from an external server.
The downloaded payload, a batch script, establishes persistence on the host by copying itself to the Windows Startup folder and connects to a command-and-control server for further instructions. The malware leverages WhatsApp Web to rapidly spread the malicious ZIP file to all contacts and groups associated with the victim’s compromised account.
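As an added example, not code from Trend Micro's report or from the SORVEPOTEL samples, the following Python check shows how a mail or chat gateway can screen a ZIP attachment for the shortcut-based lure described above. It flags a member if its name carries an executable extension, if it hides a second extension (for example `.pdf.lnk`), or if its first bytes are the Windows Shell Link header regardless of what the file is called. The sample archive, its member names and contents are constructed for the demonstration; the `inspect_zip` and `build_sample_zip` names are this example's own.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List

# Every Windows Shell Link (.lnk) file starts with HeaderSize 0x0000004C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046}, shown here in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions that execute when double-clicked from the extracted archive.
EXEC_EXTENSIONS = {".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".exe", ".scr", ".hta"}


def inspect_zip(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious member of the ZIP archive held in `data`.

    Each finding is {"member": <name>, "reasons": [<reason>, ...]}; members with no
    reason are omitted, so an empty list means nothing was flagged.
    """
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)  # ZIP member names use forward slashes
            suffix = path.suffix.lower()
            suffixes = [s.lower() for s in path.suffixes]
            reasons: List[str] = []

            # Content check: a shell link renamed to .jpg or .pdf still has this header.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head.startswith(LNK_MAGIC):
                reasons.append("shell-link header")

            # Name checks: executable extension, and a document-looking double extension.
            if suffix in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {suffix}")
                if len(suffixes) >= 2:
                    reasons.append("double extension " + "".join(suffixes))

            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive (not a real sample): one shortcut with a double extension,
    one shortcut disguised as an image, and one benign text file."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header only; enough for the magic check
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.lnk", fake_lnk)
        zf.writestr("photo.jpg", fake_lnk)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed archive containing only a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding["member"], "->", ", ".join(finding["reasons"]))
```

The header check matters more than the extension check: Windows still treats a file as a shortcut by its `.lnk` extension, but attackers routinely rename lures, and a gateway that only looks at names misses the case where the shortcut is dropped next to a decoy under a different name. For a complete control, pair this attachment screen with monitoring for new files in the user's Startup folder, which is where the campaign's batch payload plants itself.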
Trend Micro warns that the SORVEPOTEL campaign showcases the increasing trend of using platforms like WhatsApp for large-scale malware propagation with minimal user interaction.