Copyright © All Rights Reserved. World of Software.
Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL

News Room
Last updated: 2025/10/03 at 9:28 AM
News Room Published 3 October 2025

Oct 03, 2025Ravie LakshmananMalware / Online Security

Brazilian users have emerged as the target of a new self-propagating malware that spreads via the popular messaging app WhatsApp.

The campaign, codenamed SORVEPOTEL by Trend Micro, weaponizes users' trust in the platform to extend its reach across Windows systems. Trend Micro added that the attack is “engineered for speed and propagation” rather than data theft or ransomware.

“SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments,” researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon said.

“Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers.”

Once the attachment is opened, the malware automatically propagates via the desktop web version of WhatsApp, ultimately causing the infected accounts to be banned for engaging in excessive spam. There are no indications that the threat actors have leveraged the access to exfiltrate data or encrypt files.

The vast majority of the infections — 457 of the 477 cases — are concentrated in Brazil, with entities in government, public service, manufacturing, technology, education, and construction sectors impacted the most.

The starting point of the attack is a phishing message sent from an already compromised contact on WhatsApp to lend it a veneer of credibility. The message contains a ZIP attachment that masquerades as a seemingly harmless receipt or health app-related file.

That said, there is evidence to suggest that the operators behind the campaign have also used emails to distribute the ZIP files from seemingly legitimate email addresses.

Should the recipient fall for the trick and open the attachment, they are lured into opening a Windows shortcut (LNK) file that, when launched, silently triggers the execution of a PowerShell script responsible for retrieving the main payload from an external server (e.g., sorvetenopoate[.]com).

The downloaded payload is a batch script designed to establish persistence on the host by copying itself to the Windows Startup folder so that it’s automatically launched following a system start. It’s also designed to run a PowerShell command that reaches out to a command-and-control (C2) server to fetch further instructions or additional malicious components.
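A defender-side triage sketch for the chain described above: a ZIP that carries a Windows shortcut, followed by a batch script persisted in the Startup folder that calls PowerShell. This is an added example, not code from Trend Micro or the original article; the function names and the sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

# MS-SHLLINK header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
SCRIPT_EXTS = {".bat", ".cmd"}


def shortcut_members(zip_bytes: bytes) -> list[str]:
    """Return names of ZIP members that are Windows shortcuts, by extension or header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = b""
            if not info.flag_bits & 0x1:  # encrypted members: fall back to the name only
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            if info.filename.lower().endswith(".lnk") or head == LNK_MAGIC:
                hits.append(info.filename)
    return hits


def startup_scripts_calling_powershell(startup_dir: Path) -> list[str]:
    """Return batch scripts in a Startup folder whose text invokes PowerShell."""
    hits = []
    for path in sorted(startup_dir.iterdir()):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            text = path.read_text(errors="ignore").lower()
            if "powershell" in text or "pwsh" in text:
                hits.append(path.name)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample: a benign text file plus two fake shortcut stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("RECEIPT.pdf.LNK", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("invoice.pdf", LNK_MAGIC + b"\x00" * 56)  # renamed shortcut
    return buf.getvalue()


if __name__ == "__main__":
    print(shortcut_members(build_sample_zip()))
```

On a Windows host the per-user Startup folder is `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`; a hit from either function is a lead for review, not a verdict.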

Central to SORVEPOTEL operations is the WhatsApp-focused propagation mechanism. If the malware detects that WhatsApp Web is active on the infected system, it proceeds to distribute the malicious ZIP file to all contacts and groups associated with the victim’s compromised account, allowing it to spread rapidly.

“This automated spreading results in a high volume of spam messages and frequently leads to account suspensions or bans due to violations of WhatsApp’s terms of service,” Trend Micro said.

“The SORVEPOTEL campaign demonstrates how threat actors are increasingly leveraging popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction.”
