New Malware Campaign Targets Brazilian Banks Through WhatsApp Exploits


By Tina Reynolds

The next big cybersecurity threat has arrived in Brazil. Aqua Security’s Camille Sévigny and Liz Rice point out a new threat actor, Water Saci, which has implemented a campaign utilizing a self-propagating malware dubbed SORVEPOTEL. This advanced malware specifically targets the desktop web version of WhatsApp to deliver its payload. The payload features a new, sophisticated variant, dubbed Maverick. The campaign exclusively targets Brazilian users and financial institutions and serves as a wake-up call for cybersecurity professionals and organizations everywhere.

The Water Saci campaign, which mostly targets organizations in India, was initially reported on by cybersecurity giant Trend Micro. The Maverick malware variant, developed on the .NET framework, is capable of decrypting and surveilling banking apps. It narrowly focuses on the home page URLs of the 100 largest financial institutions in Latin America. The campaign represents a significant change in methodology for banking trojans: they are going beyond traditional payloads and adopting far sneakier approaches.

Malware Distribution and Functionality

The malware in the Water Saci campaign exploits WhatsApp’s messaging platform to spread its malicious payload. By simply serving a ZIP archive containing the Maverick malware, the threat actor drastically increases their chances of avoiding detection and prevention measures.

“This technique allows the malware to bypass WhatsApp Web’s authentication entirely, gaining immediate access to the victim’s WhatsApp account without triggering security alerts or requiring QR code scanning.” – Trend Micro

Once installed, Maverick goes to work in the background—quickly and quietly. It constantly watches all of the browser’s open tabs and checks whether any URL matches a known list of financial institutions based in Brazil and across Latin America. This lets the malware stay stealthy while it steals sensitive information from unsuspecting users.

As with many other malware strains, that is not the only feature: Aurora’s code also contains a backdoor. This feature requires the threat actor to manually access the inbox and save the C2 server URL. It goes a step further, allowing the attacker to have more control over the systems they have infected.

Implications for Brazilian Users and Financial Institutions

Water Saci is also explicitly aimed at Brazilian banks, showing an even more pronounced focus on that particular geographic market. This underscores the immediate need for reinvigorated security initiatives in the area. Whatever the intentions behind this campaign, it raises serious concerns about the safety of online banking and personal data. It also aims at hotels in Brazil, suggesting that its goals may be expanding.

“Linking the Water Saci campaign to Coyote reveals a bigger picture that exhibits a significant shift in the banking trojan’s propagation methods. Threat actors have transitioned from relying on traditional payloads to exploiting legitimate browser profiles and messaging platforms for stealthy, scalable attacks.” – Trend Micro

Maverick’s ability to track and control sensitive financial information presents substantial dangers for consumers as well as financial companies. It queries the compromised victim’s time zone, language, region, and date format. This helps ensure it only hits Brazilian victims, providing more evidence of a highly tailored approach to its attacks.

Evolving Tactics in Cybercrime

According to security experts, the Water Saci campaign is a leading indicator of cybercrime modus operandi shifting in an alarming direction. By leveraging legitimate platforms like WhatsApp and targeting specific demographics, threat actors can execute attacks with greater precision and effectiveness.

“After terminating any existing Chrome processes and clearing old sessions to ensure clean operation, the malware copies the victim’s legitimate Chrome profile data to its temporary workspace.” – Trend Micro
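The sequence in the quote above (Chrome killed, then the victim’s profile copied into a temporary workspace) is a behaviour a defender can look for in endpoint telemetry. The following is an added example, not code from the original article or from Trend Micro: a small Python detector that correlates, per host and per acting process, a termination of chrome.exe followed within a short window by Chrome credential and session stores (Login Data, Cookies, Web Data, Local State) being written under a Temp directory. The log format, host names, paths and timestamps are all constructed for the example and do not come from the campaign.

```python
"""Added example: flag a process that kills Chrome and then stages the
victim's Chrome profile under a Temp directory, as described in the quote.
Log schema, hosts, paths and timestamps below are constructed, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Credential and session stores inside a Chrome profile: copying these out of
# "User Data" is what lets an attacker reuse the victim's logged-in sessions.
CHROME_PROFILE_ARTIFACTS = {"login data", "cookies", "web data", "local state"}
CHROME_IMAGE = "chrome.exe"

# Constructed, simplified endpoint events: time|host|event|actor_image|target
# (hypothetical schema, not Sysmon's real field layout).
SAMPLE_LOG = r"""
# WS-042: a program in Temp kills Chrome, then writes profile stores into Temp (hijack)
2025-10-20T14:03:01|WS-042|ProcessTerminate|C:\Users\ana\AppData\Local\Temp\svc\updater.exe|C:\Program Files\Google\Chrome\Application\chrome.exe
2025-10-20T14:03:02|WS-042|FileCreate|C:\Users\ana\AppData\Local\Temp\svc\updater.exe|C:\Users\ana\AppData\Local\Temp\svc\profile\Default\Login Data
2025-10-20T14:03:03|WS-042|FileCreate|C:\Users\ana\AppData\Local\Temp\svc\updater.exe|C:\Users\ana\AppData\Local\Temp\svc\profile\Default\Cookies
# WS-077: the user closes Chrome from the shell; Chrome later updates its own profile (benign)
2025-10-20T14:05:00|WS-077|ProcessTerminate|C:\Windows\explorer.exe|C:\Program Files\Google\Chrome\Application\chrome.exe
2025-10-20T14:40:00|WS-077|FileCreate|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies
# WS-099: an archiver writes a profile store into Temp, but no Chrome kill by that process (not flagged)
2025-10-20T14:06:00|WS-099|FileCreate|C:\Program Files\7-Zip\7z.exe|C:\Users\cc\AppData\Local\Temp\backup\Default\Login Data
"""


@dataclass
class Event:
    time: datetime
    host: str
    kind: str     # "ProcessTerminate" or "FileCreate"
    actor: str    # image path of the process performing the action
    target: str   # process image terminated, or file path created


def parse_log(text: str) -> list:
    """Parse the pipe-separated sample format into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, kind, actor, target = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), host, kind, actor, target))
    return events


def is_temp_path(path: str) -> bool:
    """True if any directory component of the Windows path is 'Temp'."""
    return any(part.lower() == "temp" for part in PureWindowsPath(path).parts)


def is_profile_artifact(path: str) -> bool:
    """True if the file name is one of the Chrome profile stores we care about."""
    return PureWindowsPath(path).name.lower() in CHROME_PROFILE_ARTIFACTS


def detect_profile_hijack(log_text: str, window_seconds: int = 120) -> list:
    """Return one alert per (host, actor) that killed chrome.exe and, within
    window_seconds afterwards, wrote Chrome profile stores under a Temp path."""
    by_actor = defaultdict(list)
    for ev in parse_log(log_text):
        by_actor[(ev.host, ev.actor)].append(ev)

    alerts = []
    for (host, actor), evs in by_actor.items():
        if PureWindowsPath(actor).name.lower() == CHROME_IMAGE:
            continue  # Chrome writing its own profile is normal behaviour
        evs.sort(key=lambda e: e.time)
        kills = [e for e in evs if e.kind == "ProcessTerminate"
                 and PureWindowsPath(e.target).name.lower() == CHROME_IMAGE]
        for kill in kills:
            deadline = kill.time + timedelta(seconds=window_seconds)
            staged = [e.target for e in evs
                      if e.kind == "FileCreate" and kill.time <= e.time <= deadline
                      and is_temp_path(e.target) and is_profile_artifact(e.target)]
            if staged:
                alerts.append({"host": host, "actor": actor,
                               "chrome_killed_at": kill.time.isoformat(),
                               "artifacts_staged": staged})
    return alerts


if __name__ == "__main__":
    for alert in detect_profile_hijack(SAMPLE_LOG):
        print(alert)
```

The correlation key is deliberately (host, acting process) rather than host alone: on a busy workstation a user closing Chrome and an unrelated backup tool touching a profile copy would otherwise collide. Tuning the window and the list of profile stores to the environment is the expected follow-up.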

The implications of this evolution are significant. Cybercriminals are always evolving their tactics to stay one step ahead. Today, they operate highly advanced command-and-control systems to dynamically coordinate their malware campaigns in real time. This act, in turn, kills the infected machines’ ability to function as a coordinated tool across many endpoints – known as a botnet.

The unpredictable and opportunistic nature of these attacks requires hyper-awareness from users and organizations across the industry. Protections against cybersecurity threats risk being inadequate the moment they are developed. Keeping pace with this evolution is critical to securing sensitive information and continuing to build user confidence and trust in digital banking ecosystems.