New Malware SORVEPOTEL Targets Brazilian WhatsApp Users

By Tina Reynolds

Trend Micro researchers have identified a new malware family, which they named SORVEPOTEL. It is infecting users in Brazil through the cross-platform messaging service WhatsApp. The chain begins with a phishing message, typically sent over WhatsApp, that carries a malicious ZIP attachment. Opening the attachment triggers a PowerShell script, which fetches the main payload from an attacker-controlled server; once running, the malware uses the victim's own WhatsApp session to send itself on to their contacts, which is what lets it propagate so quickly to unsuspecting users.

SORVEPOTEL is reported to exploit CVE-2022-38042 among other weaknesses, but the observed execution chain is simple: a Windows shortcut (LNK) file inside the ZIP runs a PowerShell script, and the primary payload that script retrieves, a batch script, establishes persistence on the infected system. The persistence method is nothing more than copying itself into the Windows Startup folder, which ensures the malware runs automatically every time the user logs on after a reboot.
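Because the persistence described above is just a file dropped into a Startup folder, it is also easy to audit. The following script is an added example written for this page, not code from the original article or from Trend Micro. It lists the per-user and all-users Startup folders, flags script and shortcut entries, resolves LNK targets without executing them, and reports any that reference PowerShell or another common launcher. The folder paths come from Windows itself; the extension list and the launcher keywords are this example's own assumptions and should be tuned to your environment.

```powershell
# Added example (not from the original article or Trend Micro): audit the
# per-user and all-users Startup folders for the kind of entry SORVEPOTEL is
# described as dropping (a batch script, or a shortcut that launches
# PowerShell). Run in an elevated PowerShell session on the host being checked.
# The "suspicious" extension list and the launcher keywords are assumptions
# made for this example, not indicators published by the researchers.

$suspiciousExtensions = @('.bat', '.cmd', '.lnk', '.vbs', '.js', '.ps1', '.hta', '.exe')
$launcherPatterns     = @('powershell', 'pwsh', 'cmd.exe', 'mshta', 'wscript', 'cscript', 'rundll32')

function Get-StartupFolders {
    # Both locations run at logon; malware uses whichever one it can write to.
    @(
        [Environment]::GetFolderPath('Startup'),        # current user
        [Environment]::GetFolderPath('CommonStartup')   # all users (admin needed to write)
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
}

function Resolve-ShortcutTarget {
    param([string]$LnkPath)
    # WScript.Shell parses the .lnk for us; it does not run the target.
    $shell = New-Object -ComObject WScript.Shell
    try {
        $sc = $shell.CreateShortcut($LnkPath)
        [pscustomobject]@{ Target = $sc.TargetPath; Arguments = $sc.Arguments }
    } finally {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}

function Find-SuspiciousStartupEntries {
    foreach ($folder in Get-StartupFolders) {
        foreach ($item in Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue) {
            $ext = $item.Extension.ToLowerInvariant()
            if ($ext -notin $suspiciousExtensions) { continue }

            $reason = "startup item with $ext extension"
            $cmd = ''
            if ($ext -eq '.lnk') {
                $t = Resolve-ShortcutTarget -LnkPath $item.FullName
                $cmd = "$($t.Target) $($t.Arguments)"
            } elseif ($ext -in @('.bat', '.cmd', '.vbs', '.js', '.ps1', '.hta')) {
                # Read the script body so a launcher hidden inside it is caught too.
                $cmd = Get-Content -LiteralPath $item.FullName -Raw -ErrorAction SilentlyContinue
            }
            $hit = $launcherPatterns | Where-Object { $cmd -and ($cmd -match [regex]::Escape($_)) }
            if ($hit) { $reason += '; references ' + ($hit -join ', ') }

            $preview = ''
            if ($cmd) { $preview = $cmd.Substring(0, [Math]::Min(200, $cmd.Length)) }

            [pscustomobject]@{
                Path    = $item.FullName
                Created = $item.CreationTime
                Reason  = $reason
                Command = $preview
            }
        }
    }
}

Find-SuspiciousStartupEntries | Format-List
```

A clean host prints nothing. Any hit is worth a look, but a shortcut or batch file whose command line references powershell.exe is the pattern this campaign is described as using, and the CreationTime column gives you a pivot for the rest of the timeline (when the ZIP was opened, when the PowerShell download ran).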

Targeted Industries and Infection Spread

The campaign lands on individual users' machines, but the infections span sectors across Brazil, from federal government and public services to manufacturing and technology. Of the 477 confirmed infections the researchers counted, 457 are in Brazil.

The spread of SORVEPOTEL also highlights the exposure of businesses that rely on WhatsApp for day-to-day communication: once one device is compromised, the malware spreads from it to that user's contacts. The sudden rise in infections raises legitimate concerns about data security and about disruption of operations in essential sectors.

“SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments,” – researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon.

Phishing Tactics and User Interaction

The phishing message uses a sense of urgency to grab attention and push the recipient into opening the attachment. The attachment arrives over WhatsApp or email and is built for desktop Windows machines; it has no effect on a phone. That choice of target suggests the attackers are less interested in individual consumers than in enterprises, where WhatsApp Web is open on a company PC.

“Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers,” – researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon.
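The practical defence at the desktop is to look inside a ZIP attachment before anyone extracts or double-clicks it. The script below is an added example written for this page, not code from the original article or from Trend Micro. It reads a ZIP's central directory with .NET (nothing is extracted or executed), flags shortcut and script entries, and calls out the double-extension trick that makes a .lnk look like a document when Windows hides known extensions. The sample archive is constructed in a temp folder purely to show the check running; the extension list and the size heuristic are this example's own assumptions.

```powershell
# Added example (not code from the original article or from Trend Micro):
# inspect a ZIP attachment without extracting or opening anything inside it,
# and flag entries that could start the LNK -> PowerShell chain the campaign
# is described as using. The sample ZIP is constructed below for the demo.
# The extension list and the "small .lnk" heuristic are assumptions of this
# example, not published indicators.

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$riskyExtensions = @('.lnk', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.hta', '.exe', '.scr', '.iso')

function Test-ZipAttachment {
    param([Parameter(Mandatory)][string]$ZipPath)
    # OpenRead only parses the archive's directory; entry data is never written to disk.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/')) { continue }      # directory entry
            $name = [System.IO.Path]::GetFileName($entry.FullName)
            $ext  = [System.IO.Path]::GetExtension($name).ToLowerInvariant()

            $reasons = @()
            if ($ext -in $riskyExtensions) { $reasons += "launcher/executable type $ext" }
            # "documento.pdf.lnk": the visible name says PDF, the real type is a shortcut.
            if ($ext -in $riskyExtensions -and ($name -split '\.').Count -gt 2) { $reasons += 'double extension' }
            # A shortcut is tiny; one carrying a long command line is a downloader, not a link to a document.
            if ($ext -eq '.lnk' -and $entry.Length -gt 0 -and $entry.Length -lt 4096) { $reasons += 'small .lnk, typical of a launcher' }

            $verdict = 'ok'
            if ($reasons) { $verdict = 'SUSPICIOUS: ' + ($reasons -join '; ') }

            [pscustomobject]@{ Entry = $entry.FullName; Bytes = $entry.Length; Verdict = $verdict }
        }
    } finally {
        $zip.Dispose()
    }
}

# --- Constructed sample archive (demo only): one benign text file and one
# --- placeholder named like a disguised shortcut. The .lnk content is just
# --- text, not a real shortcut, so nothing here can launch anything.
$tmpDir = Join-Path ([System.IO.Path]::GetTempPath()) ('zip-check-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmpDir | Out-Null
$samplePath = Join-Path $tmpDir 'attachment-sample.zip'

$archive = [System.IO.Compression.ZipFile]::Open($samplePath, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    foreach ($pair in @(@('readme.txt', 'benign text'), @('documento.pdf.lnk', 'placeholder bytes, not a real shortcut'))) {
        $writer = New-Object System.IO.StreamWriter($archive.CreateEntry($pair[0]).Open())
        $writer.Write($pair[1])
        $writer.Dispose()
    }
} finally {
    $archive.Dispose()
}

Test-ZipAttachment -ZipPath $samplePath | Format-Table -AutoSize
Remove-Item -LiteralPath $tmpDir -Recurse -Force
```

Run against a real attachment by replacing `$samplePath` with its path; a ZIP whose only "document" is a .lnk or .bat should never be opened on a workstation that also has WhatsApp Web signed in. The same check is cheap enough to run at a mail or chat gateway before the file reaches a user.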

Cybercriminals keep adapting their delivery tactics, and popular communication platforms such as WhatsApp are now being used as the distribution channel itself, because a message from a known contact is far more likely to be opened than one from a stranger.

Implications for WhatsApp Users

Because SORVEPOTEL propagates automatically through the victim's WhatsApp session, infected accounts generate a high volume of spam messages to their contacts. Beyond the nuisance, this exposes the account to suspension or a permanent ban for breaching WhatsApp's terms of service.

“The SORVEPOTEL campaign demonstrates how threat actors are increasingly leveraging popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction,” – Trend Micro.

“This automated spreading results in a high volume of spam messages and frequently leads to account suspensions or bans due to violations of WhatsApp’s terms of service,” – Trend Micro.