WhatsApp VBScript campaign uses fake documents to spread RMM software

Malicious VBScript files are being spread through WhatsApp messages to install legitimate remote monitoring and management (RMM) software on victims’ systems; a Kaspersky technical analysis says the campaign is active in Malaysia and at least 11 other countries.

KEY FACTS

  • Targets: WhatsApp Desktop and WhatsApp Web users in Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia and Vietnam.
  • Main lure: Files disguised as business and financial documents, with names such as Financial Reports.vbs and Account Statement.vbs.
  • Payload: The script chain downloads further VBScript components and then installs ManageEngine RMM Central.
  • Unknown: How the WhatsApp accounts used to send the files were initially compromised has not been determined.

In the report, Kaspersky said the files are heavily obfuscated and use comments and metadata meant to resemble Microsoft Windows Update components. Some comments are written in Chinese and refer to certificate validation, system integrity checks and deployment-related functions.

The infection chain differs by platform. On WhatsApp Web, the user must download the file and then open it from the Downloads folder or from the browser’s download history, so the script host is started by Explorer or the browser rather than by WhatsApp. On WhatsApp Desktop, the file can be opened from within the client: WhatsApp.Root.exe launches it and spawns WScript.exe to run the script, which leaves a distinctive parent/child process pair.

The primary script downloads two secondary VBScript payloads from a remote server. One tries to alter Windows User Account Control behavior, while the other retrieves and runs a ZIP file that contains the installation package for ManageEngine RMM Central. The activity remains unattributed, although the report noted infrastructure overlap with earlier Gh0st RAT and ValleyRAT activity.
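The observable steps of the chain described above (a script host started by WhatsApp.Root.exe or run against a .vbs from the Downloads folder, a UAC policy value written by that script host, and an installer launched from it) can be triaged from endpoint telemetry. The following Python is an added example, not code from the Kaspersky report or from any vendor: it runs over a handful of constructed Sysmon-style events (process creation, Event ID 1; registry value set, Event ID 13) and tags each step. The UAC value names it watches (EnableLUA and related values under the Policies\System key), the WhatsApp install path and the installer file name in the sample are assumptions; the report only states that UAC behaviour is altered and that a ZIP containing the RMM Central installer is run.

```python
"""Triage the WhatsApp VBScript chain from Sysmon-style events.

Added example, not code from the Kaspersky report. Event fields follow the
Sysmon names (Image, ParentImage, CommandLine, TargetObject). The sample
events are constructed; the UAC value names, the WhatsApp install path and
the installer file name are assumptions made for the sample.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WHATSAPP_LAUNCHER = "whatsapp.root.exe"  # parent process named in the report
# Assumed target of the "alter UAC behaviour" stage: the policy values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
DOWNLOADS_RE = re.compile(r"\\downloads\\", re.I)  # WhatsApp Web path: opened from Downloads
VBS_RE = re.compile(r'"?([^"]+\.vbs)"?', re.I)     # first .vbs argument on the command line


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the finding tags that apply to one event (empty list if benign)."""
    findings = []
    eid = event.get("EventID")
    image = _name(event.get("Image", ""))
    parent = _name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    if eid == 1:  # process creation
        # WhatsApp Desktop branch: the client itself starts the script host.
        if image in SCRIPT_HOSTS and parent == WHATSAPP_LAUNCHER:
            findings.append("script_host_spawned_by_whatsapp")
        # WhatsApp Web branch: no WhatsApp parent, so key on a .vbs in Downloads.
        if image in SCRIPT_HOSTS:
            m = VBS_RE.search(cmd)
            if m and DOWNLOADS_RE.search(m.group(1)):
                findings.append("vbs_run_from_downloads")
        # Final stage: the script host launches an installer (assumed MSI or
        # anything naming ManageEngine on its command line).
        if parent in SCRIPT_HOSTS and (image == "msiexec.exe" or "manageengine" in cmd.lower()):
            findings.append("rmm_installer_spawned_by_script_host")
    elif eid == 13:  # registry value set
        target = event.get("TargetObject", "").lower()
        value = target.rsplit("\\", 1)[-1]
        if image in SCRIPT_HOSTS and target.startswith(UAC_KEY + "\\") and value in UAC_VALUES:
            findings.append("uac_policy_changed_by_script_host")
    return findings


def triage(events: list) -> dict:
    """Map each finding tag to the indices of the events that raised it."""
    hits = {}
    for idx, ev in enumerate(events):
        for tag in classify(ev):
            hits.setdefault(tag, []).append(idx)
    return hits


# Constructed sample telemetry (not real logs); paths and file names are assumed.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.Root.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Financial Reports.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\Account Statement.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",  # benign admin script
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\ManageEngine_RMM_Central.msi" /qn'},
]

if __name__ == "__main__":
    for tag, idxs in triage(SAMPLE_EVENTS).items():
        print(f"{tag}: events {idxs}")
```

The WhatsApp Desktop branch gives a precise signal (the WhatsApp.Root.exe to WScript.exe parent/child pair should essentially never occur legitimately), whereas the WhatsApp Web branch can only be caught by the weaker "script host running a .vbs from Downloads" heuristic, which will also fire on user-saved admin scripts and needs tuning per environment. The registry and installer rules are what turn a single suspicious launch into the full chain the report describes.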

WHY IT MATTERS

The campaign shows how trusted messaging platforms can be used to deliver malware through familiar file names and compromised accounts. It also illustrates the risk of opening script files that appear to be routine documents, especially when they arrive unexpectedly from contacts.