Security researchers at Trustwave SpiderLabs reported a campaign that leverages social engineering and WhatsApp account hijacking to spread a Delphi-based banking trojan identified as Eternidade Stealer, targeting users in Brazil.
The attack chain begins with an obfuscated Visual Basic Script containing Portuguese comments that drops a batch file which forks execution into two payloads: a Python script that propagates via WhatsApp Web and an MSI installer that deploys the Eternidade Stealer through an AutoIt script. The researchers noted the campaign uses Internet Message Access Protocol (IMAP) to retrieve command-and-control addresses dynamically and observed a shift from earlier PowerShell-based hijacking scripts to Python.
The Python component automates messaging on hijacked WhatsApp accounts by leveraging the open-source project WPPConnect. It harvests a victim’s contact list while filtering out groups, business contacts and broadcast lists, exfiltrates contact metadata to an attacker-controlled server, and sends malicious attachments using templated messages with time-based greetings and contact names.
The MSI branch drops multiple payloads and uses an AutoIt script to check whether the operating system language is Brazilian Portuguese; if it is not, the malware terminates, which both narrows the targeting to Brazil and avoids detonating in many analysis environments. The script also scans running processes and registry keys for security products and profiles the machine, after which the Eternidade Stealer is injected into svchost.exe via process hollowing, the researchers found.
Eternidade continuously monitors active window titles and running processes for strings associated with banks, payment services and cryptocurrency services (examples include Bradesco, BTG Pactual, MercadoPago, Stripe, Binance, Coinbase, MetaMask and Trust Wallet). When a match is found, the malware contacts a command-and-control server whose address it retrieves over IMAP from a terra.com.br inbox, falling back to a hard-coded C2 if the mailbox cannot be reached, and then awaits remote commands to collect system information, monitor user activity or display overlay screens that capture credentials.
Trustwave said infrastructure analysis uncovered a Redirector System and login panels that enforce geofencing to Brazil and Argentina, redirect blocked connections to “google.com/error,” and logged 454 access attempts (452 blocked). Panel data showed connections from multiple countries and operating systems, suggesting a wider operational footprint. The researchers advised defenders to watch for unexpected WhatsApp activity, unusual MSI or script execution, and the indicators associated with this campaign; they also noted this activity follows other WhatsApp propagation campaigns such as those delivering the Maverick trojan.
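The hunting advice above translates into three concrete heuristics: a script host that spawns a batch shell which in turn forks into Python and msiexec (the VBS-to-batch stage), a svchost.exe that was not started by services.exe (the hollowing target), and IMAP traffic from a process that is not a mail client (the mailbox-based C2 lookup). The following is an added example, not code from Trustwave or from the campaign; the event shapes, the process image names (wscript.exe, cmd.exe, python.exe, msiexec.exe, autoit3.exe) and the sample events are constructed assumptions about how the described chain would appear in Sysmon-style process-creation and network-connection telemetry.

```python
from dataclasses import dataclass

# Constructed event shapes loosely modelled on Sysmon event IDs 1 and 3 (assumption).
@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # image file name, lower-case
    cmdline: str = ""

@dataclass
class NetworkEvent:
    pid: int
    dest_port: int

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe"}
SECOND_STAGE = {"python.exe", "pythonw.exe", "msiexec.exe"}   # the two forks of the batch file
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}             # processes allowed to speak IMAP
IMAP_PORTS = {143, 993}

def ancestry(procs, pid, depth=4):
    """Image names of pid and up to `depth` ancestors, child first; stops at unknown pids."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) <= depth:
        seen.add(pid)
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain

def hunt(process_events, network_events):
    """Return (rule, pid, detail) tuples for events matching the three heuristics."""
    procs = {p.pid: p for p in process_events}
    findings = []
    for p in process_events:
        chain = ancestry(procs, p.pid)
        # Rule 1: script host -> cmd.exe -> python/msiexec (VBS drops a batch that forks).
        if (p.image in SECOND_STAGE and len(chain) >= 3
                and chain[1] in SHELLS and chain[2] in SCRIPT_HOSTS):
            findings.append(("script_host_fork", p.pid, " <- ".join(chain[:3])))
        # Rule 2: svchost.exe whose parent is not services.exe (hollowed host process).
        parent = procs.get(p.ppid)
        if p.image == "svchost.exe" and parent and parent.image != "services.exe":
            findings.append(("svchost_unexpected_parent", p.pid, parent.image))
    for n in network_events:
        owner = procs.get(n.pid)
        # Rule 3: IMAP connection from something that is not a mail client (C2 address lookup).
        if n.dest_port in IMAP_PORTS and owner and owner.image not in MAIL_CLIENTS:
            findings.append(("imap_from_non_mail_client", n.pid, owner.image))
    return findings

# Constructed sample telemetry: one benign svchost/outlook pair and one infection chain.
SAMPLE_PROCS = [
    ProcessEvent(50, 1, "explorer.exe"),
    ProcessEvent(100, 1, "services.exe"),
    ProcessEvent(200, 100, "svchost.exe", "svchost.exe -k netsvcs"),      # benign
    ProcessEvent(300, 50, "wscript.exe", "wscript.exe script.vbs"),        # obfuscated VBS
    ProcessEvent(301, 300, "cmd.exe", "cmd.exe /c dropped.bat"),           # batch stage
    ProcessEvent(302, 301, "python.exe", "python.exe wpp.py"),             # WhatsApp fork
    ProcessEvent(303, 301, "msiexec.exe", "msiexec.exe /i pkg.msi /qn"),   # MSI fork
    ProcessEvent(304, 303, "autoit3.exe"),                                 # AutoIt loader
    ProcessEvent(305, 304, "svchost.exe"),                                 # hollowed host
    ProcessEvent(400, 50, "outlook.exe"),
]
SAMPLE_NET = [
    NetworkEvent(305, 993),   # stealer fetching its C2 address from a mailbox
    NetworkEvent(400, 993),   # a real mail client doing IMAP
]

def sample_findings():
    return hunt(SAMPLE_PROCS, SAMPLE_NET)

if __name__ == "__main__":
    for rule, pid, detail in sample_findings():
        print(f"{rule:28} pid={pid:<4} {detail}")
```

Rule 2 is the classic hollowing heuristic and has legitimate exceptions (for example svchost.exe started by MsMpEng.exe on some builds), so treat it as a hunting lead to enrich with command line and image-load data rather than a blocking alert on its own.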