New malware leverages WhatsApp to target Brazilian government and businesses
Hackers are using the WhatsApp messaging platform in an ongoing campaign to infect Windows computers across Brazil, researchers have found.
The malware, dubbed Sorvepotel, spreads through phishing messages containing a zip file that appears to be a legitimate document, such as a receipt or health form.
“Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers,” researchers at cybersecurity firm Trend Micro said.
“A key feature of Sorvepotel malware is its ability to detect whether WhatsApp web is active on the infected machine,” they added.
The attackers’ goal appears to be the delivery of more malware, typically a payload that gathers banking information, Trend Micro said.
The infection begins when a user receives a WhatsApp message from a compromised contact such as a friend or colleague.
Once executed, the malware hijacks the victim’s WhatsApp web session and automatically sends the same zip file to all of their contacts and group chats, rapidly spreading the infection.
Unlike ransomware or data-stealing campaigns, Sorvepotel is designed for speed and mass propagation, exploiting trust between WhatsApp users, the researchers said.
“This automated spreading results in a high volume of spam messages and frequently leads to account suspensions or bans due to violations of WhatsApp’s terms of service,” they added.
The campaign appears to be concentrated in Brazil, which accounted for 457 of the 477 recorded infections, Trend Micro said. Most victims are in government and public service sectors, but the malware has also affected organizations in manufacturing, education, banking, technology and construction.
In addition to Sorvepotel, researchers identified two related payloads: Maverick.StageTwo, which targets Brazilian banking users, and Maverick.Agent, capable of stealing credentials and displaying fake overlay windows that mimic legitimate financial websites to trick users into revealing sensitive information.
While there is no evidence so far of large-scale data theft or ransomware encryption, researchers noted that earlier Brazilian campaigns using similar techniques have targeted financial institutions. The campaign has not been attributed to any known hacking group.
Brazil has faced several high-profile cyber incidents in recent months. Earlier this week, hackers stole more than 5 million reals (about $939,000) from municipal bank accounts in the southeastern city of Monte Sião. In July, police arrested a software company employee accused of helping steal over $100 million through Brazil’s instant payment system, PIX.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.