SEK has identified a new cyberattack campaign targeting Brazilian companies through WhatsApp.
Criminals are using seemingly legitimate phone numbers to distribute malicious files disguised as payment receipts,
compromising the security of organizations across various sectors in the country.
The attackers’ strategy is sophisticated and leverages the trust established through WhatsApp communication.
The approach begins with a cordial greeting, followed by the name or number of the recipient, creating an appearance of legitimacy. Then, the criminals send a compressed ZIP file, accompanied by a message stating:
“Viewing allowed only on computers. If you are using the Chrome browser, you may be asked to ‘Keep’ the file…”.
This instruction was specifically crafted to trigger the victim’s curiosity and encourage them to download and open the malicious file.
Technical analysis conducted by SEK revealed that the compressed file contains a shortcut file that, in reality, carries an obfuscated command line. When executed, this shortcut makes requests to malicious domains controlled by the attackers, including zapgrande[.]com, sorvetenopote[.]com, expansiveuser[.]com, and etenopote[.]com, as well as to the IP addresses 23[.]227[.]203[.]148 and 109[.]176[.]30[.]141.
These requests download the malicious payload, establish persistence on the compromised system, and configure a command-and-control channel using the Havoc framework.
Havoc is an open-source remote access tool that has gained popularity among cybercriminals for its versatility and its ability to evade security systems. Once command and control is established, attackers can capture credentials, steal confidential information, monitor user activity, and use the compromised system as an entry point for more complex attacks against the corporate infrastructure.
The use of legitimate WhatsApp numbers makes this campaign particularly dangerous, as victims may recognize the number and believe the message comes from a trusted source. In addition, the pretext of payment receipts is especially effective in the Brazilian corporate environment. SEK has analyzed similar campaigns in its Intelligence Bulletin:
https://links.sek.io/bdi-golpeboletofalso2
SEK has already added the domains and IP addresses identified in this campaign to detection and blocking mechanisms in the environments of managed clients.
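An added defender-side example (not SEK's code) covering the two detection points above: it flags archive members that are Windows shortcuts by their file header rather than their extension, and sweeps DNS/proxy log lines for the indicators quoted in this bulletin. The archive and the log lines are constructed samples; the IoC list is taken from the text above.

```python
import io
import re
import zipfile
# Indicators quoted in the SEK bulletin, kept in defanged form.
ADVISORY_IOCS = [
    "zapgrande[.]com", "sorvetenopote[.]com", "expansiveuser[.]com",
    "etenopote[.]com", "23[.]227[.]203[.]148", "109[.]176[.]30[.]141",
]

# Refang each indicator and match it whole or as a subdomain; the lookbehind
# stops 'sorvetenopote.com' from also counting as a hit on 'etenopote.com'.
IOC_PATTERN = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(i.replace("[.]", ".")) for i in ADVISORY_IOCS) + r")(?![\w-])",
    re.IGNORECASE,
)

def find_ioc_hits(log_lines):
    """Return (line_number, indicator) for every log line referencing an advisory IoC."""
    return [(n, m.group(1).lower())
            for n, line in enumerate(log_lines, start=1)
            for m in IOC_PATTERN.finditer(line)]

# Fixed header of a Windows shell link (.lnk): HeaderSize 0x4C then the LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

def shortcut_members(zip_bytes: bytes):
    """Name every archive member that is a shortcut by header, whatever its extension."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                if fh.read(len(LNK_MAGIC)) == LNK_MAGIC:
                    found.append(info.filename)
    return found

def build_sample_zip() -> bytes:
    """Constructed sample archive: a harmless text file plus a fake shortcut (header only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("leia-me.txt", "texto inofensivo")
        zf.writestr("comprovante.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()

# Constructed DNS/proxy log lines for a dry run; only lines 1, 2 and 4 should fire.
SAMPLE_LOGS = [
    "2024-05-02T13:01:07Z dns host=WS-017 qname=zapgrande.com type=A",
    "2024-05-02T13:01:09Z proxy host=WS-017 url=http://23.227.203.148/stage status=200",
    "2024-05-02T13:02:11Z dns host=WS-022 qname=www.microsoft.com type=A",
    "2024-05-02T13:03:40Z proxy host=WS-031 url=https://cdn.sorvetenopote.com/ status=200",
]
```

Checking the header instead of the extension matters because a shortcut renamed to look like a receipt is still a shortcut; run `shortcut_members()` over archives quarantined from messaging clients and `find_ioc_hits()` over exported DNS and proxy logs.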
Recommendations:
- Establish continuous cybersecurity awareness programs, training employees to recognize social engineering attempts.
- Implement strict verification policies for any file received via instant messaging before it is opened on a corporate device.
- Deploy robust and updated antimalware solutions on all endpoints.
- Maintain 24/7 monitoring to detect anomalous behavior, with specialized incident response capabilities.
- Adopt Threat Intelligence solutions to keep the team informed about active campaigns and relevant IoCs.
SEK remains available to clarify doubts, implement protective measures, and respond to any incidents related to this campaign.