What happened
Researchers at Acronis have identified a campaign in which the Astaroth banking malware uses automation to spread through WhatsApp Web on Windows systems. Once it runs on a victim's machine, the malware harvests the contact list and auto-sends malicious attachments to every contact, creating a self-propagating infection loop. The campaign uses a two-component chain: a disguised Visual Basic script and a Python-based propagation module. Because the messages arrive from trusted contacts, the social engineering succeeds more often than it would from an unknown sender. The malicious ZIP attachments often carry payloads that install credential-stealing and banking-trojan components, so the campaign both spreads rapidly and steals financial data. The tactic is an evolution of messaging-platform-based malware distribution that leverages WhatsApp's reach.
Who is affected
Windows users of WhatsApp Web are directly exposed to malware spread and credential theft, particularly those with large contact lists and the Brazilian users targeted in the campaign.
Why CISOs should care
This incident highlights messaging platforms as vectors for automated malware propagation and credential theft, with implications for enterprise endpoint security, user training, and detection of lateral propagation via social channels.
3 practical actions
- Enforce secure messaging policies: Define and enforce secure usage policies for messaging platforms like WhatsApp Web on corporate devices.
- Deploy endpoint protections: Use advanced endpoint detection to block scripting abuse and automated messaging malware.
- Increase user awareness: Educate users on risks of opening unsolicited attachments, even from trusted contacts.
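As an added illustration of the "deploy endpoint protections" action above (example code, not part of the original brief or of any vendor product), the heuristic below flags two telemetry patterns that match the described chain: a Windows script host spawning a Python interpreter, and a .vbs file run from a user-writable staging folder. The event field names, process paths and sample events are constructed assumptions, not data from the campaign.

```python
# Added example: a small detection heuristic over constructed process-creation
# events. Field names (parent_image, image, command_line, pid) are assumptions
# about the telemetry format; the sample events below are constructed.
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
# User-writable locations where an attachment-dropped script typically lands.
STAGING_DIRS = ("\\temp\\", "\\downloads\\", "\\appdata\\local\\")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def flag_event(ev: Dict[str, str]) -> List[str]:
    """Return the detection reasons that apply to one process-creation event."""
    reasons: List[str] = []
    parent = _basename(ev.get("parent_image", ""))
    image = _basename(ev.get("image", ""))
    cmd = ev.get("command_line", "").lower()
    # 1. Script host launching Python: the VBS-to-Python hand-off described above.
    if parent in SCRIPT_HOSTS and image in PYTHON_IMAGES:
        reasons.append("script host spawned python")
    # 2. Script host running a .vbs from a staging directory, as when a
    #    disguised script is opened straight from an attachment.
    if image in SCRIPT_HOSTS and ".vbs" in cmd and any(d in cmd for d in STAGING_DIRS):
        reasons.append("vbs run from staging directory")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (pid, reasons) for every event that triggers at least one rule."""
    hits = [(ev["pid"], flag_event(ev)) for ev in events]
    return [(pid, reasons) for pid, reasons in hits if reasons]


# Constructed sample telemetry: two suspicious events, two benign ones.
SAMPLE_EVENTS = [
    {"pid": "1001", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": "wscript.exe C:\\Users\\alice\\Downloads\\document.vbs"},
    {"pid": "1002", "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\python.exe",
     "command_line": "python.exe C:\\Users\\alice\\AppData\\Local\\Temp\\spread.py"},
    {"pid": "1003", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Python311\\python.exe", "command_line": "python.exe C:\\dev\\app.py"},
    {"pid": "1004", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\cscript.exe",
     "command_line": "cscript.exe \"C:\\Program Files\\Vendor\\maint.vbs\""},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, reasons)
```

In production the same two rules map naturally onto EDR or Sysmon process-creation queries; the staging-directory list should be tuned to the environment to keep false positives low.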
