Bitcoin Forum
Topic: Water Saci - AI enhanced malware targeting Brazilians thru WhatsApp
fullfitlarry (OP)
December 04, 2025, 09:07:37 AM
 #1

Water Saci has evolved its tactics; it now uses a highly layered infection chain. And it uses WhatsApp to propagate a banking trojan that targets Brazil again. Not just banking apps: it also has crypto exchanges and wallets in its crosshairs.



The thing is that these cyber actors are using AI to convert their code,

Quote
propagation scripts from PowerShell to Python exemplifies a layered approach that has enabled Water Saci to bypass conventional security controls, exploit user trust across multiple channels, and ramp up their infection rates.

I have nothing against AI, but this could be one of its pitfalls.

https://www.trendmicro.com/en_us/research/25/l/water-saci.html

The attack starts from WhatsApp, with the victim receiving a compressed archive file such as a ZIP file, while another mode of attack was shown to be a PDF document that looks very harmless at first because it just prompts you to update your Adobe Reader.

But that is not the case, as it has a payload, and once you install it, it's game over.



So again, just a friendly reminder for our Brazilian community, as this is not the first time that they have been targeted thru WhatsApp; you can read about it here: Eternidade Stealer - targets Banking apps/Crypto Wallets/Exchanges.

joniboini
December 04, 2025, 02:56:28 PM
 #2

Another malware using WhatsApp, no surprise there. Not familiar with the name, but won't be surprised if another attacker uses a similar method to attack the user base in another country.

I'm not sure about using AI to evolve the code, though. Judging from how broken some popular services are after they pivot to AI, I don't think they're that robust. I guess you could say they use a modified LLM trained with antimalware codes, so it's more specialized. Nothing's wrong with being careful.

fullfitlarry (OP)
December 05, 2025, 06:40:55 AM
 #3

Quote from: joniboini
Another malware using WhatsApp, no surprise there. Not familiar with the name, but won't be surprised if another attacker uses a similar method to attack the user base in another country.

Doesn't matter what the name of this malware is; not sure, though, how cyber investigators get the name. But it's true, it looks like WhatsApp is the new breeding ground for criminals and their malware and trojans. Banking apps + crypto + Brazilians or Lat-Am seems to be the war zone now.

Quote from: joniboini
I'm not sure about using AI to evolve the code, though. Judging from how broken some popular services are after they pivot to AI, I don't think they're that robust. I guess you could say they use a modified LLM trained with antimalware codes, so it's more specialized. Nothing's wrong with being careful.

Cyber criminals have taken advantage of AI, so it's easier for them to really enhance or make a new iteration of their malware in new code using AI, and that is very dangerous in the crypto space. But as you have said, we should really be careful of what we download and not trust anything at this point.

joniboini
December 05, 2025, 07:17:40 AM
 #4

Quote from: fullfitlarry
But it's true, it looks like WhatsApp is the new breeding ground for criminals and their malware and trojans.

I guess that's a given for a popular app like WA, just like how often we get phishing emails. I mean, I don't think you could fault a messenger app unless there's an exploit where they could execute malicious code directly, as long as they sent malware to somebody's phone. I don't think WA has that bug, right? I do remember opening a file could trigger something like that, though (can't remember the csv). Anyway, users have to be careful regardless of what apps they use.

348Judah
December 05, 2025, 11:29:25 AM
 #5

These scammers are continuously developing new strategies of introducing malware and what will ensure they get hold of their prey by attacking them, which I don't know if we could ever desist from hearing events like these happening, but the more they are doing it, the better their chances of being exposed to the public. Everyone should just be careful and avoid unnecessary visits or downloads or links; it may be more dangerous than we seem to know now.

cryptomaniac_xxx
December 06, 2025, 08:20:24 AM
 #6

Quote from: 348Judah
These scammers are continuously developing new strategies of introducing malware and what will ensure they get hold of their prey by attacking them, which I don't know if we could ever desist from hearing events like these happening, but the more they are doing it, the better their chances of being exposed to the public. Everyone should just be careful and avoid unnecessary visits or downloads or links; it may be more dangerous than we seem to know now.

It's WhatsApp that these scammers are using right now, as we have seen numerous reports already popping up of it propagating in Brazil. The only weapon we can use is self-awareness. Good for us members here, as there are posters who give us warnings like this one.

But just imagine those who haven't gotten any reports and will just click and download this PDF on their laptop or desktop thru WhatsApp and think that it is genuine and not malware that can attack and steal their banking details and crypto at the same time. We can only wish that it will not happen to us.

 
joniboini
December 06, 2025, 11:36:19 AM
 #7

Quote from: 348Judah
but the more they are doing it, the better their chances of being exposed to the public, everyone should just be careful and avoid unnecessary visits or downloads or links, it may be more dangerous than we seem to know now.

That's the biggest issue. Some of their operations are quite common, so if you read one or two articles about phishing scams, you should be able to notice them. The problem is that some users don't read and have a bad habit of downloading and clicking random files.

I don't think scammers will stop doing this. Even my old email account got spammed with phishing every now and then. It's cheap for them to do so, even if they only get 10 users out of 1 million targets every year or so.
