fullfitlarry (OP)
Full Member
 
Offline
Activity: 322
Merit: 186
You Attract What You Are
|
A new threat has been discovered by cyber security researchers. It uses a combination of social engineering and WhatsApp hijacking to distribute what they call Eternidade Stealer, which targets our Brazilian users.
Here is the detailed schematic diagram of the attack.
And then it extracts the following:
- Full WhatsApp ID (phone number with ‘@c.us’ suffix)
- Contact name (with fallbacks: ‘name’, ‘pushname’, ‘shortname’)
- Clean phone number
- Whether it’s a saved contact
These are the targeted banks:
Crypto Exchanges:
Crypto Wallets:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spiderlabs-ids-new-banking-trojan-distributed-through-whatsapp/
So for those who are using WhatsApp, especially if you are in Brazil, you have been targeted by these cyber criminals. So just be vigilant if you are going to use or are using these apps, as they have been used by criminals as weapons to attack not just banking apps, but crypto wallets and crypto exchanges as well.
|
|
|
|
Lakai01
Legendary
Offline
Activity: 2996
Merit: 4010
✅ NO KYC
|
 |
November 21, 2025, 07:55:22 AM |
|
I don't think this attack vector will remain limited to Brazilian users for much longer, as the country behind it is interchangeable, if I understand the vector correctly. Researchers at the University of Vienna have discovered a vulnerability in WhatsApp that allows almost all user data from all users worldwide to be extracted:
Using the same underlying mechanism, the researchers demonstrated that it was possible to query more than 100 million phone numbers per hour through WhatsApp's infrastructure, confirming more than 3.5 billion active accounts across 245 countries.
Source
Unfortunately, it is more than likely that the researchers are not the first to discover this vulnerability and that it has already been exploited commercially by hackers. Mobile phone numbers in particular are very valuable on the black market.
|
|
|
|
|
Pablo-wood
|
 |
November 21, 2025, 09:16:09 AM |
|
After a quick research on Eternidade Stealer I discovered it's not just a random malware. According to Alessandro Mascellino, the malware combines a WhatsApp-propagating worm, a Delphi-based stealer and an MSI dropper to harvest financial data, system details and contact lists used for rapid lateral spread.
Considering the fact it uses social engineering plus session hijacking, it simply implies even users who don't click random links regularly can still be caught off guard, and once a malware attack launches and succeeds they begin expanding their territories. I feel this is a call for extreme alertness.
|
|
|
|
|
Ronsbit
|
 |
November 21, 2025, 11:28:07 AM |
|
Thank you for bringing this to the notice of the community. It is nice to have gotten this information here because lately, I have been receiving messages from WhatsApp contacts I have no idea about, and the majority of them come with a link, and from all indications, the links look fishy, and when I call the sender via WhatsApp, they do not answer the call, which made me more sceptical about them.
When it comes to situations like this, it does not only focus on Brazil alone; they have a wider perspective of attacking the general community. As long as you have a WhatsApp account, you are a target to them irrespective of wherever you come from. The only thing one can do is just to stay alert and cautious: do not click links sent from unknown contacts, and even if you receive links from contacts you know, and you notice anything suspicious about that link which you are very sure such a contact doesn't frequently send, what you do is call them first to confirm if they were the one who sent it or if possibly their WhatsApp account might have been compromised. With this you could be safe from such schemes from them.
|
|
|
|
joniboini
Legendary
Offline
Activity: 2884
Merit: 1893
🧙♂️ #kycfree
|
 |
November 21, 2025, 12:05:19 PM |
|
I have been receiving messages from WhatsApp contacts I have no idea about, and the majority of them come with a link, and from all indications, the links look fishy, and when I call the sender via WhatsApp, they do not answer the call, which made me more sceptical about them.
Is there any other reason why you call those numbers other than trying to confirm who they are? That sounds pretty risky. If they have real business with you, I'm sure they won't just drop a malicious link and disappear tbh. I wonder if we'll get another exploit where calling a number can execute some malicious code behind our knowledge after this. Speaking of receiving random messages, I got so many of them in my SMS inbox. Not sure if scammers will target other accounts after this.
|
|
|
|
|
tech30338
|
 |
November 21, 2025, 02:08:21 PM |
|
Seems like a new variant since these are like other attacks on other applications. Are they just modifying other malware and then using it on other applications? Unlike before, when a single malware would attack or infect thousands of computers at the same time, then lock them and ask for a ransom. But this is a really serious issue since they are not stopping, since this is one of their sources of income. What we can do is be very careful about what we are doing; something that is too good to be true should be approached in a careful manner, and that is why being updated is very important.
|
|
|
|
TryNinja
Legendary
Offline
Activity: 3528
Merit: 10004
@ List of no-KYC websites: https://bitlist.co
|
 |
November 21, 2025, 02:24:56 PM |
|
A friend of mine fell for this. He started sending messages on WhatsApp about a Mr Beast giveaway, linking to a website where you would need to connect your crypto wallet.  I wasn't aware that it could try to infect and steal your funds on traditional banking apps like Santander, though.
|
|
|
|
coinlary
Full Member
 
Offline
Activity: 484
Merit: 178
Make decisions without looking back
|
 |
November 21, 2025, 07:02:12 PM |
|
Saved contact or not, if you ever send an attachment I never requested, I'm never going to download it. Although attachments do have the file name displayed, extension attached as well, but no matter what, if I don't request anything then I'm not downloading. I couldn't access the URL, I don't know if it's only me, but I believe this should still trace to downloading it from a source; WhatsApp is just a medium of spreading, I guess.
|
|
|
|
|
|MINER|
|
 |
November 21, 2025, 07:34:55 PM |
|
This is not really anything new, we are constantly seeing this kind of news. For example, if you look at this article from 2022, there was a 500 million WhatsApp data breach. And these will continue to happen continuously; whether it is limited to Brazil or the whole world, it has now taken a terrible form. And the main reason for this is that we currently explore different websites according to our daily needs and accept them without thinking about any permission, especially when they ask for cookies. And this is the scariest thing.
I may be going off topic a bit, but this is also important and I want to raise awareness. Like when we browse a website and give our email and password there and accept the cookies of that website, then our login session is with that website. And what is happening now is that hackers are hijacking those cookies and taking our data from there. Moreover, there are many unsafe websites where they will show you a question asking for cookies permission but they are taking permission from some other malware script, which is extracting all the passwords and data saved in your browser and sending it to the hacker.
- That's why I initially think that before browsing any website, be careful to check whether it is a suspicious website, and if it seems suspicious, then you should browse using the TOR browser; better would be to avoid it.
- Be careful when using extensions too.
- And avoid anonymous messages on email, WhatsApp, Telegram, etc.
- And more importantly, I think it's important for us to have routine checkups, like checking once a month to see if our passwords or data have been breached somewhere.
*** And there are many free websites or tools to do this. In my case, I use these and to be honest, I was able to see that many of my phone numbers and emails were breached from these websites and was able to take a cautious stance later. You can use this website to check if your mobile phone number's or email's data has been breached.
Here you can check your regional data breach situation by filtering from 3M,6M&+ - https://cybernews.com/personal-data-leak-check/
|
|
|
|
Wiwo
Legendary
Offline
Activity: 1750
Merit: 1075
|
 |
November 21, 2025, 08:27:20 PM |
|
Social handles are the most hit by the attackers. I see that a lot of WhatsApp and even X data got leaked recently, and not only Brazilians are the victims; we have a lot of accounts compromised already, cases are popping up daily, and that is a justification of this alert.
Last time I received a job offer on WhatsApp and a link was included to be clicked to get registered. Those are the simple ways that hackers trick you into allowing them access to your personal data.
We all need to be careful and guided as much as possible.
|
|
|
|
Hazink
Sr. Member
  
Offline
Activity: 854
Merit: 425
Trêvoid █ No KYC-AML Crypto Swaps
|
 |
November 21, 2025, 10:07:15 PM |
|
Saved contact or not, if you ever send an attachment I never requested, I'm never going to download it. Although attachments do have the file name displayed, extension attached as well, but no matter what, if I don't request anything then I'm not downloading.
That is a good measure to prevent yourself from falling for those scams, but it should not only be limited to attached files. Even when I get a message from anyone which has to do with a link, even if we talked about something in relation to it, I'm still very cautious not to directly click on the link unless I have been able to verify it's what I was actually expecting.
|
|
|
|
|
|
|
|
|
|
Aanuoluwatofunmi
|
 |
November 22, 2025, 04:55:33 AM |
|
A number of hacks have occurred through the use of social media, because even as we speak, some of these hack attempts are still in operation while some users are yet to understand how it can possibly happen and they got into it unexpectedly. We should also be mindful of links and the sites we visit.
|
|
|
|
ColdLava40
Full Member
 
Offline
Activity: 300
Merit: 124
Bitcoin
|
 |
November 22, 2025, 08:13:18 AM |
|
Saved contact or not, if you ever send an attachment I never requested, I'm never going to download it. Although attachments do have the file name displayed, extension attached as well, but no matter what, if I don't request anything then I'm not downloading. I couldn't access the URL, I don't know if it's only me, but I believe this should still trace to downloading it from a source; WhatsApp is just a medium of spreading, I guess.
When I don't have someone on my contact list, I don't bother to chat them up unless they are able to introduce themselves as someone I know. Aside from that, I see no reason why I should respond to a chat from someone I don't know and go ahead to install a package from such a chat. The internet is filled with so many threats these days; even the smallest thing that sometimes feels normal is no longer safe to do. One has to just be careful and avoid falling victim.
|
Bitcoin bitcoin bitcoin.....
|
|
|
|
Sticky Bomb
|
 |
November 22, 2025, 11:42:23 AM |
|
I have been receiving messages from WhatsApp contacts I have no idea about, and the majority of them come with a link, and from all indications, the links look fishy, and when I call the sender via WhatsApp, they do not answer the call, which made me more sceptical about them.
Is there any other reason why you call those numbers other than trying to confirm who they are? That sounds pretty risky. If they have real business with you, I'm sure they won't just drop a malicious link and disappear tbh. I wonder if we'll get another exploit where calling a number can execute some malicious code behind our knowledge after this. Speaking of receiving random messages, I got so many of them in my SMS inbox. Not sure if scammers will target other accounts after this.
I don't see any reason calling a strange person whose contact isn't saved in my phone. I believe courtesy demands that you introduce yourself before sending links or messages, and if you don't I'll request your identity and the purpose of the link, and without any clarity on the question, I'll ignore you totally. I've stopped clicking links even from someone I know without knowing the purpose, and I don't even click links from my WhatsApp. I copy them to the browser before accessing them. We all need to take serious caution. Social engineering is getting more advanced as the days go by.
|
|
|
|
|
DYING_S0UL
|
 |
November 22, 2025, 01:57:02 PM |
|
So if I understand correctly, it steals data from your PC and is being distributed through WhatsApp? But one thing I don't get is how the system gets infected. Surely it cannot be done automatically, right? The user has to execute the payload/script/the executable file? I checked the article but it was a massive one, and I couldn't find the things I wanted to know. In short, apart from the technical stuff, how does this stealer work? Can you explain it from a non-technical perspective?
How reliable is this site? I'm not familiar with this platform. I just tried searching some of my oldest emails and number, and all of them came out as "safe for now". But if my memory serves me right, among the mails one of them was exposed in the past. And upon logging in, it would say my password was exposed or found in a data breach (something like that). So I'm confused a little. Anyway I'm happy none came as red.
|
|
|
|
|
|MINER|
|
 |
November 22, 2025, 03:42:45 PM |
|
How reliable is this site? I'm not familiar with this platform. I just tried searching some of my oldest emails and number, and all of them came out as "safe for now". But if my memory serves me right, among the mails one of them was exposed in the past. And upon logging in, it would say my password was exposed or found in a data breach (something like that). So I'm confused a little. Anyway I'm happy none came as red.
In such cases, from my practical perspective, I find their service reliable because I verified all my email addresses connected to my affected device, as well as my phone number, and I found information about the breach there. And even then, if you have any doubts about the reliability of this website, you can find many more such websites or tools on the internet. It is better to use a paid service, but if you want it for free, you can double-verify your data on other websites. In this regard, I can suggest another renowned website: https://databreach.com/breach
|
|
|
|
|
PostQuantumBTC
|
 |
November 22, 2025, 04:21:06 PM |
|
So if I understand correctly, it steals data from your PC and is being distributed through WhatsApp? But one thing I don't get is how the system gets infected.
According to another link that I read this from, the malware combines a WhatsApp-propagating worm, a Delphi-based stealer and an MSI dropper to harvest financial data, system details and contact lists used for rapid lateral spread. About the WhatsApp malware, it can be done through various means, like a phishing campaign where a hacker contacts you through WhatsApp, saying he is an official from your bank. If you believe him, he can give you a link to something that you can download and which is malware. It is just like other means of how your device can get infected with malware, but through WhatsApp.
|
|
|
|
|
TryNinja
Legendary
Offline
Activity: 3528
Merit: 10004
@ List of no-KYC websites: https://bitlist.co
|
 |
November 22, 2025, 04:45:00 PM |
|
How reliable is this site? I'm not familiar with this platform. I just tried searching some of my oldest emails and number, and all of them came out as "safe for now". But if my memory serves me right, among the mails one of them was exposed in the past. And upon logging in, it would say my password was exposed or found in a data breach (something like that). So I'm confused a little. Anyway I'm happy none came as red.
It only shows up if your email is in one of their catalogued breaches. Sometimes they don’t have the full data set since hackers just trade them (or sell) between each other. Have I Been Pwned is also a great tool to check if any other data was leaked. On my phone right now, but look it up.
|
|
|
|
|
DYING_S0UL
|
 |
November 22, 2025, 09:35:35 PM |
|
Thanks I looked it up here too, and I got zero results for data leaks! Seems like I'm safe (for now)
It only shows up if your email is in one of their catalogued breaches. Sometimes they don’t have the full data set since hackers just trade them (or sell) between each other.
Have I Been Pwned is also a great tool to check if any other data was leaked. On my phone right now, but look it up.
Used this site before and I can confirm all of my accounts are fine. We live in a society where every system is digitalised, and that's a reality we cannot escape. From birth to death, we are trapped in this loop of technology. One way or another, if not all, many of us will eventually fall victim to these data leaks. Even countries with the strongest technology are failing to safeguard users' data, so how can we expect a third world country to do any better? We are basically helpless, and we have already seen some examples of it. Things like our personal info, retinal scans, fingerprints are out there for sale on Telegram (not even darkweb but TG..)! Yes, I am talking about the NID (National Identification Document) leak! Only one thing I can say: these info stealers pose serious risk, sometimes it's unavoidable, but I hope we do not come to see that day.
|
|
|
|
|
Ronsbit
|
 |
November 23, 2025, 05:17:11 PM |
|
I have been receiving messages fsnip
snip
I don't see any reason calling a strange person whose contact isn't saved in my phone. I believe courtesy demands that you introduce yourself before sending links or messages, and if you don't I'll request your identity and the purpose of the link, and without any clarity on the question, I'll ignore you totally. I've stopped clicking links even from someone I know without knowing the purpose, and I don't even click links from my WhatsApp. I copy them to the browser before accessing them. We all need to take serious caution. Social engineering is getting more advanced as the days go by.
I purposely called the contact for a reason. I have done this before when I received a message on WhatsApp from a friend. The message was laughable, so I tried reaching out to my friend, and he said he was about to call me to inform me that his WhatsApp account had been hacked, and I should ignore any message coming from his WhatsApp account at that very moment till he retrieves his account back. That was how I knew his account was hacked, so I did not bother responding to the message again. Sometimes it is good to call if a message of such nature is coming from a contact you know, to verify if they were the one that sent you such a message, so you do not make any silly mistake thinking it was your friend who sent you the message.
|
|
|
|
|