Cybersecurity researchers have uncovered a new campaign that leverages WhatsApp as a distribution vector for a Windows banking trojan called Astaroth, targeting users in Brazil. The campaign, codenamed “Boto Cor-de-Rosa” by Acronis Threat Research Unit, uses the widespread popularity of WhatsApp in the country to spread the malware.
The malware retrieves the victim’s WhatsApp contact list and automatically sends malicious messages to each contact, further propagating the infection in a worm-like manner. While the core Astaroth payload remains written in Delphi, the newly added WhatsApp-based worm module is implemented entirely in Python, showcasing the threat actors’ use of multi-language modular components.
The campaign delivers ZIP archives through WhatsApp messages; once extracted and opened, they trigger the download of the next-stage components, including a Python-based propagation module and a banking module that monitors the victim’s web browsing activity and steals credentials when banking-related URLs are visited. The malware authors have also implemented a mechanism to track and report propagation metrics in real time, highlighting their sophisticated approach to spreading the Astaroth banking trojan across Brazil.