Alert: WhatsApp Phishing Campaign Delivers Malware

KnowBe4 Team | Apr 21, 2026

A new phishing campaign is using WhatsApp messages to deliver malware, according to researchers at Microsoft. The attackers are attempting to trick users into installing malicious Visual Basic Script (VBS) files.

“The campaign relies on a combination of social engineering and living-off-the-land techniques,” Microsoft says. “It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system. By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution.”

If a user falls for the phishing attack, the malicious VBS file creates a hidden folder on the infected system and creates renamed versions of legitimate Windows utilities to evade detection.

Microsoft offers the following advice to help organizations thwart these attacks:

  • “Strengthen Endpoint Controls: Block or restrict execution of script hosts (wscript, cscript, mshta) in untrusted paths, and monitor for renamed or hidden Windows utilities being executed with unusual flags.
  • “Enhance Cloud Traffic Monitoring: Inspect and filter traffic to cloud services like AWS, Tencent Cloud, and Backblaze B2, ensuring malicious payload downloads are detected even when hosted on trusted platforms.
  • “Detect Persistence Techniques: Continuously monitor registry changes under HKLM\Software\Microsoft\Win and flag repeated tampering with User Account Control (UAC) settings as indicators of compromise.
  • “Block direct access to known C2 infrastructure where possible, informed by your organization’s threat‑intelligence sources.
  • “Educate Users on Social Engineering: Train employees to recognize suspicious WhatsApp attachments and unexpected messages, reinforcing that even familiar platforms can be exploited for malware delivery.”
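
One way to implement the monitoring in the first recommendation over process-creation telemetry, as an added example that is not code from Microsoft or KnowBe4. It assumes Sysmon-style records with `Image`, `OriginalFileName` and `CommandLine` fields; the watch-list, the untrusted-path markers and the sample events are constructed for illustration.

```python
import ntpath
import re

# Assumed watch-list, keyed on the PE OriginalFileName (lower-cased).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
WATCHED = SCRIPT_HOSTS | {"curl.exe", "bitsadmin.exe"}
# Assumed meaning of "untrusted path": user-writable locations.
UNTRUSTED = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")


def tokens(command_line):
    """Split a Windows command line, keeping quoted paths with spaces whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def analyze(event):
    """Return the findings for one process-creation record."""
    image = event["Image"].lower()
    original = event.get("OriginalFileName", "").lower()
    findings = []
    # The version resource survives a rename, so a mismatch between the
    # on-disk name and OriginalFileName marks a renamed utility.
    if original in WATCHED and ntpath.basename(image) != original:
        findings.append("renamed_utility")
    # Script host (even a renamed one) launching a script from an untrusted path.
    if original in SCRIPT_HOSTS:
        for arg in (t.lower() for t in tokens(event["CommandLine"])[1:]):
            if arg.endswith(SCRIPT_EXTS) and any(m in arg for m in UNTRUSTED):
                findings.append("script_host_untrusted_path")
                break
    return findings


# Constructed sample events (not taken from the campaign).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.vbs"'},
    {"Image": r"C:\ProgramData\cache\netsvc.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"netsvc.exe --version"},
    {"Image": r"C:\Windows\System32\cscript.exe", "OriginalFileName": "cscript.exe",
     "CommandLine": r"cscript.exe //Nologo C:\Windows\System32\slmgr.vbs /dli"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r"upd.exe //B C:\Users\bob\AppData\Local\Temp\a.vbs"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", analyze(ev) or "clean")
```

A script argument given as a bare relative name carries no directory, so it has to be resolved against the process's working directory before this check can judge it.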

Microsoft has the story.
