Microsoft researchers have uncovered a campaign that abuses WhatsApp attachments to compromise Windows machines and ultimately hand attackers remote control of them. The method relies on social engineering: the victim receives what looks like a harmless attachment, but the file is actually a VBScript (.vbs) file, which Windows runs through the Windows Script Host as soon as it is double-clicked.
WhatsApp, known for its desktop applications on both Windows and macOS, is primarily used as an extension of its mobile counterpart. While the desktop version enjoys a substantial user base, its adoption pales in comparison to mobile platforms. This discrepancy may contribute to the effectiveness of such attacks, as users may not be as vigilant when using the desktop application.
Last year, Meta fixed a vulnerability that allowed arbitrary code execution on Windows in all WhatsApp versions prior to 2.2450.6. The attacks Microsoft describes, however, do not exploit a software flaw; they rely on persuasion. Once the victim runs the malicious .vbs file, the script copies built-in Windows tools under innocuous-looking names so that their later activity attracts less attention.
Those legitimate tools are then used to download further malware. The technique, known as living off the land (LOTL), relies on software already present on the system and avoids dropping new binaries that a security scan might flag. The follow-on scripts are hosted on popular cloud providers, so the downloads blend in with ordinary traffic to services such as AWS, Tencent Cloud, or Backblaze.
The malware then attempts to elevate itself to administrator, tampering with User Account Control (UAC) settings in the registry so that subsequent system-level changes happen without a prompt, and it establishes persistence so that it survives reboots. Finally, an unsigned MSI (Windows Installer package) installs remote-access software and other payloads that give the attacker continuous access to the compromised machine and its data.
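The three behaviours above (renamed built-in tools, weakened UAC settings, and persistence across reboots) each leave artefacts that can be checked on a single host. The PowerShell script below is an added example, not code from the original article or from Microsoft's report. The list of tool names, the folders it scans, and the UAC values it treats as expected are the author's assumptions for illustration, not indicators published by Microsoft; it reads the registry and the file system and changes nothing.

```powershell
# Added example: host triage for the artefacts described in the text.
# Assumptions (not from the article): the folders, tool names and Run-key
# heuristics below are illustrative choices by the example's author.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Renamed copies of built-in Windows tools.
# Renaming an .exe does not change its PE version resource, so the
# OriginalFilename field still names the real tool (e.g. wscript.exe)
# even when the file on disk is called something like "invoice.exe".
$lolbins = @('wscript.exe', 'cscript.exe', 'mshta.exe', 'certutil.exe',
             'bitsadmin.exe', 'msiexec.exe', 'rundll32.exe', 'regsvr32.exe',
             'powershell.exe', 'curl.exe')
$scanRoots = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)

$renamedTools = foreach ($root in $scanRoots) {
    Get-ChildItem -Path $root -Recurse -File -Filter *.exe | ForEach-Object {
        $orig = $_.VersionInfo.OriginalFilename
        if ($orig -and ($lolbins -contains $orig.ToLower()) -and
            ($_.Name.ToLower() -ne $orig.ToLower())) {
            [pscustomobject]@{ Check = 'RenamedTool'; Path = $_.FullName; OriginalFilename = $orig }
        }
    }
}

# 2. Weakened UAC settings.
# Defaults on a client Windows install: EnableLUA=1 (UAC on),
# ConsentPromptBehaviorAdmin=5 (prompt for consent), PromptOnSecureDesktop=1.
# EnableLUA=0 turns UAC off, ConsentPromptBehaviorAdmin=0 elevates silently,
# and PromptOnSecureDesktop=0 lets a normal window overlay the real prompt.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
$uacChecks = @(
    @{ Name = 'EnableLUA';                  Bad = { param($v) $v -eq 0 } },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Bad = { param($v) $v -eq 0 } },
    @{ Name = 'PromptOnSecureDesktop';      Bad = { param($v) $v -eq 0 } }
)
$uacFindings = foreach ($c in $uacChecks) {
    $value = $uac.($c.Name)
    if ($null -ne $value -and (& $c.Bad $value)) {
        [pscustomobject]@{ Check = 'UACWeakened'; Path = "$uacKey\$($c.Name)"; Value = $value }
    }
}

# 3. Persistence via Run keys pointing at scripts or user-writable folders.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$runFindings = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell metadata properties
        $cmd = [string]$p.Value
        if ($cmd -match '\.(vbs|js|wsf|hta|msi)\b' -or $cmd -match '\\AppData\\|\\Temp\\') {
            [pscustomobject]@{ Check = 'RunKey'; Path = "$key\$($p.Name)"; Value = $cmd }
        }
    }
}

$findings = @($renamedTools) + @($uacFindings) + @($runFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No renamed tools, weakened UAC settings or suspicious Run entries found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that HKLM and every profile folder are readable. A hit in the first check is the strongest signal: there is no benign reason for a copy of wscript.exe or mshta.exe to sit in a Downloads folder under a different name. The Run-key heuristic in the third check will also flag some legitimate per-user software installed under AppData, so treat it as a list to review rather than a verdict.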
How to stay safe
For home users and small businesses, several practical measures can be taken to enhance security:
- Do not open unsolicited attachments until you have verified with a trusted source that they are safe.
- Turn on “File name extensions” in File Explorer (View tab on Windows 10; View > Show on Windows 11) so that a file posing as an image but actually ending in .vbs or .msi is visible for what it is.
- Utilize an up-to-date real-time anti-malware solution to prevent unwanted connections and detect malicious files.
- Download software exclusively from the vendor’s official site and ensure that installers are signed.
- Pay attention to warning signs. Unexpected UAC prompts, new software appearing without your consent, or a noticeable slowdown after opening a WhatsApp attachment should prompt an anti-malware scan; if the scan confirms an infection, be prepared to restore from a clean backup.
- Keep Windows and all other applications updated to guard against the exploitation of known vulnerabilities.
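Two of the measures above, showing file extensions and insisting on signed installers, can be applied and checked from PowerShell. The script below is an added example written for this page, not a Malwarebytes or Microsoft tool. It assumes that WhatsApp attachments were saved to the user's Downloads folder (the article does not say where the campaign's files land); adjust the folder if yours differ.

```powershell
# Added example: turn on extension display and audit recently saved files.
# Assumption (not from the article): attachments were saved under Downloads.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Make File Explorer show extensions. HideFileExt=1 hides them (the default);
# 0 shows them. Explorer picks the change up after a restart of explorer.exe.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerKey -Name HideFileExt -Value 0 -Type DWord
Stop-Process -Name explorer -Force   # Explorer restarts itself automatically

# 2. Look for files that end in an executable or script extension, including
# "double extension" names such as photo.jpg.vbs that look like images when
# extensions are hidden.
$riskyExt = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.hta', '.msi', '.exe', '.scr', '.bat', '.cmd', '.ps1')
$folder = "$env:USERPROFILE\Downloads"
$recent = Get-ChildItem -Path $folder -Recurse -File |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }

$suspect = foreach ($f in $recent) {
    if ($riskyExt -contains $f.Extension.ToLower()) {
        $base = [System.IO.Path]::GetFileNameWithoutExtension($f.Name)
        $doubleExt = [System.IO.Path]::HasExtension($base)   # e.g. "photo.jpg" inside "photo.jpg.vbs"
        [pscustomobject]@{
            Path            = $f.FullName
            Extension       = $f.Extension
            DoubleExtension = $doubleExt
        }
    }
}

# 3. For installers and executables, check the Authenticode signature.
# An unsigned MSI, as deployed in this campaign, reports Status "NotSigned".
$signatureReport = foreach ($s in $suspect) {
    if ($s.Extension -in @('.msi', '.exe')) {
        $sig = Get-AuthenticodeSignature -FilePath $s.Path
        [pscustomobject]@{
            Path   = $s.Path
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

if ($suspect) {
    Write-Output "Script or installer files saved in the last 30 days under $folder:"
    $suspect | Format-Table -AutoSize
    if ($signatureReport) {
        Write-Output 'Signature status of installers and executables:'
        $signatureReport | Format-Table -AutoSize
    }
} else {
    Write-Output "No script or installer files saved in the last 30 days under $folder."
}
```

A legitimate installer from a vendor's site should show Status Valid with the vendor's name in the Signer column; NotSigned on an .msi that arrived as a chat attachment is exactly the pattern the article describes and is reason enough not to run it. The 30-day window and the extension list are choices for this example and can be widened.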