Cybersecurity researchers have uncovered a new campaign targeting Brazilian users with a Delphi-based banking trojan called Eternidade Stealer. The attack uses a combination of social engineering and WhatsApp hijacking for distribution.
Attack Mechanism and Propagation
The campaign operates by distributing the malware in a worm-like fashion via compromised WhatsApp accounts. The starting point is an obfuscated Visual Basic Script, written mainly in Portuguese, which drops a batch script. This script then executes two primary payloads:
- A Python script that automates the dissemination of the malware via WhatsApp Web.
- An MSI installer that uses an AutoIt script to launch the Eternidade Stealer.
The Python script leverages the open-source WPPConnect project to communicate with a remote server, harvest a victim's entire contact list, and then automatically send a malicious attachment to all contacts using a time-based message template.
Technical Details and Targeting
The second stage of the attack begins with the MSI installer. It performs a geofencing check to see if the operating system language is Brazilian Portuguese. If not, the malware self-terminates, indicating a hyper-localized targeting effort. If the check passes, it scans the system for installed security products and then uses process hollowing to inject the Eternidade Stealer payload into "svchost.exe".
Eternidade Stealer is a credential stealer that continuously monitors active windows for strings related to banking portals, payment services, and cryptocurrency exchanges, including Bradesco, Binance, and MetaMask. This behavior ensures the attack triggers only in relevant financial contexts.
The malware uses the Internet Message Access Protocol (IMAP) to dynamically retrieve its command and control (C2) server addresses from an email inbox. This method, also used by a related trojan called Water Saci, allows the threat actors to easily update the C2 server, maintain persistence, and evade detection.
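As an added defender-side example, not taken from the article or from the malware analysis it reports on, the following Python sketch flags the endpoint anomaly that this C2 technique creates: a process named svchost.exe opening an IMAP connection. The log layout, field names and sample lines are constructed for illustration and are not a real product's schema.

```python
"""Detection sketch for the IMAP-based C2 lookup described above. Eternidade
Stealer runs inside a hollowed svchost.exe and fetches its C2 address over IMAP,
so a process named svchost.exe opening an IMAP connection (TCP 143 or 993) is a
strong anomaly: service hosts have no reason to speak IMAP. Log lines below are
CONSTRUCTED in a simplified key=value layout; field names are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

IMAP_PORTS = {143, 993}
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass(frozen=True)
class NetEvent:
    image: str
    dest_ip: str
    dest_port: int

def parse_event(line: str) -> Optional[NetEvent]:
    """Parse one constructed log line into a NetEvent, or None if malformed."""
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    try:
        return NetEvent(image=fields["Image"].lower(),
                        dest_ip=fields["DestinationIp"],
                        dest_port=int(fields["DestinationPort"]))
    except (KeyError, ValueError):
        return None

def is_suspicious_imap(event: NetEvent) -> bool:
    """Detection condition: svchost.exe talking IMAP (plain or TLS) to any host."""
    return event.image.endswith("\\svchost.exe") and event.dest_port in IMAP_PORTS

def find_hits(lines: List[str]) -> List[NetEvent]:
    """Return every parsed event matching the svchost.exe-over-IMAP condition."""
    return [ev for ev in map(parse_event, lines) if ev and is_suspicious_imap(ev)]

# Constructed sample telemetry: a benign mail client on 993, two svchost.exe IMAP
# anomalies, a benign svchost.exe HTTPS connection, and one malformed line.
SAMPLE_LINES = [
    'Image="C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe" DestinationIp=203.0.113.10 DestinationPort=993',
    'Image="C:\\Windows\\System32\\svchost.exe" DestinationIp=203.0.113.10 DestinationPort=993',
    'Image="C:\\Windows\\System32\\svchost.exe" DestinationIp=198.51.100.7 DestinationPort=143',
    'Image="C:\\Windows\\System32\\svchost.exe" DestinationIp=203.0.113.50 DestinationPort=443',
    'garbage line with no fields',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LINES):
        print(f"ALERT svchost.exe -> {hit.dest_ip}:{hit.dest_port} (IMAP C2 lookup pattern)")
```

On real telemetry the condition would be tuned with the process's parent, command line and signature status, since the hollowed process keeps a legitimate image path.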
While the malware and its primary distribution vectors are focused on Brazil, infrastructure analysis showed connections originating from over six countries, including the U.S., Germany, and the U.K., suggesting the operational footprint and victim exposure are far more global.