Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp.
According to a report from CyberProof, both malware strains are written in .NET, target Brazilian users and banks, and feature identical functionality to decrypt, targeting banking URLs and monitor banking applications. More importantly, both include the ability to spread through WhatsApp Web.
Maverick was first documented by Trend Micro early last month, attributing it to a threat actor dubbed Water Saci. The campaign involves two components: A self-propagating malware referred to as SORVEPOTEL that's spread via the desktop web version of WhatsApp and is used to deliver a ZIP archive containing the Maverick payload.
The malware is designed to monitor active browser window tabs for URLs that match a hard-coded list of financial institutions in Latin America. Should the URLs match, it establishes contact with a remote server to fetch follow-on commands to gather system information and serve phishing pages to steal credentials.
Cybersecurity firm Sophos, in a subsequent report, was the first to raise the possibility of whether the activity could be related to prior reported campaigns that disseminated Coyote targeting users in Brazil and if Maverick is an evolution of Coyote. Another analysis from Kaspersky found that Maverick did contain many code overlaps with Coyote, but noted it's treating it as a completely new threat targeting Brazil en masse.
The latest findings from CyberProof show that the ZIP file contains a Windows shortcut (LNK) that, when launched by the user, runs cmd.exe or PowerShell to connect to an external server ("zapgrande[.]com") to download the first-stage payload. The PowerShell script is capable of launching intermediate tools designed to disable Microsoft Defender Antivirus and UAC, as well as retrieve a .NET loader.
The loader, for its part, features anti-analysis techniques to check for the presence of reverse engineering tools and self-terminate if found. The loader then proceeds to download the main modules of the attack: SORVEPOTEL and Maverick. It's worth mentioning here that Maverick is only installed after ensuring that the victim is located in Brazil by checking the time zone, language, region, and date and time format of the infected host.
CyberProof said it also found evidence of the malware being used to single out hotels in Brazil, indicating a possible expansion of targeting.
The disclosure comes as Trend Micro detailed Water Saci's new attack chain that employs an email-based command-and-control (C2) infrastructure, relies on multi-vector persistence for resilience, and incorporates several advanced checks to evade detection, enhance operational stealth, and restrict execution to only Portuguese-language systems.
"The new attack chain also features a sophisticated remote command-and-control system that allows threat actors real-time management, including pausing, resuming, and monitoring the malware's campaign, effectively converting infected machines into a botnet tool for coordinated, dynamic operations across multiple endpoints," the cybersecurity company said in a report published late last month.
 |
| New Water Saci attack chain observed |
The infection sequence eschews .NET binaries in favor of Visual Basic Script (VB Script) and PowerShell to hijack WhatsApp browser sessions and spread the ZIP file via the messaging app. Similar to the previous attack chain, the WhatsApp Web hijack is performed by downloading ChromeDriver and Selenium for browser automation.
The attack is triggered when a user downloads and extracts the ZIP archive, which includes an obfuscated VBS downloader ("Orcamento.vbs" aka SORVEPOTEL), which, in turn, issues a PowerShell command to download and execute a PowerShell script ("tadeu.ps1") directly in memory.
This PowerShell script is used to take control of the victim's WhatsApp Web session and distribute the malicious ZIP files to all contacts associated with their account, while also displaying a deceptive banner named "WhatsApp Automation v6.0" to conceal its malicious intent. Furthermore, the script contacts a C2 server to fetch message templates and exfiltrate contact lists.
"After terminating any existing Chrome processes and clearing old sessions to ensure clean operation, the malware copies the victim's legitimate Chrome profile data to its temporary workspace," Trend Micro said. "This data includes cookies, authentication tokens, and the saved browser session."
 |
| Water Saci campaign timeline |
"This technique allows the malware to bypass WhatsApp Web's authentication entirely, gaining immediate access to the victim's WhatsApp account without triggering security alerts or requiring QR code scanning."
The malware, the cybersecurity company added, also implements a sophisticated remote control mechanism that allows the adversary to pause, resume, and monitor the WhatsApp propagation in real-time, effectively turning it into malware capable of controlling the compromised hosts like a bot.
As for how it actually distributes the ZIP archive, the PowerShell code iterates through every harvested contact and checks for a pause command prior to sending personalized messages by substituting variables in the message template with time-based greetings and contact names.
Another significant aspect of SORVEPOTEL is that it leverages IMAP connections to terra.com[.]br email accounts using hardcoded email credentials to connect to the email account and retrieve commands rather than using a traditional HTTP-based communication. Some of these accounts have been secured using multi-factor authentication (MFA) to prevent unauthorized access.
This added security layer is said to have introduced operational delays since each login requires the threat actor to manually enter a one-time authentication code to access the inbox and save the C2 server URL used to send the commands. The backdoor then periodically polls the C2 server for fetching the instruction. The list of supported commands is as follows -
- INFO, to collect detailed system information
- CMD, to run a command via cmd.exe and export the results of the execution to a temporary file
- POWERSHELL, to run a PowerShell command
- SCREENSHOT, to take screenshots
- TASKLIST, to enumerate all running processes
- KILL, to terminate a specific process
- LIST_FILES, to enumerate files/folders
- DOWNLOAD_FILE, to download files from infected system
- UPLOAD_FILE, to upload files to infected system
- DELETE, to delete specific files/folders
- RENAME, to rename files/folders
- COPY, to copy files/folders
- MOVE, to move files/folders
- FILE_INFO, to get detailed metadata about a file
- SEARCH, to recursively search for files matching specified patterns
- CREATE_FOLDER, to create folders
- REBOOT, to initiate a system restart with 30-second delay
- SHUTDOWN, to initiate a system shutdown with 30-second delay
- UPDATE, to download and install an updated version of itself
- CHECK_EMAIL, to check the attacker-controlled email for new C2 URLs
The widespread nature of the campaign is driven by the popularity of WhatsApp in Brazil, which has over 148 million active users, making it the second largest market in the world after India.
"The infection methods and ongoing tactical evolution, along with the region-focused targeting, indicate that Water Saci is likely linked to Coyote, and both campaigns operate within the same Brazilian cybercriminal ecosystem," Trend Micro said, describing the attackers as aggressive in "quantity and quality."
"Linking the Water Saci campaign to Coyote reveals a bigger picture that exhibits a significant shift in the banking trojan's propagation methods. Threat actors have transitioned from relying on traditional payloads to exploiting legitimate browser profiles and messaging platforms for stealthy, scalable attacks."
