Maverick malware is a sophisticated banking trojan that targets WhatsApp Web users in Brazil, hijacking accounts to steal credentials from Latin American financial institutions. It spreads via malicious ZIP archives using VBScript and PowerShell, automating browser sessions to propagate without detection. Cybersecurity firms like CyberProof, Trend Micro, Sophos, and Kaspersky have analyzed its evasion tactics and ties to older threats like Coyote.
-
Maverick combines obfuscated scripts to download payloads like SORVEPOTEL worm, focusing on Brazilian users via time zone and language checks.
-
It automates Chrome to takeover WhatsApp sessions, sending personalized malicious messages to contacts without triggering alerts.
-
Linked to Water Saci actor, it monitors browser tabs for banking sites and deploys phishing pages, with overlaps to Coyote malware noted by experts.
Maverick malware threatens WhatsApp users in Brazil with account hijacking and credential theft—learn how it spreads via ZIP files and evades detection. Protect your accounts now with robust security measures. (152 characters)
What is Maverick Malware and How Does It Target WhatsApp Web Users?
Maverick malware is a banking trojan that infiltrates WhatsApp Web sessions to hijack accounts and target financial credentials from Brazilian institutions. Discovered by Trend Micro and linked to the Water Saci threat actor, it uses obfuscated VBScript and PowerShell to automate browser actions and spread via malicious ZIP archives. This self-propagating threat checks system settings to ensure deployment only in targeted regions, emphasizing its precision in attacks.
How Does Maverick Malware Hijack WhatsApp Accounts?
The infection begins with a ZIP archive downloaded through WhatsApp Web, containing an LNK shortcut that triggers obfuscated code to execute PowerShell commands. This loader contacts an attacker-controlled server to fetch payloads like the SORVEPOTEL worm and the Maverick banking trojan. It employs classic obfuscation techniques, such as split Base64 and UTF-16LE encoding, and self-terminates if reverse-engineering tools are detected, showcasing advanced anti-analysis measures.
CyberProof’s SOC team detailed in their investigation that the malware avoids .NET binaries, opting for VBScript named Orcamento.vbs tied to SORVEPOTEL. This script launches tadeu.ps1 in memory, which automates Chrome using ChromeDriver and Selenium to seize control of the WhatsApp session. By terminating existing Chrome processes and copying the legitimate profile, it accesses cookies and tokens to bypass authentication, granting hackers immediate access without QR code scans or alerts.
Once in control, the PowerShell payload displays a fake “WhatsApp Automation v6.0” banner to mask operations. It retrieves message templates from a command-and-control (C2) server, exfiltrates contacts, and sends personalized ZIP archives to each contact, incorporating time-based greetings and names for realism. Trend Micro highlighted the C2’s sophistication, enabling real-time pausing, resuming, and monitoring of propagation across infected systems.
Frequently Asked Questions
What Makes Maverick Malware a Threat to Brazilian WhatsApp Users?
Maverick malware specifically targets Brazil by verifying time zone, language, system region, and date formats before full deployment, restricting execution to Portuguese-language systems. It scans browser tabs for hard-coded URLs of Latin American financial institutions, then fetches phishing pages from remote servers to harvest credentials. This geofencing reduces noise and maximizes impact on high-value targets, as noted in analyses by CyberProof and Trend Micro. (98 words)
How Can Users Protect Themselves from Maverick Malware on WhatsApp Web?
To safeguard against Maverick malware, always verify unexpected file downloads on WhatsApp Web and avoid executing unknown ZIP archives or shortcuts. Enable two-factor authentication on WhatsApp, use antivirus software with real-time scanning, and keep browsers updated to block automation exploits. Regularly clear browser data and monitor for suspicious automation banners—if you spot unusual activity like automated messaging, immediately log out and scan your device for threats. (72 words)
Key Takeaways
- Sophisticated Delivery: Maverick uses combined VBScript, PowerShell, and browser automation in ZIP files to hijack WhatsApp sessions seamlessly.
- Targeted Attacks: Deployment is limited to Brazilian systems, focusing on financial credential theft from regional banks via phishing overlays.
- Evolving Threat: With ties to Coyote and Water Saci, monitor for updates—implement strong security hygiene to prevent propagation to contacts.
Conclusion
The Maverick malware campaign underscores the growing risks to WhatsApp Web users in Brazil, leveraging obfuscated loaders and session hijacking to enable credential theft from financial institutions. As cybersecurity firms like CyberProof, Trend Micro, Sophos, and Kaspersky continue to track its evolution from threats like Coyote, users must prioritize vigilance against malicious downloads. Staying informed and adopting proactive defenses will be crucial as attackers refine these tactics for broader impact in the digital landscape.
