New Banking Trojan Uses WhatsApp to Compromise Brazilian Users
Cybersecurity researchers at Trustwave’s SpiderLabs have identified a new banking trojan, named Eternidade Stealer, specifically targeting bank customers in Brazil. This malware employs the widely used messaging application WhatsApp to deceive users and extract their sensitive financial information.
How the Attack Unfolds
The attack begins with a seemingly innocuous message sent via WhatsApp. Criminals use social engineering tactics, crafting personalized messages in Portuguese, often including greetings tailored to the time of day, such as “good morning.” This approach enhances the message’s credibility, increasing the likelihood that victims will engage with it. When a user clicks on the attached malicious file, a sophisticated attack sequence is initiated.
Once activated, the malware takes control of the victim’s WhatsApp account. Its first action is to rapidly harvest the entire contact list, which is then transmitted to the attackers’ server. Subsequently, the malware automatically disseminates itself to all contacts in the victim’s list, utilizing a spreading program created with a Python script. This marks a notable shift from prior attacks, which often relied on different programming methods.
Targeted and Localized Techniques
According to information shared by Trustwave, the Eternidade Stealer is developed using Delphi, a programming language favored by cybercriminals in Brazil due to its efficiency and local popularity. The malware is highly localized, specifically targeting users operating with the Brazilian Portuguese language setting.
Before executing its primary attack, the malware thoroughly profiles the victim’s system. It checks for security software, such as Windows Defender or Kaspersky, to evade detection effectively. Additionally, the trojan retrieves instructions by accessing a specific email account via the IMAP protocol, allowing it to identify the current location of its control server. Researchers confirmed this behavior by accessing the threat actor’s email account, where they discovered weak, easily compromised credentials.
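For defenders, the IMAP lookup described above is a usable hunting signal: workstations rarely open IMAP sessions from anything other than a mail client. The following is an added example, not code from Trustwave or from this article; the CSV event layout, the mail-client allowlist, the path markers and all sample rows are constructed assumptions to adapt to your own telemetry.

```python
import csv
import io
from pathlib import PureWindowsPath

IMAP_PORTS = {143, 993}
# Assumed allowlist of legitimate mail clients; tune for your environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Assumed user-writable locations where a real mail client should not live.
USER_WRITABLE = ("\\temp\\", "\\downloads\\")

# Constructed sample of outbound-connection events (documentation IP ranges).
SAMPLE_EVENTS = r"""timestamp,host,image,dest_ip,dest_port
2025-01-01T09:00:01Z,WS-01,C:\Program Files\Mozilla Thunderbird\thunderbird.exe,203.0.113.10,993
2025-01-01T09:02:17Z,WS-02,C:\Users\ana\AppData\Local\Temp\update.exe,203.0.113.10,993
2025-01-01T09:03:40Z,WS-03,C:\Users\rui\Downloads\outlook.exe,203.0.113.10,143
2025-01-01T09:04:05Z,WS-02,C:\Program Files\Google\Chrome\Application\chrome.exe,198.51.100.7,443
2025-01-01T09:05:00Z,WS-04,C:\Windows\System32\svchost.exe,198.51.100.9,n/a
"""


def suspicious_imap(events_csv, allowlist=MAIL_CLIENTS):
    """Return (host, process, reason) for IMAP connections worth triaging."""
    hits = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        try:
            port = int(row["dest_port"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed or truncated records
        if port not in IMAP_PORTS:
            continue
        path = row["image"].lower()
        name = PureWindowsPath(path).name
        if name not in allowlist:
            hits.append((row["host"], name, "not a known mail client"))
        elif any(marker in path for marker in USER_WRITABLE):
            # A trusted file name alone proves nothing; check where it runs from.
            hits.append((row["host"], name, "mail client name in user-writable path"))
    return hits


if __name__ == "__main__":
    for hit in suspicious_imap(SAMPLE_EVENTS):
        print(hit)
```
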
Once operational, the malware monitors a range of financial applications. It actively scans for software linked to major Brazilian banks, including Itaú, Bradesco, and Caixa Econômica Federal, as well as popular payment services like MercadoPago. The trojan also targets cryptocurrency wallets and exchanges, such as MetaMask, Trust Wallet, and Binance.
When a victim accesses one of these targeted applications, the trojan deploys a fake login screen, or overlay, that mimics the legitimate page. Unaware of the deception, the victim inputs their sensitive information, which is then sent directly to the attackers.
To protect against this threat, users are advised to exercise caution with unexpected messages or attachments, even if they appear to come from known contacts. If you receive a suspicious file, it is safer to confirm its legitimacy by calling or texting the sender on a different platform before taking any action.
