WhatsApp phishing attack uses fake business docs to hack PCs

An ongoing malware campaign is targeting WhatsApp users in multiple countries with deceptive messages that push VBScript files, leading to remote system access.

The threat actor is using file names that indicate business and financial documents delivered by the victim's contacts, whose accounts had been compromised.

By downloading and executing the malicious attachments, the recipient starts an infection chain that leads to installing the legitimate ManageEngine Endpoint Central, which is used by IT administrators to manage systems from a centralized dashboard.

Telemetry data from cybersecurity company Kaspersky shows that the campaign spreads across Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.

Attack chain

Kaspersky reports that the attacks begin with messages sent from compromised accounts that contain nothing but a heavily obfuscated VBS file.

These files are given names that make them appear to be financial reports, billing statements, account notices, and similar documents likely to draw the target’s attention and prompt them to open the file.

The filenames are also localized in multiple languages, further confirming the campaign’s global reach.

Samples of the malicious messages (Source: Kaspersky)

“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists,” Kaspersky explains.

“At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.”

If the victim downloads and opens the file on Windows, the VBScript fetches two additional scripts from the attacker's infrastructure, which, in turn, disable UAC protections through Registry modifications and download a ZIP archive containing the ManageEngine Endpoint Central program.

Content of the ZIP file (Source: Kaspersky)

The software is silently installed in the background and configured to connect to attacker-controlled management servers, giving them remote administration access on the victim’s computer.

Kaspersky notes that when the initial VBScript file is delivered via WhatsApp Web, it must be downloaded, but when opened in the WhatsApp Desktop client, it can be executed directly via Windows Script Host (wscript.exe).

Overview of the attack chain (Source: Kaspersky)
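For defenders, the chain described above has three observable stages on the endpoint: a messaging client handing a .vbs file to Windows Script Host, a registry write that weakens UAC, and a script host spawning the installer for a remote-management agent. The following detection sketch is an added example, not code from Kaspersky or from this article. It runs three rules over constructed Sysmon-style telemetry (process-create and registry-set records modelled as dicts). The page only says "Registry modifications", so the specific UAC value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are an assumption about which controls get flipped, and the installer name pattern for the ManageEngine agent is likewise assumed.

```python
"""Detection rules for the WhatsApp VBScript -> UAC tamper -> RMM install chain.

Added example (not Kaspersky's or the article's code). Assumptions:
  - events carry Sysmon-like fields: EventType, Image, ParentImage,
    CommandLine, TargetObject, Details
  - the UAC value names below are the ones an attacker would set to 0
  - the remote-management installer name matches RMM_INSTALLER_RE
"""
import re
from typing import Dict, Iterable, List, Optional

Event = Dict[str, str]

# Real UAC policy key; which value names get modified is an assumption.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

MESSAGING_CLIENTS = {"whatsapp.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed naming for the agent installer; adjust to your software inventory.
RMM_INSTALLER_RE = re.compile(r"manageengine|endpoint ?central|uems", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_script_host_from_messenger(ev: Event) -> Optional[str]:
    """Messaging client launched Windows Script Host on a .vbs file."""
    if ev.get("EventType") != "ProcessCreate":
        return None
    if basename(ev.get("ParentImage", "")) not in MESSAGING_CLIENTS:
        return None
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    if ".vbs" not in ev.get("CommandLine", "").lower():
        return None
    return "script_host_from_messenger"


def rule_uac_weakened(ev: Event) -> Optional[str]:
    """Registry write that sets a UAC policy value to 0."""
    if ev.get("EventType") != "RegistryValueSet":
        return None
    key, _, value_name = ev.get("TargetObject", "").rpartition("\\")
    if key.lower() != UAC_KEY.lower() or value_name not in UAC_VALUES:
        return None
    # Sysmon renders DWORD data as e.g. "DWORD (0x00000000)".
    m = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.IGNORECASE)
    if m is None or int(m.group(1), 16) != 0:
        return None
    return "uac_weakened"


def rule_rmm_install_from_script_host(ev: Event) -> Optional[str]:
    """Script host spawned an installer for a remote-management agent."""
    if ev.get("EventType") != "ProcessCreate":
        return None
    if basename(ev.get("ParentImage", "")) not in SCRIPT_HOSTS:
        return None
    if not RMM_INSTALLER_RE.search(basename(ev.get("Image", ""))):
        return None
    return "rmm_install_from_script_host"


RULES = (rule_script_host_from_messenger, rule_uac_weakened,
         rule_rmm_install_from_script_host)


def scan(events: Iterable[Event]) -> List[Dict[str, str]]:
    """Apply every rule to every event; return one finding per match."""
    findings = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                findings.append({"rule": name, "image": ev.get("Image", ""),
                                 "detail": ev.get("CommandLine") or ev.get("TargetObject", "")})
    return findings


def chain_observed(findings: List[Dict[str, str]]) -> bool:
    """True when all three stages were seen; individually they are weaker signals."""
    seen = {f["rule"] for f in findings}
    return {"script_host_from_messenger", "uac_weakened",
            "rmm_install_from_script_host"} <= seen


# Constructed sample telemetry: three malicious records, then two benign ones.
SAMPLE_EVENTS: List[Event] = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Invoice_Q3.vbs"'},
    {"EventType": "RegistryValueSet", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": UAC_KEY + r"\EnableLUA", "Details": "DWORD (0x00000000)"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\ana\AppData\Local\Temp\pkg\ManageEngine_Agent.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "ManageEngine_Agent.exe /silent"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"wscript.exe C:\IT\logon.vbs"},
    {"EventType": "RegistryValueSet", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": UAC_KEY + r"\EnableLUA", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("full chain observed:", chain_observed(hits))
```

Each rule alone will fire on legitimate activity (admins do run .vbs logon scripts, and UAC policy is sometimes changed by imaging tools), so the rules are meant to be correlated per host within a short window, as `chain_observed` does for the sample, rather than paged on individually.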

While Kaspersky does not attribute the attacks to a specific threat actor, the researchers found signs of Chinese language use and infrastructure overlap with IPs previously associated with ValleyRAT and Gh0st RAT activity.

However, the evidence is insufficient for a high-confidence attribution.

WhatsApp users are advised to treat files sent by contacts, even trusted ones, with caution and to always verify them through secondary means.

All downloaded files should be scanned with an up-to-date antivirus before executing them.
