Casbaneiro Phishing Campaign Targets Latin America and Europe with Dynamic PDF Lures
#Security


Security Reporter

Brazilian cybercrime group Water Saci launches sophisticated phishing attacks using WhatsApp automation, ClickFix social engineering, and dynamically generated PDF court summons to deliver Casbaneiro and Horabot banking trojans to Spanish-speaking organizations.

A sophisticated phishing campaign orchestrated by the Brazilian cybercrime group Water Saci is targeting Spanish-speaking organizations across Latin America and Europe with a multi-pronged attack strategy that combines WhatsApp automation, ClickFix social engineering, and dynamically generated PDF lures to deliver banking trojans like Casbaneiro and Horabot.

The Attack Chain: From Email to Banking Trojan

The campaign begins with a deceptively simple phishing email that employs court summons-themed messages designed to create urgency and fear. Recipients are tricked into opening password-protected PDF attachments that appear legitimate but contain embedded malicious links.

When victims click these links, they are directed to malicious URLs that trigger an automatic download of a ZIP archive. The archive contains HTML Application (HTA) and VBS payloads that serve as the first stage of the infection.

The VBS script performs environment and anti-analysis checks, including detection for Avast antivirus software, before retrieving next-stage payloads from remote servers. This multi-stage approach helps the malware evade detection by security solutions.

Dynamic PDF Generation: The ClickFix Innovation

One of the most innovative aspects of this campaign is its use of dynamically generated PDF documents. Rather than distributing static files with hardcoded links, the malware initiates an HTTP POST request to a remote PHP API, passing a randomly generated four-digit PIN.

The server then generates a bespoke, password-protected PDF impersonating a Spanish judicial summons and returns it to the infected host. Because every PDF is built on demand, no two copies share the same bytes, which undermines hash- and signature-based detection of the lure.

The Malware Duo: Casbaneiro and Horabot

Once the infection chain is complete, two malware families are deployed:

Casbaneiro (also known as Metamorfo) is the primary payload, delivered as "staticdata.dll". This Delphi-based banking trojan contacts a command-and-control server to fetch PowerShell scripts that enable further propagation.

Horabot serves as the propagation mechanism, delivered as "at.dll". It functions as both a spam tool and an account-hijacking utility: it targets Yahoo, Live, and Gmail accounts and sends phishing emails through the victim's compromised Microsoft Outlook account.

The Horabot component is particularly concerning because it leverages the victim's own email account to send tailored phishing emails with the newly generated PDF attachments to harvested contacts, creating a worm-like propagation effect.

Technical Sophistication and Evasion Techniques

The attackers employ several sophisticated techniques to bypass modern security controls:

  • WhatsApp Automation: The group maintains a WhatsApp-centric attack infrastructure that automates the distribution of banking trojans like Maverick and Casbaneiro.
  • ClickFix Social Engineering: This tactic tricks users into running malicious HTA files by presenting them as legitimate system prompts or security notifications.
  • Anti-Analysis Checks: The malware includes checks for security software like Avast antivirus to avoid detection.
  • Multi-Stage Loading: The use of AutoIt-based loaders and encrypted payload files with ".ia" or ".at" extensions adds complexity to the attack chain.

Attribution and Campaign History

The activity has been attributed to the Brazilian cybercrime threat actor tracked as Augmented Marauder and Water Saci. This e-crime group was first documented by Trend Micro in October 2025 and has since evolved its tactics significantly.

Water Saci has a history of using WhatsApp Web as a distribution vector for banking trojans, but recent campaigns have incorporated the ClickFix technique to enhance their social engineering capabilities. The group's ability to maintain both WhatsApp-centric and email-based attack paths demonstrates their operational sophistication and adaptability.

Geographic Scope and Target Demographics

The campaign specifically targets Spanish-speaking users in organizations across Latin America and Europe, indicating a focused approach on regions where Spanish is the primary language. This geographic targeting suggests the attackers have localized their social engineering content and understand the cultural context of their victims.

The dual focus on both retail/consumer users through WhatsApp automation and enterprise targets through email hijacking demonstrates the group's ability to operate across different market segments simultaneously.

Security Implications and Mitigation Strategies

This campaign highlights several critical security challenges:

  1. Email Security: Traditional email security solutions may struggle with dynamically generated content and password-protected attachments.
  2. User Awareness: The sophisticated social engineering techniques require enhanced user training to recognize phishing attempts.
  3. Multi-Vector Defense: Organizations need to defend against both email-based and messaging platform-based attacks.
  4. Behavioral Analysis: Security tools must focus on behavioral indicators rather than just static signatures.

Recommended mitigation strategies include:

  • Implementing advanced email security solutions with sandboxing capabilities
  • Conducting regular security awareness training focused on social engineering tactics
  • Deploying endpoint detection and response (EDR) solutions with behavioral analysis
  • Monitoring for unusual email activity from compromised accounts
  • Restricting the execution of HTA and VBS files through Group Policy
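As an added illustration of the "behavioral indicators" and "monitoring" points above (not code from the original article or from any vendor report), the following Python sketch scans constructed process-creation events for the chain the article describes: a script host (wscript/cscript/mshta) running a .vbs or .hta from a user-writable location, escalated when that host spawns PowerShell. The directory list, event shape and sample events are assumptions for the example.

```python
from dataclasses import dataclass

# Script hosts that run the HTA/VBS stages; PowerShell carries the next stage.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
NEXT_STAGE = {"powershell.exe", "pwsh.exe"}
# Directories where a ZIP pulled from a phishing link is typically extracted (assumed).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def exe_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_chains(events):
    """Flag script hosts launching .hta/.vbs from user-writable paths.

    Severity is 'high' when the host also spawns PowerShell (the stage the
    article attributes to Casbaneiro), otherwise 'medium'.
    """
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        if exe_name(e.image) not in SCRIPT_HOSTS:
            continue
        args = e.cmdline.lower()
        if not any(ext in args for ext in (".hta", ".vbs")):
            continue
        if not any(d in args for d in USER_WRITABLE):
            continue  # script from Program Files etc.: treat as benign here
        spawned_ps = any(exe_name(c.image) in NEXT_STAGE for c in children.get(e.pid, []))
        hits.append({"pid": e.pid, "host": exe_name(e.image),
                     "severity": "high" if spawned_ps else "medium"})
    return hits


# Constructed sample events (not real telemetry): one full chain, one benign script, one lone HTA.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\ana\AppData\Local\Temp\citacion_judicial.vbs"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\ana\AppData\Local\Temp\stage2.ps1"),
    ProcEvent(400, 500, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Program Files\Vendor\inventory.vbs"'),
    ProcEvent(600, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\ana\Downloads\notificacion.hta"),
]
```

Running `find_chains(SAMPLE_EVENTS)` reports the wscript-to-PowerShell chain as high and the lone HTA launch as medium, while the vendor script under Program Files is ignored.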

The Evolving Threat Landscape

This campaign represents a significant evolution in banking trojan distribution methods. The integration of ClickFix social engineering, dynamic PDF generation, and WhatsApp automation demonstrates an adversary that is continually innovating to bypass modern security controls.

The attackers' ability to maintain a bifurcated, multi-pronged attack infrastructure while dynamically deploying different attack chains shows a level of operational sophistication that poses serious challenges for defenders.

As banking trojans become increasingly sophisticated in their delivery mechanisms, organizations must adopt a defense-in-depth approach that combines technical controls, user education, and continuous monitoring to effectively counter these evolving threats.


Keywords: Casbaneiro, Metamorfo, banking trojan, phishing campaign, Water Saci, ClickFix, dynamic PDF, WhatsApp automation, Horabot, social engineering, Latin America, cybersecurity, email security
