Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass
#Security

Security Reporter
4 min read

A sophisticated new malware campaign is using WhatsApp to distribute malicious scripts that bypass Windows security controls, allowing attackers to gain persistent remote access to compromised systems.

Microsoft's Defender Security Research Team has uncovered a concerning malware campaign that leverages WhatsApp messages to distribute malicious Visual Basic Script (VBS) files, enabling attackers to hijack Windows systems through a sophisticated infection chain that bypasses User Account Control (UAC) protections.

The campaign, which began in late February 2026, represents a significant evolution in social engineering tactics combined with living-off-the-land techniques that make detection challenging. "The campaign relies on a combination of social engineering and living-off-the-land techniques," Microsoft researchers explained. "It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system."

Infection Chain Analysis

The attack begins with threat actors distributing malicious VBS files through WhatsApp messages. While the exact lures used to trick users into executing these scripts remain unknown, the effectiveness of this delivery vector lies in its ability to bypass traditional email security filters.

Once executed, the VBS script creates hidden folders in "C:\ProgramData" and drops renamed versions of legitimate Windows utilities. Notably, "curl.exe" is renamed as "netapi.dll" and "bitsadmin.exe" is renamed as "sc.exe" – a tactic designed to evade detection by appearing as legitimate system processes.

"The use of legitimate tools and trusted platforms is a deadly combination, as it allows threat actors to blend in normal network activity and increase the likelihood of success of their attacks," Microsoft emphasized.

Persistence and Privilege Escalation

After establishing an initial foothold, the malware focuses on maintaining persistence and escalating privileges. The attackers download auxiliary VBS files hosted on AWS S3, Tencent Cloud, and Backblaze B2 using the renamed binaries, creating a multi-stage infection process.

"Once the secondary payloads are in place, the malware begins tampering with User Account Control (UAC) settings to weaken system defenses," Microsoft reported. "It continuously attempts to launch cmd.exe with elevated privileges, retrying until UAC elevation succeeds or the process is forcibly terminated, modifying registry entries under HKLM\Software\Microsoft\Win, and embedding persistence mechanisms to ensure the infection survives system reboots."

This UAC bypass technique is particularly concerning as it allows the attackers to gain elevated privileges without requiring user interaction. The combination of registry manipulation with UAC bypass techniques ultimately enables the deployment of unsigned MSI installers.

Remote Access and Data Exfiltration

The final stage of the infection deploys legitimate remote access tools such as AnyDesk, which the attackers abuse for malicious purposes. This gives them persistent remote access to the infected systems, enabling data exfiltration or deployment of additional malware as needed.

"This campaign demonstrates a sophisticated infection chain combining social engineering (WhatsApp delivery), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting," Microsoft concluded in their analysis.

Detection and Mitigation Strategies

Organizations should implement several security measures to protect against this threat:

  1. User Education: Train employees to recognize suspicious messages, even those received through seemingly secure platforms like WhatsApp. Emphasize the dangers of executing unsolicited scripts or files.

  2. Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions capable of detecting anomalous process behavior and unusual file modifications.

  3. Application Control: Implement application whitelisting to prevent execution of unauthorized scripts and limit the use of system utilities like PowerShell and WScript.

  4. Network Monitoring: Monitor for suspicious network connections to cloud storage services, particularly unusual data transfers to AWS S3, Tencent Cloud, or Backblaze B2.

  5. UAC Configuration: Consider configuring UAC to prompt for credentials on secure desktops to make bypass attempts more difficult.

  6. Regular Patching: Ensure all systems are up to date with the latest security patches, particularly for Windows and any installed remote access tools.

Indicators of Compromise

Security teams should monitor for the following indicators:

  • Presence of hidden folders in "C:\ProgramData"
  • Renamed system utilities (curl.exe as netapi.dll, bitsadmin.exe as sc.exe)
  • Suspicious registry modifications under HKLM\Software\Microsoft\Win
  • Unusual MSI package installations
  • Network connections to cloud storage services
  • Unwanted installations of remote access tools
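As an added example (not part of Microsoft's report or this article), the Python below runs three detection rules matching the indicators above over constructed Sysmon-style events: a process whose on-disk name differs from the PE OriginalFileName of curl.exe or bitsadmin.exe, execution from C:\ProgramData, and registry writes under the reported key. The event shape and sample values are assumptions; the registry rule matches the key as a whole path component so that a bare prefix test does not also flag the legitimate HKLM\Software\Microsoft\Windows tree.

```python
import ntpath

# Utilities the campaign copies under new names. Sysmon's OriginalFileName field
# comes from the PE version resource, so a renamed copy still reports its real name.
LOLBIN_ORIGINAL_NAMES = {"curl.exe", "bitsadmin.exe"}
REGISTRY_KEY_PREFIX = "HKLM\\Software\\Microsoft\\Win"  # as given in the report

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\ProgramData\\.cache\\netapi.dll", "OriginalFileName": "curl.exe"},
    {"EventID": 1, "Image": "C:\\ProgramData\\.cache\\sc.exe", "OriginalFileName": "bitsadmin.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe", "OriginalFileName": "curl.exe"},
    {"EventID": 13, "TargetObject": "HKLM\\Software\\Microsoft\\Win\\Run\\Updater"},
    {"EventID": 13, "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
]

def renamed_lolbin(event):
    """Process start whose on-disk name differs from the binary's OriginalFileName."""
    if event.get("EventID") != 1:
        return None
    image_name = ntpath.basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    if original in LOLBIN_ORIGINAL_NAMES and original != image_name:
        return f"renamed {original} running as {event['Image']}"
    return None

def programdata_execution(event):
    """Process start from C:\\ProgramData, where the dropper stages its files."""
    if event.get("EventID") == 1 and event["Image"].lower().startswith("c:\\programdata\\"):
        return f"execution from ProgramData: {event['Image']}"
    return None

def suspicious_registry(event):
    """Registry write to the reported key or one of its subkeys; a plain startswith()
    on the prefix would also match the legitimate HKLM\\Software\\Microsoft\\Windows tree."""
    if event.get("EventID") != 13:
        return None
    target, prefix = event["TargetObject"].lower(), REGISTRY_KEY_PREFIX.lower()
    if target == prefix or target.startswith(prefix + "\\"):
        return f"registry write under {REGISTRY_KEY_PREFIX}: {event['TargetObject']}"
    return None

def scan(events):
    """Run every rule over every event and return the list of findings."""
    rules = (renamed_lolbin, programdata_execution, suspicious_registry)
    return [hit for ev in events for rule in rules if (hit := rule(ev))]

print(*scan(SAMPLE_EVENTS), sep="\n")
```

On the constructed sample, the two staged binaries each trigger both the rename and the ProgramData rule, the legitimate System32 processes trigger nothing, and only the write under the reported key (not the Windows\CurrentVersion key) is flagged.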

This campaign highlights the evolving sophistication of threat actors who increasingly leverage legitimate platforms, tools, and services to conduct their attacks. The combination of social engineering through popular messaging apps, abuse of trusted cloud services, and sophisticated UAC bypass techniques creates a potent threat that requires layered security defenses and heightened user awareness.
