Microsoft has issued a warning about a sophisticated multi-stage malware campaign abusing WhatsApp messages to deliver malicious MSI installers, allowing attackers to gain remote access to victims' systems and steal data.
How the Attack Works
The campaign, which began in late February, starts with a WhatsApp message containing malicious Visual Basic Script (VBS) files. While Microsoft hasn't disclosed the exact social engineering tactics used, the attack likely exploits compromised WhatsApp sessions so messages appear to come from trusted contacts, or uses urgent lures that prompt recipients to act quickly without thinking.
Once the victim executes the malicious file, the script creates hidden folders in C:\ProgramData and drops renamed copies of legitimate Windows utilities. For example, curl.exe is renamed to netapi.dll and bitsadmin.exe to sc.exe. This "living off the land" technique lets attackers blend in with normal system and network activity by using built-in tools for malicious purposes.
Critical Security Flaw in the Attack
Microsoft researchers discovered a significant mistake made by the attackers: the renamed binaries retain their original Portable Executable (PE) metadata, including the OriginalFileName field that still identifies them as curl.exe and bitsadmin.exe. This metadata discrepancy provides a valuable detection signal for security solutions like Microsoft Defender, which can flag instances where a file's name doesn't match its embedded metadata.
Multi-Stage Payload Delivery
The malware then downloads secondary VBS payloads (auxs.vbs, 2009.vbs) from trusted cloud services including AWS, Tencent Cloud, and Backblaze B2. Using reputable cloud providers makes it harder to distinguish between legitimate enterprise activity and malicious downloads.
The attack chain continues with the malware altering User Account Control (UAC) settings and attempting to launch cmd.exe with elevated privileges. This persistence mechanism ensures the malware survives system reboots unless forcibly terminated.
Final Payload and Consequences
In the final stage, attackers deploy malicious MSI installers including Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi. While these installers bundle real tools like AnyDesk to hide in plain sight, none are digitally signed, another red flag for defenders.
Once installed, these payloads give attackers remote access to victims' systems, enabling them to steal sensitive data, deploy additional malware such as ransomware, or use infected machines as part of larger attack networks.
Protection Recommendations
Microsoft recommends several defensive measures:
- Train employees to recognize suspicious WhatsApp attachments and unexpected messages
- Be aware that even familiar platforms can be exploited for malware delivery
- Monitor for unsigned MSI installers and metadata discrepancies in system files
- Use security solutions that can detect "living off the land" techniques
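The two detection signals the article describes, the PE OriginalFilename mismatch on renamed binaries and the lack of a digital signature on the MSI packages, can be checked with a short script. The following PowerShell is an added example, not code from the original article or from Microsoft; it walks a directory tree including hidden folders, reports .exe/.dll files whose on-disk name differs from the OriginalFilename stored in their version resource, and reports .msi files that do not carry a valid Authenticode signature. The scan root C:\ProgramData and the watched tool names curl.exe and bitsadmin.exe come from the article; the function names, severity labels and output shape are assumptions.

```powershell
# Added example (not from the article or from Microsoft): hunt for renamed
# LOLBins whose PE metadata still names the original tool, and for unsigned
# MSI packages, under a directory the campaign is reported to use.
param(
    [string]$Root = 'C:\ProgramData'   # scan root named in the article
)

# Original names the article reports being hidden behind new file names.
$WatchedOriginals = @('curl.exe', 'bitsadmin.exe')

function Test-RenamedBinary {
    param([System.IO.FileInfo]$File)

    # OriginalFilename comes from the VS_VERSIONINFO resource; files without
    # a version resource give nothing to compare and are skipped.
    $orig = $File.VersionInfo.OriginalFilename
    if ([string]::IsNullOrWhiteSpace($orig)) { return $null }
    $orig = $orig.Trim()

    # Compare names only; a few legitimate tools store a path here.
    if ($File.Name -ieq [System.IO.Path]::GetFileName($orig)) { return $null }

    # Renamed installers are common, so a generic mismatch is only a weak
    # signal; a mismatch that reveals a known LOLBin is the strong one.
    $severity = if ($WatchedOriginals -contains $orig) { 'High' } else { 'Low' }

    [pscustomobject]@{
        Path     = $File.FullName
        OnDisk   = $File.Name
        Original = $orig
        Severity = $severity
        Reason   = 'On-disk name does not match PE OriginalFilename'
    }
}

function Test-UnsignedMsi {
    param([System.IO.FileInfo]$File)

    # Get-AuthenticodeSignature understands MSI packages; anything other than
    # Valid (NotSigned, HashMismatch, ...) is worth a look.
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    if ($sig.Status -eq 'Valid') { return $null }

    [pscustomobject]@{
        Path     = $File.FullName
        OnDisk   = $File.Name
        Original = ''
        Severity = 'Medium'
        Reason   = "MSI signature status: $($sig.Status)"
    }
}

$findings = @()
# -Force is needed because the campaign drops its files in hidden folders.
Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_   # keep the FileInfo; $_ is rebound inside switch
        switch ($file.Extension.ToLower()) {
            '.exe' { $findings += Test-RenamedBinary -File $file }
            '.dll' { $findings += Test-RenamedBinary -File $file }
            '.msi' { $findings += Test-UnsignedMsi   -File $file }
        }
    }

$findings | Where-Object { $_ } | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated prompt so hidden ProgramData subfolders are readable, and treat a Low-severity mismatch as context rather than an alert: plenty of legitimate software ships renamed binaries. A High finding such as a file named netapi.dll whose OriginalFilename reads curl.exe is the specific discrepancy the article says Defender keys on.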
The campaign highlights the growing sophistication of social engineering attacks and the importance of user education in cybersecurity defense. As attackers increasingly abuse trusted communication platforms and legitimate system tools, organizations must adopt multi-layered security approaches that combine technical controls with comprehensive user training.

This attack serves as a reminder that no platform is immune to exploitation, and users should exercise caution with unexpected messages and attachments, even from known contacts. The combination of social engineering, legitimate tool abuse, and trusted cloud services makes this campaign particularly dangerous and difficult to detect using traditional security measures.
