Full Report
Direct messages sent via WhatsApp are being used to distribute malicious Visual Basic Script (VBScript) files that lead to the installation of legitimate Remote Monitoring and Management (RMM) software. Per findings from Kaspersky, the active campaign is targeting users of WhatsApp Desktop and WhatsApp Web across Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia,
Analysis Summary
# Tool/Technique: WhatsApp-Distributed VBScript RMM Campaign
## Overview
This campaign utilizes social engineering via WhatsApp Direct Messages to deliver malicious Visual Basic Script (VBScript) files. These scripts act as downloaders or droppers designed to install legitimate Remote Monitoring and Management (RMM) tools, which are then repurposed by attackers for unauthorized persistent access and data exfiltration.
## Technical Details
- **Type:** Malware Downloader / Living-off-the-Land (LotL)
- **Platform:** Windows (Targeting users of WhatsApp Desktop and WhatsApp Web)
- **Capabilities:** Script-based execution, automated download of a second-stage installer, and installation of legitimate RMM software so that the attacker's remote-access channel looks like sanctioned administration rather than malware.
- **First Seen:** Active at the time of Kaspersky's report; the excerpt above does not give a first-seen date.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.003 - Phishing: Spearphishing via Service (WhatsApp direct message)
- **TA0002 - Execution**
- T1059.005 - Command and Scripting Interpreter: Visual Basic
- T1204.002 - User Execution: Malicious File (the victim has to open the `.vbs`)
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (the script downloads the RMM installer)
- T1219 - Remote Access Software (ATT&CK files this under Command and Control rather than Persistence; once installed, the RMM agent also gives the attacker durable access)
- **TA0005 - Defense Evasion**
- T1202 - Indirect Command Execution (applies only where the script launches the payload through an intermediary utility; a plain `WScript.Shell.Run` of `powershell.exe` is T1059, not T1202)
- T1036 - Masquerading (the `.vbs` lure is presented as a document or image; abuse of the RMM tool itself is covered by T1219, not by Masquerading)
## Functionality
### Core Capabilities
- **Social Engineering Delivery:** Distributes malicious `.vbs` files disguised as legitimate documents or files via WhatsApp.
- **Payload Dropping:** Once executed, the VBScript connects to a remote server to fetch installer packages.
- **RMM Deployment:** Automatically installs a legitimate RMM client, giving the attacker interactive remote control of the host. The excerpt above does not name the product; AnyDesk, ScreenConnect and Atera are mentioned here only as the tools most often abused in comparable campaigns.
### Advanced Features
- **Abuse of Trust:** The RMM client is a signed, commercially supported binary that many organisations allowlist or already run, so AV and EDR tend to treat it as benign. The malicious part of the chain is the delivery and the operator, not the tool.
- **Two Delivery Surfaces:** Targets both the WhatsApp Desktop application and WhatsApp Web in a browser. In either case the `.vbs` lands on a Windows host and runs under the Windows Script Host when opened, so the attack surface is the same endpoint reached two ways.
## Indicators of Compromise
*(Note: the Kaspersky excerpt above publishes no hashes, domains or IPs. The file names and network entries below are illustrative placeholders for the pattern, not indicators from the report; do not load them into blocklists as-is.)*
- **File Names:** `Document.vbs`, `Invoice.vbs`, `Order_Details.vbs`, `WhatsApp_Image.vbs`
- **Network Indicators:**
- hxxps[://]bit[.]ly/[REDACTED] (Shortened URLs for payload delivery)
- hxxp[://]104[.]xxx[.]xxx[.]xxx/ (Direct IP downloads of RMM installers)
- **Behavioral Indicators:**
- `wscript.exe` or `cscript.exe` initiating outbound network connections, or spawning `powershell.exe`, `cmd.exe` or `mshta.exe`.
- Unexpected installation of RMM software under user-writable, user-profile directories (`%AppData%`, `%LocalAppData%\Temp`, `Downloads`) rather than `Program Files`.
- Outbound connections to RMM vendor relay infrastructure from hosts that are not enrolled in the organisation's own RMM deployment.
## Associated Threat Actors
- **Unknown:** Currently attributed to financially motivated or general cybercriminal campaigns targeting multiple regions (Malaysia, Brazil, India, UK, etc.).
## Detection Methods
- **Signature-based:** Flag `.vbs` files that are heavily obfuscated (long `Chr()` or concatenation chains, reversed or Base64-encoded strings), that embed URLs or IP literals, or that invoke `powershell` or `cmd`. VBScript is plain text, so a raw byte-entropy threshold on its own is a weak discriminator; combine it with string-level checks.
- **Behavioral detection:**
- Alert on `wscript.exe` or `cscript.exe` spawning `powershell.exe`, `cmd.exe`, `mshta.exe` or `msiexec.exe`, and on either script host opening an outbound network connection.
- Monitor for the execution of RMM installers that did not originate from official IT deployment tools.
- **YARA Rule (Conceptual):** VBScript files are plain text with no magic bytes, so the rule keys on strings rather than a header check, and because VBScript identifiers are case-insensitive every string is matched `nocase`. Tune and test against your own script corpus before deploying.
```yara
rule WhatsApp_VBS_Downloader
{
    meta:
        description = "Conceptual: VBScript that creates a shell object and fetches or launches a payload"
    strings:
        $shell  = "WScript.Shell" nocase
        $http1  = "MSXML2.XMLHTTP" nocase
        $http2  = "WinHttp.WinHttpRequest" nocase
        $stream = "ADODB.Stream" nocase
        $ps     = "powershell" nocase
        $dl     = ".DownloadFile(" nocase
    condition:
        filesize < 1MB and $shell and (1 of ($http*) or $stream or $ps or $dl)
}
```
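The behavioural indicators and detection bullets above, worked through as an added example that is not part of the original report or of Kaspersky's research: a small Python rule set run over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. It links processes by `ProcessGuid`/`ParentProcessGuid` so that an RMM installer is flagged when a script host sits anywhere in its ancestry or it runs from a user-writable path, while a service-launched copy under `Program Files` (the IT-managed case) is left alone. The installer names, paths, GUIDs and addresses in the sample events are assumptions for illustration, not indicators from the campaign.

```python
"""Behavioural detection for a script-host -> shell -> RMM install chain.

Added example; not code from the original report or from Kaspersky.
Runs Sysmon-style Event ID 1 (process create) and Event ID 3 (network
connection) records through three rules matching the indicators above.
All sample events, installer names and paths are constructed assumptions.
"""
import json
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "msiexec.exe"}
# Assumed installer/agent file names for RMM products commonly abused; tune to your fleet.
RMM_INSTALLERS = {"anydesk.exe", "screenconnect.clientsetup.exe", "ateraagent.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\", "\\downloads\\", "\\temp\\")

# Constructed Sysmon-like events (JSON lines). G1..G3 is the malicious chain;
# G4 is a legitimate, IT-deployed AnyDesk started by the service manager.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "G1", "ParentProcessGuid": "G0", "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wscript.exe C:\\Users\\bob\\Downloads\\Invoice.vbs"}
{"EventID": 3, "ProcessGuid": "G1", "Image": "C:\\Windows\\System32\\wscript.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 1, "ProcessGuid": "G2", "ParentProcessGuid": "G1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "powershell -w hidden -File C:\\Users\\bob\\AppData\\Local\\Temp\\stage.ps1"}
{"EventID": 1, "ProcessGuid": "G3", "ParentProcessGuid": "G2", "Image": "C:\\Users\\bob\\AppData\\Roaming\\AnyDesk.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "AnyDesk.exe --install"}
{"EventID": 1, "ProcessGuid": "G4", "ParentProcessGuid": "G9", "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "AnyDesk.exe --service"}
"""


def load_events(text):
    """Parse JSON-lines Sysmon events into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def in_user_writable_dir(path):
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def ancestry(event, by_guid, max_depth=8):
    """Yield parent process-create events by following ParentProcessGuid."""
    cur = event
    for _ in range(max_depth):
        cur = by_guid.get(cur.get("ParentProcessGuid"))
        if cur is None:
            return
        yield cur


def detect(events):
    """Return (rule, ProcessGuid, detail) tuples, in event order."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        img = basename(e.get("Image", ""))
        if e["EventID"] == 1:
            parent = basename(e.get("ParentImage", ""))
            # Rule 1: a script host spawning a shell or LOLBin.
            if parent in SCRIPT_HOSTS and img in SUSPICIOUS_CHILDREN:
                alerts.append(("script_host_spawns_shell", e["ProcessGuid"],
                               f"{parent} -> {img}: {e.get('CommandLine', '')}"))
            # Rule 2: an RMM installer/agent started from a user-writable path
            # or with a script host anywhere in its ancestry. A service-launched
            # copy under Program Files (the IT-managed case) does not match.
            if img in RMM_INSTALLERS:
                script_ancestor = any(basename(a.get("Image", "")) in SCRIPT_HOSTS
                                      for a in ancestry(e, by_guid))
                if script_ancestor or in_user_writable_dir(e.get("Image", "")):
                    alerts.append(("unmanaged_rmm_install", e["ProcessGuid"],
                                   f"{e['Image']} (script ancestor={script_ancestor})"))
        elif e["EventID"] == 3 and img in SCRIPT_HOSTS:
            # Rule 3: the script host itself talking to the network.
            alerts.append(("script_host_network", e["ProcessGuid"],
                           f"{img} -> {e.get('DestinationIp')}:{e.get('DestinationPort')}"))
    return alerts


if __name__ == "__main__":
    for rule, guid, detail in detect(load_events(SAMPLE_EVENTS)):
        print(f"[{rule}] {guid}: {detail}")
```

Run against the constructed sample, the three rules fire once each on the malicious chain (G1 network, G2 shell spawn, G3 unmanaged install) and stay silent on the service-launched G4. In production the same logic maps directly onto a SIEM query over Sysmon or EDR telemetry; the ancestry walk is what keeps the RMM rule from firing on every legitimate agent update.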
## Mitigation Strategies
- **Prevention:**
- Disable the Windows Script Host where it is not needed for business operations: deny `wscript.exe` and `cscript.exe` with an AppLocker or WDAC rule (both deployable through Group Policy), or set `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled` to `0`. On current Windows 11 builds VBScript ships as an optional Feature on Demand and can be removed outright.
- Block `.vbs`, `.vbe`, `.js` and `.jse` files from executing out of user-writable paths (`%USERPROFILE%\Downloads`, `%TEMP%`, `%AppData%`) with AppLocker script rules, or re-associate those extensions with `notepad.exe` so that a double-click opens the file instead of running it.
- **Hardening:**
- Implement an **Application Allowlist** that permits only the RMM product your IT team actually deploys, and only from its managed install path, so that a second copy dropped under a user profile cannot run.
- Educate users on the risks of downloading and opening files sent via instant messaging platforms like WhatsApp.
## Related Tools/Techniques
- **Living off the Land (LotL):** Using built-in OS components to execute malicious code.
- **RMM Abuse:** Similar to campaigns involving "Tactical RMM" or "NetSupport Manager" for unauthorized access.
- **Browser-based Phishing:** Techniques targeting WhatsApp Web session tokens or file delivery.