Windows Trojan Astaroth has learned to spread via WhatsApp.

✨ Megiddo

✨ President ✨
Staff member
Cybersecurity researchers from the Acronis Threat Research Unit have detected a new wave of attacks in which WhatsApp (owned by Meta, which is designated as extremist and banned in Russia) is used as the distribution channel for the Astaroth banking Trojan. The researchers gave the campaign the catchy codename Boto Cor-de-Rosa.

The scheme goes something like this: after infecting a computer, the malware gains access to the victim's WhatsApp contact list and automatically sends malicious messages to all contacts, continuing the infection chain without user intervention.

Meanwhile, Astaroth (aka Guildma) itself remains "classic": the main module is still written in Delphi, and the installer is a Visual Basic Script. What is new is a worm-like module written in Python that is responsible solely for spreading via WhatsApp. According to Acronis, this is a clear example of malware authors moving toward a modular architecture and mixing programming languages within one toolset.

Astaroth has been known since 2015 and has long specialized in attacks on users in Latin America, primarily Brazil. Its goal is unchanged: stealing banking data. In 2024 the malware was distributed mainly via phishing emails, but the focus is now shifting toward messaging apps. Trend Micro previously described similar campaigns that used WhatsApp to distribute the banking Trojans Maverick and Casbaneiro; Astaroth simply follows this trend.

According to Acronis, the attack begins with a ZIP archive sent via WhatsApp. Inside is a Visual Basic Script disguised as a harmless file. Once the user runs it, a chain of downloads begins, eventually dropping two key modules onto the system:

  • A Python distribution module that collects WhatsApp contacts and sends them a new malicious archive;
  • A banking module that runs in the background and monitors visits to banking websites to intercept login credentials.
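A first-line triage check for the lure described above, written for this post as an added example (it is not Acronis code and not part of Astaroth). It opens a ZIP from bytes and flags members that Windows would hand to a script host (VBS, JS, WSF, HTA and similar) as well as script files hidden behind a document-like extension such as "Comprovante.pdf.vbs". The double-extension and padded-space tricks are assumptions about how the "disguised" VBS might look, since the post does not say; the sample archive is constructed inline with inert placeholder content.

```python
"""Triage a ZIP archive for Windows script members, as a detection aid for
WhatsApp-delivered lures of the kind described above.

Added example, not Acronis code and not part of Astaroth. The double-extension
check ("file.pdf.vbs", "file.pdf    .vbs") is an assumed disguise pattern; the
sample archive built by build_sample() is constructed here for the demo.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows passes to a script host or the shell on double-click.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
               "cmd", "bat", "ps1", "lnk"}
# Extensions a recipient reads as "just a document or picture".
BENIGN_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}


@dataclass
class Finding:
    member: str
    reason: str


def classify_member(name: str) -> Optional[Finding]:
    """Return a Finding if the member name looks like an executable script."""
    base = name.rsplit("/", 1)[-1].lower()          # Windows is case-insensitive
    parts = [p.strip() for p in base.split(".")]    # collapse "pdf    .vbs" padding
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in BENIGN_EXTS:
        return Finding(name, f"script .{ext} masquerading as .{parts[-2]}")
    return Finding(name, f"script member (.{ext})")


def triage_zip(data: bytes) -> List[Finding]:
    """Scan every file entry in the archive and collect findings."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hit = classify_member(info.filename)
            if hit is not None:
                findings.append(hit)
    return findings


def build_sample() -> bytes:
    """Constructed sample: a decoy image plus a VBS with a double extension.
    Contents are inert placeholders, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto.jpg", b"\xff\xd8\xff")
        zf.writestr("Comprovante.pdf.vbs", 'WScript.Echo "placeholder"\n')
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample()):
        print(f"{f.member}: {f.reason}")
```

Run on a captured attachment, this gives a quick yes/no on whether a "document" archive carries anything a script host would execute; it deliberately does not unpack or execute members, so it is safe to run on a live sample before deeper analysis.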
Separately, the researchers noted a curious detail: the malware collects its own delivery telemetry and reports it to the operators: how many messages were delivered, how many failed, and how quickly the spam run progressed.