Astaroth has resurfaced in a new Brazilian campaign that uses a Python-based WhatsApp worm to spread its banking trojan automatically through victims' contact lists. The worm infects new machines by sending a malicious ZIP file to each victim's friends and family, so every infection becomes a new distribution point and the campaign feeds itself across the region.
A long-standing banking malware known as Astaroth has launched a new campaign in Brazil called Boto Cor-de-Rosa, marking a significant shift in its distribution strategy. Earlier Astaroth campaigns were delivered mainly by email; this iteration instead propagates like a worm through WhatsApp Web. Running on the infected machine, the worm drives the victim's WhatsApp Web session, harvests the entire contact list and sends a malicious message to every contact it finds. Because each message arrives from a known contact, recipients extend it the trust they give that person, which makes the infection far more likely to spread quickly within the local ecosystem.
The technical structure of the attack highlights a growing trend toward modular, multi-language development in cybercrime. The core banking payload is still written in Delphi and the initial installer is Visual Basic Script, while the component responsible for the WhatsApp worm is written entirely in Python. This separation of duties lets the attackers update each part of the malware independently. The chain typically begins when a user receives a ZIP file over WhatsApp; when the victim extracts and runs the disguised script inside it, that VBS installer downloads the remaining malicious modules onto the computer.
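The chain above starts with a user-executed script hiding inside a ZIP attachment. The following triage script is an added example (not code from the Acronis report or from the Astaroth operators) that inspects an archive's member names for the disguise patterns a dropper relies on: an extension Windows will execute, a decoy document extension placed in front of it, and whitespace padding that pushes the real extension out of view. The extension lists, the heuristics beyond the VBS installer the page names, and the sample archive are my assumptions, constructed inline so the script runs offline.

```python
"""Triage a ZIP lure for disguised script droppers.

Added example, not code from the page or the Astaroth operators. The page
says the chain starts with a ZIP received over WhatsApp that contains a
disguised script (the installer is VBS). Extension lists, the padding and
decoy heuristics, and the sample archive below are assumptions.
"""
import io
import zipfile

# Extensions Windows runs on double-click. VBS is the one the page names;
# the rest are common dropper formats (assumption, not from the page).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk",
                   ".bat", ".cmd", ".ps1", ".exe", ".scr"}
# Extensions a victim expects on a "receipt", "document" or "photo".
DECOY_EXTS = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx",
              ".xls", ".xlsx", ".txt"}


def triage_member(name: str) -> list[str]:
    """Return the reasons one archive member name looks like a dropper."""
    reasons: list[str] = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop directories
    parts = base.split(".")
    if len(parts) < 2:                                  # no extension at all
        return reasons
    final = "." + parts[-1].strip().lower()
    if final not in EXECUTABLE_EXTS:
        return reasons
    reasons.append(f"executable extension {final}")
    # "Comprovante.pdf.vbs": decoy document extension in front of the real one
    if len(parts) >= 3 and "." + parts[-2].strip().lower() in DECOY_EXTS:
        reasons.append("decoy document extension in front of the real one")
    # "Boleto.pdf        .vbs": padding hides the real extension in narrow views
    if parts[-2] != parts[-2].rstrip():
        reasons.append("whitespace padding hides the real extension")
    return reasons


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its findings; empty dict if clean."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = triage_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(triage_zip(data))


def build_sample_zip() -> bytes:
    """Constructed sample archive; member contents are harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Comprovante_Pagamento.pdf.vbs",
                    "' constructed placeholder, not a real script\r\n")
        zf.writestr("Boleto.pdf                 .vbs",
                    "' constructed placeholder, not a real script\r\n")
        zf.writestr("fotos/foto.jpg", b"\xff\xd8\xff\xe0placeholder")
        zf.writestr("leiame.txt", "constructed placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

The check works on names only, so it costs nothing to run on every archive crossing a mail or chat gateway, and it deliberately does not open the members: a matching name is enough to quarantine for manual review, and content analysis of the VBS can happen afterwards in a sandbox.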
Geographic targeting remains a central theme of this campaign, as the attackers focus almost exclusively on Brazilian users. Lures that are culturally relevant and written in Portuguese let the campaign blend into the daily digital lives of its targets. This regional specialization makes the malicious links and files look legitimate to an average user who already relies on WhatsApp for both personal and professional communication.
Once the system is compromised, the malware operates through two distinct modules that work in tandem. The propagation module handles the spreading: it automatically messages the victim's contacts with the malicious ZIP file, so each new victim becomes a new source of distribution. Meanwhile, the banking module runs silently in the background, waiting for the user to visit specific financial websites. It monitors web traffic and activates its credential-stealing features only when it detects an attempt to access a bank account. That dormancy matters for analysis: a sandbox run that never browses to a targeted bank will show only the propagation behaviour and can easily miss the financial payload.
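The propagation module's defining behaviour is that one account sends the same ZIP to a large number of distinct contacts in a short time. The detector below is an added example, not code from the page or from Acronis, that looks for exactly that fan-out pattern in outbound message events. The event format (timestamp, sender, recipient, filename, SHA-256 of the attachment), the thresholds and the sample events are all assumptions, constructed inline so the script runs offline; real telemetry would have to come from whatever messaging or proxy logs an environment actually has.

```python
"""Flag worm-like fan-out of one attachment to many contacts.

Added example, not from the page or the Acronis research. The page says the
propagation module sends the same malicious ZIP to every harvested contact;
this looks for that pattern in outbound message events. The event format,
thresholds and sample events are assumptions, constructed inline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Alert when one sender pushes the same file to at least FANOUT_THRESHOLD
# distinct recipients inside WINDOW (assumed thresholds, tune per environment).
FANOUT_THRESHOLD = 10
WINDOW = timedelta(minutes=5)


def parse_event(line: str) -> tuple[datetime, str, str, str, str]:
    """Parse 'ISO8601 sender recipient filename sha256' (constructed format)."""
    ts, sender, recipient, filename, digest = line.split()
    return datetime.fromisoformat(ts), sender, recipient, filename, digest


def detect_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return one alert per (sender, attachment) that exceeds the fan-out rule."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)   # (sender, sha256) -> deque of (ts, recipient)
    alerted = set()
    alerts = []
    for ts, sender, recipient, filename, digest in events:
        if not filename.lower().endswith(".zip"):   # the page's lure is a ZIP
            continue
        key = (sender, digest)
        q = recent[key]
        q.append((ts, recipient))
        while q and ts - q[0][0] > window:          # slide the window forward
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "sender": sender,
                "filename": filename,
                "sha256": digest,
                "recipients": len(distinct),      # count at the moment of alert
                "first_seen": q[0][0],
                "last_seen": ts,
            })
    return alerts


def build_sample_events() -> list[str]:
    """Constructed log lines: one worm-like sender, two benign ones."""
    t0 = datetime(2025, 1, 15, 10, 0, 0)
    worm_digest = "a" * 64
    lines = []
    # Worm: same ZIP to 12 contacts, one every 15 seconds.
    for i in range(12):
        ts = (t0 + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{ts} +5511900000001 +55119000010{i:02d} Comprovante.zip {worm_digest}")
    # Benign: holiday photos to three friends.
    for i in range(3):
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} +5511900000002 +55119000020{i:02d} fotos.zip {'b' * 64}")
    # Benign: a PDF report to a whole team; not a ZIP, so not in scope here.
    for i in range(15):
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} +5511900000003 +55119000030{i:02d} relatorio.pdf {'c' * 64}")
    return lines


if __name__ == "__main__":
    for alert in detect_fanout(build_sample_events()):
        print(alert)
```

Keying on the attachment hash rather than the filename is what separates the worm from a person forwarding a newsletter: the worm sends byte-identical payloads, while a human who sends a dozen different files to a dozen people never trips the rule.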
The discovery of this campaign by researchers at Acronis emphasizes the dangerous effectiveness of combining traditional banking trojans with modern social messaging platforms. By automating payload delivery through a trusted medium like WhatsApp, the developers of Astaroth have sidestepped the email-based security filters that would normally inspect such attachments. This dual-threat approach of rapid propagation and silent financial theft makes the Boto Cor-de-Rosa campaign a significant evolution in the landscape of regional cyber threats.
Source: Astaroth Banking Trojan Spreads In Brazil Via Whatsapp Worm