WhatsApp Abused to Spread Astaroth Banking Malware in Large-Scale Infection Campaign
Attackers turn trusted messaging apps into self-propagating malware delivery channels

Severity
HIGH — Banking Malware / Worm-Like Propagation
News Overview
Cybersecurity researchers have uncovered a new malware campaign that abuses WhatsApp as a primary distribution channel to spread the Astaroth banking trojan. The operation targets Windows systems and relies on social trust within messaging platforms to accelerate infections.
The campaign demonstrates a shift in delivery tactics. Instead of relying only on phishing emails, attackers now weaponize instant messaging to bypass traditional security controls and reach victims directly.
Malware Background
Astaroth, also known as Guildma, is a long-running banking trojan active since 2015. It primarily targets financial users and focuses on credential theft, session hijacking, and fraudulent transactions. The malware has historically spread through phishing emails and malicious attachments.
In recent campaigns, attackers have modernized Astaroth’s delivery and propagation methods to improve reach and persistence.
WhatsApp-Based Infection Chain
The attack begins with malicious ZIP archives sent through WhatsApp messages. These files appear legitimate and often impersonate benign documents or utilities. Once a victim extracts and opens the archive, a disguised script launches the infection process.
The initial script downloads additional components and activates the malware chain. From this point, the infection spreads automatically through WhatsApp.
Multi-Stage Malware Architecture
The campaign uses a modular, multi-language design to evade detection and increase flexibility:
- The core banking trojan remains written in Delphi
- The installer relies on Visual Basic scripting
- A newly introduced Python module handles WhatsApp-based propagation
This modular structure allows attackers to update or replace components without rebuilding the entire malware.
Worm-Like Propagation
One of the most concerning aspects of the campaign is its self-spreading behavior. The malware extracts the victim’s WhatsApp contact list and automatically sends malicious ZIP files to each contact.
This mechanism enables rapid, worm-like expansion across trusted social networks, increasing infection rates without user interaction beyond the initial execution.
Banking Data Theft Capabilities
In parallel, the banking module runs silently in the background. It monitors web activity and activates when victims access banking or financial websites. Once triggered, the trojan attempts to steal credentials, session data, and other sensitive information.
The malware also tracks its own propagation success. It records how many messages were sent, delivered, or failed, allowing attackers to measure campaign effectiveness in real time.
Key Risks
- Delivery over messaging platforms bypasses email security controls
- Trust between contacts accelerates malware spread
- Banking activity monitoring enables financial theft
- Multi-language code complicates detection and analysis
Recommended Defensive Actions
- Treat messaging apps as potential malware delivery channels
- Block execution of scripts from compressed archives
- Monitor endpoints for abnormal WhatsApp data access
- Restrict scripting engines like PowerShell and VBScript
- Educate users about unexpected files sent via chat apps
Organizations should expand threat models beyond email-based phishing to include instant messaging abuse.
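As an added, defender-side example (not code from the article or from any research it summarizes), the Python below implements two of the recommended actions: it inspects a ZIP archive for script members and double-extension disguises before a user can open them, and it runs a simple triage rule over process-creation events to flag script hosts launched from an archive-extraction temp directory and non-WhatsApp processes whose command line references WhatsApp data. The pipe-delimited event format, the sample archive, the paths and the extension list are all constructed assumptions for this example, not artifacts from the campaign.

```python
import io
import re
import zipfile

# Extensions Windows hands to a script host or shell on double-click.
# This list is an assumption for the example, not taken from the article.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat",
                     ".cmd", ".hta", ".lnk", ".scr", ".exe", ".py"}
# "documento.pdf.vbs": a document extension followed by an executable one.
DOUBLE_EXTENSION = re.compile(
    r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.[a-z0-9]{2,4}$", re.I)

# Script hosts and the temp location Explorer and most unzippers extract into.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
TEMP_EXTRACT = re.compile(r"\\appdata\\local\\temp\\", re.I)


def inspect_archive(data: bytes):
    """Return (member, reason) for every archive member that would run as a
    script or that hides an executable extension behind a document one."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            ext = base[base.rfind("."):] if "." in base else ""
            if DOUBLE_EXTENSION.search(base):
                findings.append((info.filename, "double extension"))
            elif ext in SCRIPT_EXTENSIONS:
                findings.append((info.filename, f"script or executable member {ext}"))
    return findings


def parse_event(line: str) -> dict:
    """Constructed 'key=value|key=value' format standing in for a real
    process-creation event (Sysmon event 1, EDR telemetry, etc.)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def flag_process_events(lines):
    """Return (pid, reason) for events matching either triage rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        cmdline = ev.get("cmdline", "")
        if image in SCRIPT_HOSTS and TEMP_EXTRACT.search(cmdline):
            alerts.append((ev["pid"], "script host launched from archive extraction temp dir"))
        elif image != "whatsapp.exe" and "whatsapp" in cmdline.lower():
            alerts.append((ev["pid"], "non-WhatsApp process referencing WhatsApp data"))
    return alerts


def build_sample_archive() -> bytes:
    """Constructed archive mimicking a chat-delivered ZIP with one disguised script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documento.pdf.vbs", "' constructed placeholder, not a real script\n")
        zf.writestr("readme.txt", "sample\n")
        zf.writestr("imgs/foto.jpg", b"\xff\xd8\xff\xd9")
    return buf.getvalue()


# Constructed process-creation events; paths and names are invented.
SAMPLE_EVENTS = [
    r"pid=4112|parent=explorer.exe|image=C:\Windows\System32\wscript.exe"
    r"|cmdline=wscript.exe C:\Users\ana\AppData\Local\Temp\Temp1_documento.zip\documento.pdf.vbs",
    r"pid=4120|parent=wscript.exe|image=C:\Users\ana\AppData\Local\Temp\py\pythonw.exe"
    r"|cmdline=pythonw.exe module.py --contacts C:\Users\ana\AppData\Local\WhatsApp\contacts.db",
    r"pid=4131|parent=explorer.exe|image=C:\Program Files\WhatsApp\WhatsApp.exe|cmdline=WhatsApp.exe",
    r"pid=4140|parent=explorer.exe|image=C:\Windows\System32\notepad.exe"
    r"|cmdline=notepad.exe C:\Users\ana\Documents\notes.txt",
]

if __name__ == "__main__":
    for member, why in inspect_archive(build_sample_archive()):
        print(f"archive: {member}: {why}")
    for pid, why in flag_process_events(SAMPLE_EVENTS):
        print(f"process {pid}: {why}")
```

The archive check belongs at the point where a file from a chat client is written to disk or opened (a gateway, an EDR file-event hook, or a user-invoked checker); the process rule belongs in the SIEM or EDR rule set. Both are deliberately narrow so that ordinary WhatsApp use and ordinary document archives produce no alerts; the sample run yields one archive finding and two process alerts, with the legitimate WhatsApp.exe and notepad.exe events left untouched.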