A Sophisticated Threat Targeting Brazilian Users
A highly complex malware campaign is targeting Brazilian users with a new banking Trojan named Maverick. The threat spreads on a mass scale using WhatsApp messages that contain a malicious LNK file hidden within a ZIP archive. The entire infection chain is fileless, meaning it operates exclusively in the system’s memory to evade detection by traditional antivirus software.
The attack begins when a victim opens the LNK file, which triggers a series of obfuscated PowerShell scripts. These scripts communicate with a command-and-control (C2) server, which verifies the request originates from the malware before delivering the next stage. This intricate process involves decoding and loading multiple .NET payloads directly into memory, including a loader that downloads two separate encrypted components.
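The lure described above is a ZIP archive carrying a Windows shortcut. As an added defensive example (not code from the Securelist report), the Python scanner below flags any ZIP that contains an LNK file, identifying the shortcut by its fixed header rather than its extension and recursing into nested archives; the sample archive it inspects is constructed inline.

```python
import io
import zipfile

# Every Windows shortcut begins with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian bytes).
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

def is_lnk(data: bytes) -> bool:
    """Identify a shortcut by its header so a renamed extension does not hide it."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC

def find_lnk_in_zip(blob: bytes, prefix: str = "", depth: int = 0) -> list[str]:
    """Return the path of every shortcut inside a ZIP, descending into nested ZIPs."""
    hits: list[str] = []
    if depth > 3:  # bound recursion so a crafted archive cannot loop the scanner
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return hits  # not an archive at all: nothing to report
    with zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > 1_000_000:
                continue  # skip directories and oversized members
            data = zf.read(info)
            path = prefix + info.filename
            if is_lnk(data):
                hits.append(path)
            elif data[:2] == b"PK":  # member is itself a ZIP: scan it too
                hits.extend(find_lnk_in_zip(data, path + "/", depth + 1))
    return hits

def build_sample() -> bytes:
    """Constructed test archive: a decoy image plus a nested ZIP holding a
    shortcut whose extension was changed to .pdf (a fake LNK body, not a real one)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("renamed.pdf", LNK_MAGIC + b"\x00" * 60)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("foto.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        z.writestr("documentos.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    print(find_lnk_in_zip(build_sample()))  # ['documentos.zip/renamed.pdf']
```

The same function can be run over attachments at a mail or messaging gateway, where a ZIP containing any shortcut is a strong enough signal to quarantine on its own.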
Dual-Payload Attack: Spreading and Stealing
Maverick’s first payload is a WhatsApp infector module. Using the Selenium browser automation tool and the WPPConnect project, it hijacks the victim’s WhatsApp account to automatically send the malicious ZIP file to their contacts, creating a worm-like spreading effect. The second, and primary, payload is the Maverick Banker itself.
This component establishes persistence on the infected machine and begins monitoring browser activity. It specifically watches for users visiting a predefined list of Brazilian online banking sites. When a target site is accessed, it decrypts and executes the final “Maverick Agent.” This agent is responsible for keylogging, capturing screenshots, and exfiltrating sensitive financial information to the C2 server. Researchers note significant code overlaps and shared encryption techniques with the Coyote banking Trojan, suggesting Maverick is a major evolution or refactoring of the same malware family.
Source: https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/