WHATSAPP WORMCHAIN — Maverick and SORVEPOTEL: The Malware That Turns Chats Into a Weapon

Threat Summary

Category: Financially Motivated Malware / Messaging-Propagated Banking Trojan
Features: WhatsApp Web session hijack, Chrome profile theft, PowerShell in-memory execution, .NET loader, banking credential theft, geofencing to Brazil, automated propagation.
Delivery Method: ZIP archive → LNK or VBS execution → PowerShell loader → ChromeDriver automation → WhatsApp Web hijack → contact-chain propagation.
Threat Actor: Believed to operate within the Brazilian cybercriminal ecosystem known as Water Saci — a cluster linked to the earlier Coyote banking trojan. Attribution remains under investigation.

---

Security analysts have confirmed that a new malware strain called Maverick is spreading across Brazil by exploiting one of the country’s most trusted communication tools — WhatsApp Web.

The attack begins when a victim receives and opens a ZIP archive disguised as a legitimate document. Inside sits a shortcut (.lnk) and a VBScript (Orcamento.vbs) that silently launch PowerShell commands. These commands run entirely in memory, avoiding disk detection while downloading an additional script (tadeu.ps1) from an external server.

That script terminates active Chrome sessions, copies the user’s legitimate browser profile — including cookies and authentication tokens — and then deploys ChromeDriver and Selenium automation tools to hijack the victim’s WhatsApp Web session. Within minutes, the malware uses that session to message the victim’s entire contact list, sending the same infected ZIP file and multiplying the attack through trusted personal networks.

To the user, the only visible clue is a fake overlay titled “WhatsApp Automation v6.0.” Behind that banner, the malware quietly takes over the browser, reads messages, and exfiltrates contacts and credentials.

Once it confirms the system is located in Brazil — checking the local time zone, language, and date format — the loader drops its main payloads: SORVEPOTEL, which handles propagation and remote access, and Maverick, a banking trojan that monitors browser tabs for URLs belonging to major financial institutions.

When a banking URL appears, Maverick connects to a remote command-and-control server, retrieves a phishing page or overlay, and steals login data in real time. Its operators can pause, resume, or control the malware’s spread live — effectively managing a botnet built on social trust.

Researchers from multiple cybersecurity firms confirmed strong code overlap between Maverick and the older Coyote banking malware but note that Maverick introduces new propagation logic, more robust geofencing, and automation frameworks that make detection harder.

---

Infrastructure at Risk

• Financial Sector: Targeted credential theft and session hijacking against Brazil’s largest banks.
• Hospitality and Retail: Secondary infections observed in hotels, exposing payment systems and guest data.
• Enterprise Environments: Companies that use WhatsApp Web internally risk lateral infection through employee contact lists.
• Digital Identity Systems: Compromised cookies and tokens can be reused to bypass MFA protections and session validation.

---

Policy and Allied Response

Brazil’s Computer Emergency Response Team (CERT-BR) and partner institutions are expected to issue further guidance as telemetry expands. Financial institutions have already begun tightening MFA and session-replay protections. Messaging-platform providers face mounting pressure to detect automated traffic patterns on WhatsApp Web and restrict browser-profile re-use to prevent mass self-replication.

This campaign illustrates how the line between cyber and social engineering has vanished: the infection doesn’t travel through spam or exploit kits — it moves through people.

---

Vendor Defense / Mitigation

• Detection: Watch for PowerShell executions with encoded commands, ChromeDriver launches, or abrupt Chrome terminations followed by automation.
• Containment: Isolate infected machines, invalidate session tokens for WhatsApp and web banking, and enforce full password resets.
• Remediation: Delete malicious scripts, rebuild browser profiles from clean backups, reissue credentials, and enable hardware-based MFA wherever possible.
• Platform Countermeasures: Browser vendors and messaging platforms should enforce stricter session-token handling and flag automated WebDriver activity.

---

Forecast — 30 Days

• Maverick operators are expected to expand targeting during Brazil’s holiday season, exploiting increased online banking activity.
• Propagation methods could shift to other messaging platforms if WhatsApp enforces automation limits.
• Fraudulent transactions and credential-stuffing campaigns against Latin American financial institutions are likely to spike.
• Vendors will release updated detection signatures, but behavioral analytics will remain the most effective defense.

---

TRJ Verdict

Maverick is not a standard banking trojan — it’s the first large-scale malware to weaponize social connectivity as its core transport layer.
By fusing automation tools with human trust networks, it bypasses the noise of phishing campaigns and moves invisibly through real conversations.

This marks a shift from technical exploitation to behavioral exploitation — where the malware’s strength isn’t in code complexity but in credibility.
Defending against it will require more than antivirus updates; it will demand a new security culture that treats browser sessions, tokens, and human contact chains as critical infrastructure.

When malware learns to speak through people, the perimeter is no longer the machine — it’s the message.

---

---

---

---

---

---

🔥 NOW AVAILABLE! 🔥

‎👉 Eclipsera – Apple Music

---

---

---

---