Microsoft and NCSC issue alerts over hacker campaigns targeting WhatsApp, Signal messaging apps

Microsoft warns about a sophisticated attack that starts with WhatsApp messages, while the NCSC says such incidents are on the rise


Microsoft has issued a warning about a sophisticated new malware campaign targeting WhatsApp users.

Microsoft's security researchers spotted the WhatsApp campaign at the end of February. It delivers malicious Visual Basic Script (VBS) files and relies on social engineering to persuade victims to run them.

"Once executed, these scripts initiate a multi-stage infection chain designed to establish persistence and enable remote access," noted a blog post by the Microsoft Defender Security Research Team.

The attack blends into normal system activity by renaming legitimate Windows utilities, downloads its payloads from normally trustworthy cloud services, including AWS and Tencent, and then takes control of the system by installing malicious Microsoft Installer (MSI) packages.

"By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution," the post added.

If successful, attackers can escalate privileges and gain administrative control, giving them long-term access to compromised devices while attracting little attention.

To mitigate the risk, Microsoft advised blocking execution of script hosts from untrusted paths, and monitoring for Windows utilities that have been renamed or for hidden copies of them being executed.

More widely, Microsoft advised closer monitoring of traffic to cloud services and of registry changes, and, as ever, educating users about social engineering.

WhatsApp, Signal in the crosshairs

The advisory from the tech giant comes after the UK’s National Cyber Security Centre (NCSC) issued a similar warning to “high risk” individuals amid a fresh wave of attacks by state-backed threat actors.

According to the NCSC, hackers are flocking to popular messaging apps such as WhatsApp and Signal to conduct social engineering campaigns.

"The NCSC and international partners have seen growing malicious activity from Russia-based actors using messaging apps to target high-risk individuals," the security group said in a blog post.

The NCSC pointed to previous campaigns aimed at compromising government officials' accounts by the Chinese state-linked group APT31, as well as attempts by the Russia-linked threat group Star Blizzard.

Beyond government officials, the NCSC said that high-risk individuals include not only those with a public profile but anyone with "access to, or influence over, sensitive information".

These attacks can involve attempts to trick users into sharing login or account recovery codes, being added to unexpected group chats, impersonation of someone the target knows, and the usual phishing lures using dodgy links or QR codes.

The NCSC said attackers could also link their own device to a victim's account without the victim noticing.

Adam Boynton, Senior Enterprise Strategy Manager at Jamf, said the NCSC warning is a timely reminder that apps are only as secure as the device they are installed on — even if that app is well encrypted.

"Users often assume end-to-end encryption means end-to-end protection, but that’s not the case," Boynton said.

"If a device is compromised, or if a user is socially engineered into linking an attacker’s device to their account, encryption becomes irrelevant."

Staying safe

Be wary when messaging, regardless of the platform, the NCSC advised. Never share verification codes, don't click unexpected links or scan unexpected QR codes, and be aware that attackers may impersonate real contacts, so watch for unknown contacts or duplicate entries for people you already know.

To boost security in these apps, users are urged to enable two-step verification (Registration Lock in Signal) and, where WhatsApp and Signal offer them, to use passkeys, which are bound to the device.

Turn on disappearing messages where possible to limit what's lost if an attacker does get access.

"However, you should have regard to any applicable record keeping requirements," the NCSC noted.

The organisation advised against sharing sensitive information over consumer messaging apps, recommending corporate-approved messaging services instead. As ever, ensure devices are well secured and kept updated so that known security flaws are patched.

"For organizations with high-risk individuals, the lesson is clear: app-level security is not device-level security," added Boynton.

"Visibility into linked devices, enforced software updates, and ensuring sensitive communications happen on managed channels should already be baseline. The organisations best prepared for threats like these aren’t reacting to advisories — they’ve already built mobile security into their foundation."


Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.