A Stealthy Serpent in Your Chats: The Boto Cor-de-Rosa Campaign Unveiled
A sophisticated new cyber campaign, codenamed “Boto Cor-de-Rosa” by Acronis Threat Research Unit, is leveraging the ubiquitous WhatsApp messaging platform to unleash the notorious Astaroth banking trojan across Brazil. This alarming development highlights a growing trend among threat actors to exploit popular communication channels, turning trusted contacts into unwitting vectors for widespread financial fraud.
How the WhatsApp Worm Infiltrates and Spreads Its Malice
The Deceptive Lure
The campaign begins with a seemingly innocuous ZIP archive distributed via WhatsApp messages. Once a victim extracts and opens this archive, they encounter a Visual Basic Script cleverly disguised as a benign file. Executing this script is the critical misstep, triggering the download of subsequent malicious components and initiating the full compromise of the system.
Multi-Language Modular Components: A Dual Threat
Cybersecurity researchers note the threat actors’ increasing reliance on multi-language modular components, showcasing a sophisticated approach. While the core Astaroth payload, also known as Guildma, remains rooted in Delphi and its installer uses Visual Basic script, the newly integrated WhatsApp-based worm module is entirely implemented in Python. This modularity allows for specialized functions:
- Python-based Propagation Module:
This insidious component automatically retrieves the victim’s WhatsApp contact list and then sends malicious messages, containing the same deceptive ZIP file, to each contact. This effectively transforms the victim’s device into a node for a self-propagating worm, ensuring rapid and extensive spread of the malware.
- Banking Module: Operating silently in the background, this module vigilantly monitors the victim’s web browsing activity. When banking-related URLs are visited, it springs into action, harvesting sensitive credentials and enabling the attackers to achieve significant financial gain.
Tracking the Tally of Compromise
Adding another layer of sophistication, the malware author has implemented a built-in mechanism to track and report propagation metrics in real time. This includes logging statistics such as the number of messages successfully delivered, failed attempts, and the sending rate, providing the attackers with crucial insights into the effectiveness and reach of their campaign.
Astaroth’s Persistent Shadow and a Growing Trend in Brazil
Astaroth, or Guildma, is a long-standing banking malware, first detected in 2015, with a primary focus on users in Latin America, particularly Brazil, for data theft. In recent years, threat clusters like PINEAPPLE and Water Makara have been observed using phishing emails to propagate this malware. However, the shift to WhatsApp as a delivery vehicle marks a significant escalation, fueled by the messaging platform’s widespread use in Brazil.
This isn’t an isolated incident. The use of WhatsApp for banking trojan distribution is a tactic gaining alarming traction. Last month, Trend Micro detailed how Water Saci relied on WhatsApp to spread Maverick and a variant of Casbaneiro. Similarly, Sophos reported on a multi-stage malware distribution campaign, STAC3150, targeting WhatsApp users in Brazil with Astaroth itself, active since at least late 2025. The impact is heavily concentrated, with over 95% of affected devices located in Brazil, followed by a lesser extent in the U.S. and Austria.
The latest findings from Acronis underscore this dangerous trend, where malicious ZIP files delivered through WhatsApp messages serve as the initial infection vector, leading to a sophisticated, multi-stage compromise.
Protecting Yourself: Vigilance is Key
As cybercriminals continue to innovate their attack vectors, user vigilance becomes paramount. Always exercise extreme caution with unsolicited messages, even if they appear to come from known contacts. Verify the legitimacy of any attachments before opening them, and ensure your cybersecurity software is up-to-date. The digital landscape demands constant awareness to safeguard your personal and financial information from these evolving threats.
For more details, visit our website.
Source: Link
