Banking Trojans Go Viral: WhatsApp Worm Spreads Astaroth Across Brazil Through Contact Auto-Messaging

By Signal, January 9, 2026
A new WhatsApp-based worm is automatically spreading the Astaroth banking trojan across Brazil by harvesting victims' contact lists and sending malicious messages to every person they know. The campaign, dubbed "Boto Cor-de-Rosa" by researchers, represents a significant evolution in social engineering tactics, weaponizing trust relationships to achieve viral-like malware distribution at unprecedented scale.

Unlike traditional phishing campaigns that rely on casting wide nets with spam emails, this attack leverages the inherent trust people place in messages from known contacts. When victims receive malicious ZIP files from friends or family members via WhatsApp, they're far more likely to open them, creating a self-propagating infection cycle that has primarily devastated Brazil's financial sector.

## What Happened

The Astaroth banking trojan, active since 2015, has gained a powerful new distribution mechanism through a Python-based WhatsApp worm module. According to research from Acronis Threat Research Unit, the malware now automatically extracts victims' WhatsApp contact lists and sends malicious ZIP archives to every contact, creating a worm-like propagation pattern that spreads through social networks at machine speed.

The attack begins when targets receive seemingly innocuous ZIP files through WhatsApp messages. These archives contain Visual Basic Scripts disguised as legitimate files. Once extracted and executed, the script downloads two distinct modules that work in tandem to maximize both spread and financial impact.

The first module focuses entirely on propagation. Written in Python, it accesses the victim's WhatsApp data, extracts their complete contact list, and automatically forwards the malicious ZIP file to every contact. This creates an exponential spread pattern where each new victim becomes an unwitting distributor to their own network of trusted contacts.

The second module handles the core banking trojan functionality. This background component continuously monitors web browsing activity and activates when victims visit banking websites. It captures login credentials, transaction details, and other financial information, enabling threat actors to conduct unauthorized transactions or sell the data on underground markets.

Multiple security firms have tracked related campaigns. Sophos identified a parallel operation called STAC3150 that has been active since September 2024, with over 95% of infections concentrated in Brazil. Trend Micro also documented similar WhatsApp-based distribution of banking trojans including Maverick and Casbaneiro variants by the Water Saci threat group.

The malware authors have implemented sophisticated tracking mechanisms to monitor their campaign's effectiveness. The code logs real-time statistics including successful message deliveries, failed attempts, and transmission rates measured in messages per minute, allowing operators to optimize their distribution strategy.

## Why It Matters

This campaign represents a fundamental shift in malware distribution that security professionals must understand and prepare for. Traditional email-based phishing faces increasing resistance from spam filters, security awareness training, and user skepticism about unsolicited messages. By pivoting to WhatsApp and exploiting existing trust relationships, threat actors have found a way around these defensive measures.

The choice of Brazil as the primary target reflects both opportunity and infrastructure realities. WhatsApp enjoys massive adoption rates in Brazil, with the platform serving as a primary communication method for both personal and business interactions. This widespread usage creates an ideal environment for worm propagation, as most potential victims have extensive contact lists filled with trusted relationships.

The banking sector implications are particularly severe. Brazilian financial institutions face a sophisticated threat that combines social engineering with automated distribution at unprecedented scale. Unlike traditional banking trojans that might infect individual machines through email attachments, this worm can spread through entire social networks within hours, potentially compromising thousands of online banking customers simultaneously.

The modular architecture also signals a concerning trend in malware development. The core Astaroth payload remains in Delphi, the installer uses Visual Basic Script, and the new worm functionality is written in Python. This multi-language approach allows threat actors to leverage the best tools for each component while making analysis and detection more difficult for security researchers.

Financial institutions must also grapple with the reputational damage potential. When customers receive malicious files from trusted contacts, they may blame their banks for inadequate security rather than understanding the sophisticated social engineering at play. This can erode confidence in digital banking services and push users toward less secure alternatives.

The automated nature of the propagation creates investigative challenges for law enforcement. Traditional botnet takedowns often focus on command and control infrastructure, but WhatsApp-based distribution relies on legitimate messaging platform infrastructure that cannot simply be shut down.

## What To Do

Security teams must implement multi-layered defenses that account for this new attack vector. Traditional email security measures provide no protection against WhatsApp-based malware distribution, requiring organizations to rethink their security awareness and incident response strategies.

Employee education programs need immediate updates to address messaging app threats. Security awareness training must emphasize that malicious files can arrive through any communication channel, including trusted messaging platforms and known contacts. Users should be taught to verify unexpected file attachments through secondary communication channels before opening them, even when they appear to come from family members or colleagues.

Financial institutions should enhance their fraud detection capabilities to identify accounts showing signs of Astaroth infection. The trojan's web browsing monitoring and credential harvesting behaviors create detectable patterns in user account activity. Banks should implement additional authentication factors for high-value transactions and flag unusual access patterns for investigation.

Endpoint detection and response tools require tuning to identify the specific behaviors associated with WhatsApp worm propagation. Security teams should monitor for unauthorized access to messaging app data, unusual file transmission patterns, and the presence of multi-language malware components. Network monitoring should flag bulk message transmission activities that deviate from normal user patterns.

Organizations operating in Brazil or serving Brazilian customers should implement enhanced monitoring for Astaroth indicators of compromise. These include specific registry modifications, network communication patterns, and file system artifacts associated with the trojan's banking module. Threat intelligence feeds should be updated to include WhatsApp-based distribution indicators.

Incident response procedures need updates to address the unique characteristics of worm propagation through messaging platforms. When Astaroth infections are identified, security teams must quickly assess whether the malware has accessed messaging data and potentially determine the scope of automatic propagation to the victim's contacts.
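The "bulk message transmission" pattern the article asks monitoring teams to flag is concrete enough to encode as a detection rule. The script below is an added example, not code from the article's author or from Acronis, Sophos or Trend Micro. It assumes a constructed, line-oriented export of outbound message events (`timestamp|user|app|recipient|attachment`) from an endpoint or DLP agent; that format, the sample lines and the thresholds are assumptions. It flags a user who sends the same attachment to many distinct recipients in a short window at machine-speed rates, which is the fan-out signature of the worm module described above, while leaving ordinary one-to-one sharing alone.

```python
"""Detect worm-style attachment fan-out in outbound messaging telemetry.

Added example for this article; it is not code from the article's author,
Acronis, Sophos or Trend Micro. It assumes a constructed, line-oriented
export of outbound message events (timestamp|user|app|recipient|attachment)
from an endpoint or DLP agent; that format and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# --- constructed sample telemetry (not real data) ---------------------------
_NORMAL = [
    "2026-01-09T10:00:01|alice|whatsapp|bob|holiday.jpg",
    "2026-01-09T10:03:10|alice|whatsapp|carol|",           # text only, no file
    "2026-01-09T10:15:00|alice|whatsapp|dave|report.pdf",
    "2026-01-09T10:20:00|alice|whatsapp|bob|report.pdf",
]
# A worm-like burst: one user sends the same archive to 12 distinct contacts
# within ~20 seconds, far faster than a person picks recipients by hand.
_BURST = [
    f"2026-01-09T11:00:{2 * i:02d}|victim|whatsapp|contact{i:02d}|fotos.zip"
    for i in range(12)
]
SAMPLE_LOG = "\n".join(_NORMAL + _BURST) + "\n"


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    app: str
    recipient: str
    attachment: str          # empty string when the message carried no file


@dataclass
class Alert:
    user: str
    app: str
    attachment: str
    recipients: int          # distinct recipients of that file in the window
    rate_per_minute: float   # messages per minute across the window
    window_start: datetime
    window_end: datetime


def parse_line(line: str) -> Event:
    """Split one pipe-delimited telemetry line into an Event."""
    ts, user, app, recipient, attachment = line.rstrip("\n").split("|", 4)
    return Event(datetime.fromisoformat(ts), user, app, recipient, attachment)


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_fanout(events, window=timedelta(minutes=5),
                  min_recipients=8, min_rate=4.0) -> list[Alert]:
    """Return one Alert per (user, app, attachment) whose sends reach
    `min_recipients` distinct recipients inside any `window`-long span at
    `min_rate` or more messages per minute. Thresholds are assumed values
    to be tuned against a site's own baseline."""
    groups = defaultdict(list)
    for e in events:
        if e.attachment:                      # only file-bearing messages
            groups[(e.user, e.app, e.attachment)].append(e)

    alerts = []
    for (user, app, att), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        best: Optional[Alert] = None
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1                    # slide the window forward
            span = evs[start:end + 1]
            recipients = {e.recipient for e in span}
            minutes = (evs[end].ts - evs[start].ts).total_seconds() / 60
            # Floor the span at one minute: a sub-minute burst is counted
            # per minute, and a single send cannot divide by zero.
            rate = len(span) / max(minutes, 1.0)
            if len(recipients) >= min_recipients and rate >= min_rate:
                cand = Alert(user, app, att, len(recipients), rate,
                             evs[start].ts, evs[end].ts)
                # keep the widest window seen for this (user, app, file)
                if best is None or cand.recipients > best.recipients:
                    best = cand
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse_log(SAMPLE_LOG)):
        print(f"{a.user} sent {a.attachment!r} to {a.recipients} contacts "
              f"via {a.app} at {a.rate_per_minute:.1f} msg/min "
              f"({a.window_start:%H:%M:%S}-{a.window_end:%H:%M:%S})")
```

Keying the window on the attachment as well as the sender is what separates a worm from a chatty user: a person may message twenty people in five minutes, but sending the identical archive to a dozen distinct contacts at a dozen messages per minute is the contact-list replay the article describes. In production the event source would be the messaging gateway, a DLP agent, or a mobile device management export, and the recipient threshold should be set from the observed per-user baseline rather than the assumed value here.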
For individual users, particularly in Brazil, immediate protective measures include enabling two-factor authentication on all financial accounts, avoiding the execution of unexpected file attachments regardless of source, and maintaining up-to-date antivirus protection with behavioral analysis capabilities. Users should also consider limiting the amount of personal information stored in messaging applications to reduce data exposure risks.

## Moving Forward

The WhatsApp worm technique pioneered by Astaroth operators will likely inspire imitators across the cybercriminal ecosystem. Security professionals should expect similar campaigns targeting other regions with high messaging app adoption rates. The fundamental approach of weaponizing trust relationships through automated contact harvesting and message distribution represents a significant evolution in social engineering tactics that will require sustained defensive innovation.

Organizations must begin treating messaging platforms as potential malware distribution vectors requiring the same level of security consideration traditionally reserved for email systems. This shift demands updated security policies, enhanced monitoring capabilities, and revised user education programs that address the reality of modern communication patterns.