La Era
Apr 16, 2026 · Updated 08:27 AM UTC
Cybersecurity

Microsoft Warns of WhatsApp Campaign Delivering Malicious Installer Packages

Microsoft researchers have identified a multi-stage cyberattack using WhatsApp to deploy malicious MSI packages. The campaign allows attackers to gain full remote control of victim machines and steal sensitive data.

Isabel Moreno

AI-generated illustration

Microsoft warned on Tuesday of a sophisticated cyberattack campaign that uses WhatsApp to deliver malicious Microsoft Installer (MSI) packages. The operation, which began in late February, relies on social engineering to trick users into executing scripts that grant attackers full control over their systems. That control lets the criminals read all local data and potentially deploy further malware.

The Multi-Stage Attack Chain

The attack begins when a user receives a WhatsApp message containing a malicious Visual Basic Script (VBS) file. According to a report by The Register, the attackers likely send these from compromised accounts so that the messages appear to come from known contacts. Once the user runs the file, the script creates hidden folders in the system's ProgramData directory.

To avoid detection, the malware employs a "living off the land" technique: it copies legitimate Windows utilities under different names. For instance, curl.exe is renamed to netapi.dll, and bitsadmin.exe is renamed to sc.exe. Because the tools themselves are legitimate, the malicious downloads blend in with ordinary network traffic and system processes.

"Notably, these renamed binaries retain their original PE (Portable Executable) metadata, including the OriginalFileName field which still identifies them as curl.exe and bitsadmin.exe," Microsoft researchers wrote in a Tuesday blog.

Infrastructure and Remote Access

The attackers use trusted cloud services, including AWS, Tencent Cloud, and Backblaze B2, to host the secondary payloads. Downloads from these providers look like ordinary enterprise cloud activity, which further obscures the attack. The malware then alters User Account Control (UAC) settings in an attempt to elevate its privileges and to persist after a system reboot.

In the final stage, the campaign deploys unsigned MSI installers such as Setup.msi and AnyDesk.msi. By using legitimate remote-access tools like AnyDesk, the attackers can hide in plain sight while maintaining a backdoor into the system. These tools enable the theft of corporate data or the deployment of ransomware on compromised networks.

Corporate Security Implications

This campaign highlights a growing trend where attackers shift from email-based phishing to encrypted messaging platforms to bypass traditional perimeter security. By leveraging the inherent trust users place in WhatsApp contacts, the attackers increase the success rate of their social engineering lures. This shift forces enterprises to reconsider the security boundaries of mobile devices used for work.

Microsoft recommends that organizations prioritize employee training to recognize suspicious attachments on non-traditional platforms. The company suggests that security solutions should specifically flag metadata discrepancies where a file name does not match its embedded original name. Such detection signals are critical for identifying "living off the land" attacks.
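The metadata discrepancy Microsoft describes (a binary whose on-disk name, such as netapi.dll, differs from the OriginalFilename still stored in its PE version resource, such as curl.exe) can be checked with a short script. The following PowerShell is an added example for defenders, not code from Microsoft's report; the search paths, the decision to skip files that carry no OriginalFilename, and the output fields are my assumptions.

```powershell
# Added example: flag executables and DLLs whose file name does not match the
# OriginalFilename recorded in their PE version resource. Search paths and
# output format are this example's assumptions, not Microsoft's guidance.

param(
    # The article says the hidden folders were created under ProgramData.
    [string[]]$Paths = @("$env:ProgramData")
)

function Get-OriginalNameMismatch {
    param([string[]]$SearchPaths)

    foreach ($root in $SearchPaths) {
        # -Force is required so that hidden folders and files are included.
        Get-ChildItem -Path $root -Recurse -Force -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            $orig = $info.OriginalFilename
            # Many legitimate files have no OriginalFilename at all; only compare when it is set.
            if ([string]::IsNullOrWhiteSpace($orig)) { return }

            # Compare without extensions and case-insensitively (-ne is case-insensitive
            # in PowerShell); some build tools store the name without ".exe".
            $expected = [System.IO.Path]::GetFileNameWithoutExtension($orig.Trim())
            $actual   = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
            if ($expected -ne $actual) {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [PSCustomObject]@{
                    Path             = $_.FullName
                    OnDiskName       = $_.Name      # e.g. netapi.dll or sc.exe
                    OriginalFilename = $orig        # e.g. curl.exe or bitsadmin.exe
                    Company          = $info.CompanyName
                    Signature        = $sig.Status  # renamed copies keep their original signature status
                    LastWrite        = $_.LastWriteTimeUtc
                }
            }
        }
    }
}

Get-OriginalNameMismatch -SearchPaths $Paths | Format-Table -AutoSize
```

Run it from an elevated prompt so that every folder under the search path is readable; a legitimate mismatch (for example a vendor that ships a renamed helper) is easy to recognise from the Company and Signature columns, while a Windows-signed curl.exe living in a hidden ProgramData folder under another name is the pattern the article describes.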

Future developments in this campaign may include more advanced obfuscation to hide PE metadata, making detection harder for tools like Microsoft Defender. Security professionals should monitor for unauthorized MSI installations and unexpected UAC prompts. The industry continues to watch how Meta-owned WhatsApp responds to these persistent exploitation vectors.
