La Era
Apr 14, 2026 · Updated 03:28 PM UTC
Cybersecurity

Microsoft Warns of WhatsApp Campaign Delivering Malicious MSI Packages

Cybercriminals are leveraging WhatsApp to deploy multi-stage attacks that grant remote control over victim machines. Microsoft researchers identified the use of legitimate Windows tools to bypass security detection.

Isabel Moreno



Microsoft researchers issued a warning on Tuesday regarding a sophisticated cyberattack campaign using WhatsApp to deliver malicious Microsoft Installer (MSI) packages. The operation, which began in late February, employs social engineering to trick users into executing files that grant attackers full remote access to compromised systems. This breach allows criminals to steal sensitive data or deploy further malware, such as ransomware.

Technical Execution and Detection Gaps

The attack chain initiates with a WhatsApp message containing malicious Visual Basic Script (VBS) files. Attackers likely use compromised accounts to impersonate known contacts or create a false sense of urgency to prompt the recipient to open the attachment. Once executed, the script creates hidden folders in the system directory and drops renamed versions of legitimate Windows utilities.

To avoid detection, the attackers use a technique known as "living off the land," where they rename tools like curl.exe and bitsadmin.exe to blend in with normal network activity. However, Microsoft noted that these binaries retain their original metadata, providing a critical signal for security software. This discrepancy allows tools like Microsoft Defender to flag files when the name does not match the embedded original filename.

Deployment of Remote Access Tools

After establishing a foothold, the malware downloads secondary payloads from trusted cloud services, including AWS, Tencent Cloud, and Backblaze B2. The attackers then attempt to elevate system privileges by altering User Account Control (UAC) settings to ensure the malware survives a system reboot. This phase prepares the environment for the final deployment of the malicious installers.

Microsoft identified several fraudulent installers used in the final stage, including Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi. While some of these mimic legitimate software like AnyDesk, the researchers found that none of the final payloads are digitally signed. This lack of a signature serves as a primary indicator for defenders that the software is unauthorized.
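The two signals described above, a binary whose on-disk name does not match the OriginalFilename in its version resource and an installer with no valid Authenticode signature, can be checked directly on an endpoint. The following is an added example for defenders, not Microsoft's or Defender's own detection logic; the scan paths in the usage lines are assumptions.

```powershell
# Added example (not from the original article). Flags PE files whose file name
# differs from the OriginalFilename stored in their version resource, which is the
# discrepancy left behind when curl.exe or bitsadmin.exe is copied under a new name.
function Find-RenamedBinaries {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $orig = $_.VersionInfo.OriginalFilename
            if (-not $orig) { return }                       # no version resource, nothing to compare
            $orig = ($orig.Trim() -replace '\.mui$', '')     # MUI resources append .mui to the name
            # -ne is case-insensitive in PowerShell, so case-only differences are ignored.
            if ($orig -ne $_.Name) {
                [pscustomobject]@{
                    File             = $_.FullName
                    OriginalFilename = $orig
                    Hidden           = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                }
            }
        }
}

# Flags MSI packages whose Authenticode signature is missing or not valid.
# The article notes that none of the campaign's final installers were signed.
function Find-UnsignedInstallers {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    File   = $_.FullName
                    Status = $sig.Status                       # NotSigned, HashMismatch, etc.
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
        }
}

# Usage (paths are assumptions; point them at the locations relevant to your investigation).
Find-RenamedBinaries   -Path "$env:ProgramData" | Format-Table -AutoSize
Find-UnsignedInstallers -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Expect some benign hits: vendors occasionally ship binaries whose OriginalFilename differs from the shipped name, so treat a mismatch as a lead to triage (especially in a hidden folder) rather than a verdict.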

The Growing Risk of Social Engineering

This campaign highlights a broader trend where attackers move away from custom malware in favor of legitimate tools to evade security perimeters. By utilizing trusted platforms like WhatsApp and cloud hosting services, criminals reduce the likelihood of being blocked by traditional firewalls. This shift places a higher burden on the end-user to identify suspicious activity.

"Train employees to recognize suspicious WhatsApp attachments and unexpected messages, reinforcing that even familiar platforms can be exploited for malware delivery," Microsoft advised in its report.

Implications for Enterprise Security

As remote work persists, the blurring line between personal messaging apps and professional environments creates new vulnerabilities for corporations. The ability of attackers to gain remote control over a machine can lead to massive data exfiltration or the total encryption of corporate networks. Companies must now treat mobile messaging as a primary attack vector.

Security analysts expect a rise in these multi-stage attacks as criminals refine their social engineering tactics. Organizations are encouraged to implement stricter endpoint detection and response (EDR) policies and prioritize employee cybersecurity training. The industry will likely see a push for more robust verification of unsigned installers across corporate networks.
