La Era
Apr 16, 2026 · Updated 08:31 AM UTC

Microsoft Warns of WhatsApp Campaign Delivering Malicious MSI Packages

Cybercriminals are using social engineering via WhatsApp to deploy remote-access malware on Windows machines. The multi-stage attack leverages legitimate system tools to bypass security and steal sensitive data.

Isabel Moreno



Microsoft researchers issued a warning on Tuesday regarding a sophisticated cyberattack campaign that uses WhatsApp to deliver malicious Microsoft Installer (MSI) packages. The campaign, which began in late February, tricks users into executing scripts that grant attackers full control over infected machines. This breach allows criminals to access private data and deploy further malware across compromised networks.

Living off the Land Techniques

The attack chain begins with a WhatsApp message containing a malicious Visual Basic Script (VBS) file. Once executed, the script creates hidden folders in the system directory and drops renamed versions of legitimate Windows utilities, such as curl.exe and bitsadmin.exe. By using authentic system tools for malicious purposes, attackers employ a strategy known as "living off the land" to blend in with normal network traffic.

Microsoft noted a critical error made by the attackers during this process. The renamed binaries retain their original metadata, which allows security software to detect the discrepancy between the filename and the embedded identity. This signal enables Microsoft Defender and other security solutions to flag the files as threats.

Multi-Stage Payload Delivery

Attackers use these renamed binaries to download secondary payloads from trusted cloud services, including AWS, Tencent Cloud, and Backblaze B2. The malware then attempts to alter User Account Control (UAC) settings to gain elevated privileges, ensuring the infection survives a system reboot. This escalation is a prerequisite for the final stage of the attack.

In the final phase, the attackers deploy unsigned MSI installers disguised as common software like AnyDesk, WinRAR, and LinkPoint. These installers provide remote access to the victim's system, facilitating data theft or the installation of ransomware. Because the attackers use real tools like AnyDesk, the activity often appears legitimate to an untrained observer.

"Train employees to recognize suspicious WhatsApp attachments and unexpected messages, reinforcing that even familiar platforms can be exploited for malware delivery," Microsoft advised in its security blog.

Implications for Enterprise Security

This campaign highlights a growing trend where attackers move away from custom malware in favor of legitimate software to evade detection. By exploiting the trust users place in messaging apps and cloud providers, criminals bypass traditional perimeter defenses. This shift places a higher premium on endpoint detection and user behavior analysis.

Corporate entities are now urged to prioritize employee training to counter social engineering, as technical barriers alone are often insufficient. Organizations should monitor for unsigned MSI installations and unexpected changes to UAC settings. Future security developments will likely focus on more rigorous verification of file metadata to combat "living off the land" tactics.
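The following PowerShell script is an added example, not code from this article or from Microsoft's report. It implements the detection signals the article describes: the filename-versus-embedded-metadata mismatch from the "Living off the Land" section, unsigned MSI files, and UAC settings that have drifted from their defaults. The scan paths and the baseline UAC values are assumptions for illustration.

```powershell
# Added example, not code from the Microsoft report or this article. Checks three signals the
# text describes: executables whose on-disk name differs from their embedded OriginalFilename,
# MSI files without a valid Authenticode signature, and UAC registry values that differ from
# the Windows defaults. Scan paths and the baseline values are assumptions. Run elevated.

function Find-RenamedBinaries {
    param([string]$Path = $env:SystemRoot)   # assumption: where renamed copies were dropped
    Get-ChildItem -Path $Path -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $orig = $_.VersionInfo.OriginalFilename
            # Compare only when the resource is present (-ne is case-insensitive). Some
            # legitimate files also mismatch, so treat hits as triage candidates, not verdicts.
            if ($orig -and ($orig -ne $_.Name)) {
                [pscustomobject]@{ Path = $_.FullName; OnDiskName = $_.Name; OriginalFilename = $orig }
            }
        }
}

function Find-UnsignedMsi {
    param([string]$Path = $env:TEMP)   # assumption: a typical download/drop location
    Get-ChildItem -Path $Path -Recurse -Filter '*.msi' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Path = $_.FullName; SignatureStatus = $sig.Status }
            }
        }
}

function Test-UacSettings {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Baseline = Windows default values (assumption; substitute your own hardening baseline).
    $expected = @{
        EnableLUA                  = 1   # 0 turns UAC off entirely
        ConsentPromptBehaviorAdmin = 5   # 0 elevates administrators without any prompt
        PromptOnSecureDesktop      = 1   # 0 lets ordinary windows overlay the prompt
    }
    $actual = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        if ($actual.$name -ne $expected[$name]) {
            [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual.$name }
        }
    }
}

Find-RenamedBinaries | Format-Table -AutoSize
Find-UnsignedMsi     | Format-Table -AutoSize
Test-UacSettings     | Format-Table -AutoSize
```

A renamed copy of curl.exe or bitsadmin.exe shows up in the first table with its real OriginalFilename, which is exactly the discrepancy the article says gave the campaign away.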
