La Era
Apr 14, 2026 · Updated 03:28 PM UTC
Cybersecurity

Microsoft Warns of WhatsApp Campaign Delivering Malicious MSI Packages

Cybercriminals are using a multi-stage attack delivered over WhatsApp to gain full control of victim machines. The campaign abuses legitimate Windows tools and legitimate cloud hosting to evade detection, and it depends on social engineering rather than a software vulnerability to get its first foothold.

Isabel Moreno



Microsoft researchers issued a warning on Tuesday about a cyberattack campaign that uses WhatsApp to deliver malicious Microsoft Installer (MSI) packages. The operation, which began in late February, lets attackers seize control of victim machines and access sensitive data. The attack chain begins with a WhatsApp message carrying a malicious Visual Basic Script (VBS) file that the recipient must open and run.

Technical Execution and "Living off the Land"

Once a user executes the initial script, the malware creates hidden folders in the system's ProgramData directory and drops renamed copies of legitimate Windows utilities there. For example, the attackers renamed curl.exe to netapi.dll and bitsadmin.exe to sc.exe. This technique, known as "living off the land," lets criminals download and run later stages with trusted, Microsoft-signed system tools instead of custom malware, so the activity blends in with normal behaviour on the host and on the network.

However, Microsoft noted an operational mistake in the attackers' tradecraft. The renamed binaries retained their original Portable Executable (PE) version metadata, so the OriginalFilename field still identified them as curl.exe and bitsadmin.exe. That mismatch between the on-disk filename and the embedded metadata is a detection signal security solutions such as Microsoft Defender can use to flag the files as suspicious. Notably, renaming does not break a file's Authenticode signature, which covers the file content rather than its name, so a signature check alone would have reported the copies as valid Microsoft binaries.
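Turning that metadata mismatch into a hunt, as an added example (this is not Microsoft's code and was not part of the original post): the PowerShell below walks a directory, reads each PE file's version resource and reports every file whose on-disk name disagrees with its OriginalFilename. The default path follows the article's mention of ProgramData; the function name, the output columns and the idea of also recording signature status are this example's own choices.

```powershell
# Added example, not from Microsoft's post: hunt for renamed Windows utilities by
# comparing each PE file's on-disk name with the OriginalFilename string in its
# version resource. Default path (ProgramData) follows the article; the function
# name and output shape are this example's own.
function Find-RenamedBinaries {
    [CmdletBinding()]
    param(
        [string]$Path = $env:ProgramData
    )

    Get-ChildItem -Path $Path -Recurse -Force -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $vi   = $file.VersionInfo
            $orig = $vi.OriginalFilename

            # A file with no version resource cannot be judged this way; skip it.
            if ([string]::IsNullOrWhiteSpace($orig)) { return }

            # -ne is case-insensitive in PowerShell, so CURL.EXE vs curl.exe is not a
            # hit, but curl.exe sitting on disk as netapi.dll is.
            if ($orig.Trim() -ne $file.Name) {
                # Renaming leaves the Authenticode signature valid (it covers the file
                # content, not the name), so a renamed system binary still shows Valid.
                $sig = Get-AuthenticodeSignature -FilePath $file.FullName
                [pscustomobject]@{
                    Path             = $file.FullName
                    OnDiskName       = $file.Name
                    OriginalFilename = $orig
                    InternalName     = $vi.InternalName
                    SignatureStatus  = $sig.Status
                    Signer           = $sig.SignerCertificate.Subject
                    Hidden           = (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                }
            }
        }
}

# Usage:
#   Find-RenamedBinaries | Format-Table -AutoSize
#   Find-RenamedBinaries -Path 'C:\Users\Public' | Export-Csv renamed.csv -NoTypeInformation
```

Treat each hit as a triage lead rather than a verdict: legitimate software occasionally ships files whose OriginalFilename differs from the installed name, so review the signer, the location (a hidden folder under ProgramData is far more interesting than a vendor's install directory) and what launched the file. The same `Get-AuthenticodeSignature` call applied to `*.msi` files in the same folders is a quick way to spot the unsigned installers from the campaign's final stage.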

Multi-Stage Payload Delivery

The attackers use these renamed binaries to download secondary VBS payloads from legitimate cloud storage services, including AWS, Tencent Cloud, and Backblaze B2, so the downloads are hard to distinguish from ordinary business traffic. After the initial breach, the malware attempts to alter User Account Control (UAC) settings so that it can launch the command prompt with elevated privileges, and it establishes persistence so that it survives a system reboot and remains on the device.
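Two checks a responder would run on a suspect host after reading that paragraph, as an added example (not Microsoft's code and not part of the original post): the first reports the standard UAC policy values that have been pushed to their insecure setting, the second lists what is queued in the BITS service, since bitsadmin.exe schedules its downloads through BITS whatever the binary is called. The article does not name which UAC values the malware changes; the registry values and defaults below are the documented UAC policy settings, and the function names and output columns are this example's own.

```powershell
# Added example, not from Microsoft's post. The article says the malware alters UAC
# settings but does not say which; these are the standard UAC policy values under the
# System policies key and their documented defaults. Function names are this example's.
function Get-UacPosture {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key

    # For all three values 0 is the insecure setting an attacker wants.
    $settings = @(
        @{ Name = 'EnableLUA';                 Default = 1; Risk = '0 disables UAC; admin processes run fully elevated' }
        @{ Name = 'ConsentPromptBehaviorAdmin'; Default = 5; Risk = '0 elevates silently with no consent prompt' }
        @{ Name = 'PromptOnSecureDesktop';     Default = 1; Risk = '0 draws the prompt on the normal desktop, where it can be spoofed' }
    )

    foreach ($s in $settings) {
        $actual = $props.($s.Name)
        if ($null -eq $actual) { $actual = $s.Default }   # absent value: the default applies
        [pscustomobject]@{
            Setting  = $s.Name
            Actual   = $actual
            Default  = $s.Default
            Changed  = ($actual -ne $s.Default)
            Weakened = ($actual -eq 0)
            Risk     = $s.Risk
        }
    }
}

# bitsadmin.exe, renamed or not, creates jobs in the BITS service, so the job queue
# records the remote URL and the local drop path. -AllUsers needs an elevated prompt.
function Get-BitsDownloadJobs {
    Import-Module BitsTransfer -ErrorAction Stop
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($f in $_.FileList) {
            [pscustomobject]@{
                JobName   = $_.DisplayName
                State     = $_.JobState
                Owner     = $_.OwnerAccount
                RemoteUrl = $f.RemoteName
                LocalPath = $f.LocalName
            }
        }
    }
}

# Usage:
#   Get-UacPosture | Where-Object Weakened
#   Get-BitsDownloadJobs | Format-Table -AutoSize
```

A UAC value that is merely `Changed` may be a deliberate hardening by the organisation (the consent-prompt values 1 through 4 are stricter than the default); `Weakened` is the column to alert on. The BITS queue only shows jobs that have not completed and been removed, so for a transfer that already finished look at the Microsoft-Windows-Bits-Client/Operational event log instead, which records each job with its remote URL.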

In the final stage, the attackers deploy unsigned MSI installers disguised as common software such as AnyDesk, WinRAR, and LinkPoint. Once installed, they give the attackers remote access to the infected system, enabling the theft of data or the deployment of more destructive software such as ransomware. According to The Register, the use of a real tool like AnyDesk helps the attackers hide in plain sight, since the same software is often legitimately present on corporate endpoints.

The Role of Social Engineering

This campaign highlights the increasing reliance on social engineering to bypass technical defenses. Attackers likely use compromised WhatsApp sessions so that messages appear to come from known contacts, or use urgent lures to prompt quick action. The method exploits the trust users place in encrypted messaging platforms: end-to-end encryption protects a message in transit, but it says nothing about whether the attachment, or the account that sent it, is safe.

"Train employees to recognize suspicious WhatsApp attachments and unexpected messages, reinforcing that even familiar platforms can be exploited for malware delivery," Microsoft advised in a blog post.

Broader Cybersecurity Implications

This incident reflects a broader shift in which attackers move away from custom malware in favor of legitimate software and cloud infrastructure to evade detection. By hosting payloads on trusted providers like AWS, criminals make it significantly harder for enterprise security teams to separate ordinary business downloads from malicious ones on the basis of destination alone.

Organizations should prioritize employee training alongside technical controls: restricting which script hosts and installers users can run, and zero-trust policies that do not extend trust to a download simply because it arrives from a well-known cloud provider. Security professionals will likely monitor for similar patterns involving the abuse of MSI packages and of messaging apps as a delivery channel for corporate espionage or financial gain.
