According to the latest report from Trustwave's cybersecurity research team SpiderLabs, cryptocurrency holders in Brazil need to be wary of a complex hacking operation that spreads malware containing hijacking worms and banking trojans through WhatsApp messages.
SpiderLabs states that the banking trojan, known as "Eternidade Stealer," spreads through social engineering on messaging apps like WhatsApp, using lures such as "fake government projects, delivery notifications," messages from friends, and fake investment groups.
SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi pointed out, "WhatsApp remains one of the most abused communication channels in Brazil's cybercrime ecosystem. Over the past two years, threat actors have continuously optimized their strategies, leveraging the platform's immense popularity to distribute banking trojans and information-stealing malware."
In simple terms, clicking on a worm link in WhatsApp triggers a chain reaction, causing the victim to be infected with both the worm and the banking trojan simultaneously.
The worm hijacks accounts and retrieves the victim's contact list. It employs a "smart filtering" feature that automatically ignores business contacts and groups, allowing it to more efficiently target personal contacts for spreading.
Meanwhile, the banking trojan is automatically downloaded as a file to the infected device and deploys Eternidade Stealer in the background, which can scan for financial data and login credentials covering multiple local Brazilian banks, fintech companies, and cryptocurrency exchanges and wallets.
The malware also has a clever method to avoid detection or shutdown. Instead of using a fixed server address, it logs into pre-set Gmail accounts and checks them for new commands. This allows the hackers to change commands simply by sending new emails.
"A notable feature of this malware is that it uses hardcoded credentials to log into its email accounts, from which it retrieves its C2 server. This is a very clever way to update its C2, maintain persistence, and evade detection or shutdown at the network level. If the malware cannot connect to the email account, it will use hardcoded backup C2 addresses," the report states.
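For defenders, the email-based C2 lookup and its fallback described above can be hunted for in endpoint connection logs. The following is an added example, not code from the SpiderLabs report; the log format, process names, port list, approved-client list and the `c2-backup.example` host are all constructed assumptions.

```python
import csv
from datetime import datetime, timedelta

# Assumptions (not from the report): mail is fetched over IMAP/POP3 ports,
# and these process names are the only approved mail clients on the fleet.
MAIL_PORTS = {143, 993, 110, 995}
APPROVED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
FALLBACK_WINDOW = timedelta(seconds=60)

# Constructed sample connection log: time,host,process,dest,port,status
SAMPLE_LOG = """\
2025-01-10T09:00:00,ws-01,outlook.exe,imap.gmail.com,993,ok
2025-01-10T09:01:00,ws-02,updater.exe,imap.gmail.com,993,ok
2025-01-10T09:05:00,ws-03,svc_host32.exe,imap.gmail.com,993,failed
2025-01-10T09:05:20,ws-03,svc_host32.exe,c2-backup.example,443,ok
2025-01-10T09:30:00,ws-04,chrome.exe,mail.google.com,443,ok
"""

def find_mail_c2_candidates(log_text):
    """Return alerts for unapproved processes that fetch mail, and for the
    connection such a process makes right after a failed mail login."""
    alerts = []
    last_failed = {}  # (host, process) -> time of the failed mail connection
    fields = ["time", "host", "process", "dest", "port", "status"]
    for row in csv.DictReader(log_text.splitlines(), fieldnames=fields):
        ts = datetime.fromisoformat(row["time"])
        key = (row["host"], row["process"].lower())
        if int(row["port"]) in MAIL_PORTS:
            if key[1] in APPROVED_MAIL_CLIENTS:
                continue
            alerts.append(("mail-fetch", row["host"], row["process"], row["dest"]))
            if row["status"] != "ok":
                last_failed[key] = ts
        elif key in last_failed and ts - last_failed.pop(key) <= FALLBACK_WINDOW:
            # Matches the described fallback: mailbox unreachable, then a
            # direct connection to another address shortly afterwards.
            alerts.append(("fallback", row["host"], row["process"], row["dest"]))
    return alerts

if __name__ == "__main__":
    for alert in find_mail_c2_candidates(SAMPLE_LOG):
        print(alert)
```

Browser webmail over port 443 is deliberately not flagged; the signal is a non-mail process speaking a mail retrieval protocol directly.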
According to data from cryptocurrency analysis platform Chainalysis, Brazil is the largest cryptocurrency adopter in Latin America and ranks fifth in the company's 2025 Global Cryptocurrency Adoption Index.
The index is based on the usage of different types of cryptocurrency services in various countries and considers other factors, including population size and purchasing power.
For users of applications like WhatsApp, it is crucial to remain highly vigilant about any links received, even if the sender appears trustworthy.
A practical approach is to contact the other party separately on other applications to confirm whether the link is safe, and to be especially cautious of links that appear suddenly and lack background explanation.
Timely software updates help prevent attacks targeting vulnerabilities in older versions, while antivirus software may also assist in identifying potential issues.
If an attack does succeed, it is essential to immediately freeze all possible access points to banking and cryptocurrency services to prevent the loss of funds. Tracking the flow of funds can help exchanges, researchers, or law enforcement locate the assets and assist in freezing the hacker's wallet.
Original article: “Warning: WhatsApp Worm Targets Brazilian Crypto Wallets and Bank Accounts”