Trustwave's cybersecurity research team SpiderLabs has uncovered a sophisticated malware campaign in Brazil that leverages WhatsApp to distribute the Eternidade Stealer, a hijacking worm and banking trojan designed to target crypto wallets and financial applications. The campaign employs complex social engineering tactics, including fake government programs, delivery notifications, and fraudulent investment groups shared through WhatsApp messages and groups, to lure victims.
The attack follows a two-stage process: when a victim clicks a malicious link, it triggers an automated sequence that hijacks the WhatsApp session, downloads an MSI installer in the background, and deploys the stealer. This malware scans for financial applications and crypto wallets, activating its payload when it detects window titles or process names linked to platforms like Bradesco, BTG Pactual, Binance, Coinbase, MetaMask, and Trust Wallet. It can harvest sensitive information, including login credentials and financial data, from these targets.
One notable feature is the malware's use of hardcoded credentials to access a Gmail account, retrieving commands via IMAP over SSL to evade network filters and maintain persistence. If email access fails, it defaults to a hardcoded fallback command-and-control (C2) address. The worm also accesses the victim's contact list to propagate further, ignoring business contacts to focus on individual users for efficiency.
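The C2 behaviour described above (IMAP over SSL from a non-mail process, then a fallback address when mailbox access fails) is something a defender can hunt for in endpoint network telemetry. The following is an added example, not code from the report or from Trustwave; the event fields, the mail-client allowlist and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict

# Assumed allowlist of legitimate mail clients; tune to your environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IMAPS_PORT = 993  # IMAP over SSL/TLS


@dataclass(frozen=True)
class NetEvent:
    ts: int          # seconds since epoch
    pid: int
    image: str       # process image name (constructed field layout)
    dest_host: str
    dest_port: int
    ok: bool         # whether the TCP connection succeeded


def imaps_by_non_mail_client(ev: NetEvent) -> bool:
    """IMAPS traffic from a process that is not a known mail client."""
    return ev.dest_port == IMAPS_PORT and ev.image.lower() not in MAIL_CLIENTS


def detect(events, fallback_window=300):
    """Return {pid: [reasons]} for processes matching the described pattern:
    IMAPS from a non-mail process, and a failed IMAPS attempt followed within
    fallback_window seconds by an outbound connection to a different host."""
    findings, by_pid = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)
    for pid, evs in by_pid.items():
        if any(imaps_by_non_mail_client(e) for e in evs):
            findings[pid].append("imaps_from_non_mail_client")
        for i, e in enumerate(evs):
            if e.dest_port == IMAPS_PORT and not e.ok:
                for later in evs[i + 1:]:
                    if later.ts - e.ts <= fallback_window and later.dest_host != e.dest_host:
                        findings[pid].append("fallback_c2_after_imaps_failure")
                        break
                break  # one fallback finding per process is enough for triage
    return dict(findings)


SAMPLE_EVENTS = [  # constructed telemetry, not indicators from the report
    NetEvent(1000, 4242, "outlook.exe", "imap.gmail.com", 993, True),
    NetEvent(1010, 7777, "svchost_update.exe", "imap.gmail.com", 993, False),
    NetEvent(1025, 7777, "svchost_update.exe", "203.0.113.10", 8443, True),
    NetEvent(1030, 5151, "chrome.exe", "web.whatsapp.com", 443, True),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Only the constructed non-mail process that tries IMAPS and then reaches another host is flagged; the legitimate mail client on port 993 is not.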
SpiderLabs researchers, including Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi, emphasized that WhatsApp remains a heavily exploited channel in Brazil's cybercrime ecosystem, with threat actors refining their tactics over the past two years. Brazil's crypto adoption has soared, ranking fifth globally on the Chainalysis Global Crypto Adoption Index and leading Latin America by volume, making it a prime target for such attacks. This campaign highlights broader trends, such as the rise of cross-platform threats like ModStealer and AI-driven malware, underscoring the need for heightened vigilance among users.