Spyware

Eternidade Stealer: WhatsApp-Enabled banking trojan sophistication

dark6 20 November 2025

The Trustwave SpiderLabs team has unearthed a particularly unsettling piece of malware – Eternidade Stealer – that’s raising serious questions about the security practices surrounding WhatsApp and the increasingly complex techniques employed by cybercriminal organizations. This isn’t your run-of-the-mill banking trojan; it’s a meticulously crafted operation leveraging the platform’s trusted nature to execute a multi-stage attack chain with a clear focus on Brazilian financial institutions and beyond.

At its core, Eternidade Stealer is a Delphi-based malware, a choice reflecting a preference for rapid development and a degree of obfuscation. What truly distinguishes it is the initial infection vector: a cleverly obfuscated VBScript delivered via WhatsApp. The script itself triggers the download of a batch file containing two primary payloads: a Python-based WhatsApp worm and an MSI installer for the banking trojan. This layered approach immediately signals a level of sophistication far exceeding many opportunistic threats.

The targeting strategy is laser-focused. The malware employs geolocation checks, verifying the operating system language is Brazilian Portuguese before initiating the infection sequence. This demonstrates a calculated effort to minimize accidental infections outside of Brazil, simultaneously refining the attack and attempting to evade detection within sandbox environments. The deliberate use of a language-specific check is a subtle but crucial tactic.

The core functionality revolves around the theft of WhatsApp contact lists. The ‘obter_contatos()’ function harvests them through the WPP.contact.list() API, a path that bypasses many conventional security controls. Crucially, the malware doesn’t indiscriminately harvest all contacts. It filters out groups, business contacts, and broadcast lists, prioritizing individual personal contacts – those most likely to be susceptible to phishing messages. Each stolen contact record includes the full WhatsApp ID, contact name, phone number, and a boolean indicator of whether the contact is saved within the phone’s address book.

Following contact list acquisition, the malware instantly transmits the data to the command-and-control (C2) server via HTTP POST requests, again, without requiring any direct user interaction. This eliminates a common mitigation point – the need for the user to actively click a malicious link.

The real danger emerges with the trojan’s dual-layer persistence mechanism for its command-and-control channel. It uses hardcoded credentials to establish an IMAP connection to an email account controlled by the threat actors. This allows for continuous communication and facilitates the dynamic updating of the C2 infrastructure: the malware extracts the C2 server address directly from email subjects and bodies, a robust and adaptable approach to maintaining operational continuity even if specific domains are taken down.
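The infection chain described above (script host to batch file to MSI installer and Python worm) and the IMAP-based C2 lookup both leave host-level traces. The following Python is an added example, not code from the Trustwave report or from the malware, that runs simple correlation rules over constructed EDR-style process and network events; the event schema, process names, and the mail-client allow-list are assumptions to be tuned per environment.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the report): process-creation and
# network-connection records in the style of a Sysmon/EDR feed.
EVENTS = [
    {"type": "process", "host": "ws01", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\Public\\setup.bat"},
    {"type": "process", "host": "ws01", "parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i installer.msi /qn"},
    {"type": "process", "host": "ws01", "parent": "cmd.exe", "image": "python.exe",
     "cmdline": "python.exe worm.py"},
    {"type": "network", "host": "ws01", "image": "installer_app.exe", "dport": 993,
     "dst": "imap.example.invalid"},
    {"type": "network", "host": "ws02", "image": "outlook.exe", "dport": 993,
     "dst": "imap.example.invalid"},
    {"type": "process", "host": "ws02", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # VBScript stage
BATCH_PAYLOADS = {"msiexec.exe", "python.exe", "pythonw.exe"}  # MSI + Python worm
IMAP_PORTS = {143, 993}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}      # assumed allow-list


def detect(events):
    """Return a list of findings {rule, host, detail} for the three behaviours."""
    findings = []
    payloads_by_host = defaultdict(set)
    for e in events:
        if e["type"] == "process":
            # Rule 1: a script host handing off to a batch interpreter.
            if e["parent"] in SCRIPT_HOSTS and e["image"] == "cmd.exe":
                findings.append({"rule": "script_host_spawns_batch",
                                 "host": e["host"], "detail": e["cmdline"]})
            # Collect what cmd.exe launched, for cross-event correlation below.
            if e["parent"] == "cmd.exe" and e["image"] in BATCH_PAYLOADS:
                payloads_by_host[e["host"]].add(e["image"])
        elif e["type"] == "network":
            # Rule 2: IMAP traffic from anything that is not a known mail client.
            if e["dport"] in IMAP_PORTS and e["image"] not in MAIL_CLIENTS:
                findings.append({"rule": "imap_from_non_mail_client", "host": e["host"],
                                 "detail": f'{e["image"]} -> {e["dst"]}:{e["dport"]}'})
    # Rule 3: one host where a batch file launched both an MSI install and Python.
    for host, images in payloads_by_host.items():
        if "msiexec.exe" in images and images & {"python.exe", "pythonw.exe"}:
            findings.append({"rule": "batch_drops_msi_and_python", "host": host,
                             "detail": ", ".join(sorted(images))})
    return findings
```

Rule 3 is the most specific signal because it requires both payload types from the same parent on the same host; rules 1 and 2 alone will fire on some legitimate administrative scripts and unusual mail tooling.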

Eternidade Stealer isn’t simply targeting Brazilian banks and payment services; MercadoPago, Binance, and Coinbase are also among the identified targets, and it actively conducts system reconnaissance. The trojan activates a fake login overlay upon accessing a targeted banking application, designed to seamlessly steal credentials. Concurrently, it collects a suite of data, including OS details, installed antivirus software, public and local IP addresses, and running processes. This reconnaissance informs the attackers’ decision-making process – do they proceed with credential theft, or deploy the banking overlay?

The investigation revealed a significant global footprint, with one threat actor’s infrastructure recording 454 connection attempts globally, with substantial traffic originating from the United States and European countries. This suggests a deliberate strategy of expansion beyond Brazil’s borders, indicating a potentially larger, more coordinated operation. It’s a chilling reminder that security vulnerabilities, once exploited, can quickly translate into attacks on a global scale.

The techniques employed by Eternidade Stealer underscore a critical vulnerability: the trust placed in messaging platforms and the willingness of attackers to exploit seemingly benign communication channels. It’s a wake-up call – a reminder that cybersecurity is no longer just about firewalls and antivirus software; it’s about understanding the evolving tactics of sophisticated adversaries and the potential for abuse in even the most trusted digital spaces.
