WhatsApp Banking Trojan Eternidade Stealer Hits Brazil

According to Infosecurity Magazine, a newly identified banking Trojan called Eternidade Stealer has been observed pushing Brazil’s cybercrime ecosystem into a more aggressive phase. The malware combines a WhatsApp-propagating worm, a Delphi-based stealer and an MSI dropper to harvest financial data, system details and contact lists that are then used for rapid lateral spread. Trustwave SpiderLabs researchers identified 454 connection attempts from 38 countries, with only a handful originating in Brazil despite the malware’s regional focus. The campaign uses obfuscated VBScript that downloads two payloads: a Python-written WhatsApp worm and an installer that deploys the Delphi-built banking Trojan. Most of the connecting systems were desktops, suggesting the campaign targets workstation environments rather than mobile endpoints.

WhatsApp as the Perfect Delivery System

Here’s what makes this campaign particularly clever: they’re using WhatsApp not just as an entry point but as the actual propagation mechanism. The malware automates WhatsApp messaging using wppconnect libraries and even personalizes messages based on time of day and recipient names. That’s some serious attention to detail. And shifting to Python for the WhatsApp hijacking component? That’s a smart move – shorter, more agile scripting that’s easier to modify and deploy. Basically, they’ve turned one of the world’s most trusted messaging platforms into their personal spam distribution network.

The Regional Focus Paradox

Now here’s something interesting: the researchers found logs showing 454 connection attempts from 38 different countries, but only a handful actually came from Brazil. That’s despite the malware being designed to activate only on systems using Brazilian Portuguese. So what’s going on? It seems that the initial infection attempts are global, while the actual payload deploys only when it detects the right language settings. That gives the operators a wide net for delivery while keeping the theft operations tightly focused. The malware specifically targets Brazilian banks like Itaú, Santander, Bradesco and Caixa, along with services like MercadoPago and Binance.

Evolving Infrastructure Tactics

The command-and-control setup shows some serious evolution in their thinking. Instead of hard-coded C2 servers that can be taken down easily, they embed email credentials in the malware itself and use them to pull fresh C2 details from an IMAP mailbox whenever needed. That’s a resilience move we’re seeing more of lately, and it makes takedown efforts much harder. The dropper installs multiple components, including AutoIt-based scripts that perform reconnaissance, detect antivirus tools and gather system telemetry.
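Two of the behaviours described above are easy to hunt for on the endpoint even without any published indicators: a script host (the obfuscated VBScript downloader) making outbound web connections, and a process that is not a mail client opening an IMAP session to fetch its C2 details. The following is an added example, not code from the article or from Trustwave SpiderLabs, that runs both checks over a handful of constructed Sysmon-style network events; the event field names, the process allow-list and the sample paths are all assumptions for the example. One practical caveat that follows from the language-gating described in the previous section: a sandbox that is not set to Brazilian Portuguese may never see the Delphi payload execute, so endpoint telemetry like this is a better place to look than detonation output alone.

```python
"""
Added example (not the article's or the vendor's code): flag two
behaviours the coverage describes, over constructed endpoint telemetry.
  1. script_host_outbound_http   - wscript.exe / cscript.exe talking HTTP(S)
  2. imap_from_unexpected_process - IMAP (tcp/143, tcp/993) from a process
                                    that is not an approved mail client
Field names and the allow-list are assumptions, not published indicators.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WEB_PORTS = {80, 443}
IMAP_PORTS = {143, 993}
# Assumption: processes this site expects to speak IMAP. Tune per environment.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class NetEvent:
    ts: str        # ISO-8601 timestamp
    image: str     # full path of the process image that made the connection
    dest_ip: str
    dest_port: int


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    image: str
    dest: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Apply both rules to an iterable of NetEvent and return the alerts."""
    alerts = []
    for ev in events:
        name = _basename(ev.image)
        dest = f"{ev.dest_ip}:{ev.dest_port}"
        if name in SCRIPT_HOSTS and ev.dest_port in WEB_PORTS:
            alerts.append(Alert("script_host_outbound_http", ev.ts, ev.image, dest))
        if ev.dest_port in IMAP_PORTS and name not in KNOWN_MAIL_CLIENTS:
            alerts.append(Alert("imap_from_unexpected_process", ev.ts, ev.image, dest))
    return alerts


def summarize(alerts):
    """Count alerts per rule name."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


# Constructed sample telemetry (documentation-range IPs, hypothetical paths).
SAMPLE_EVENTS = [
    NetEvent("2025-11-20T09:01:10Z", r"C:\Windows\System32\wscript.exe", "203.0.113.10", 443),
    NetEvent("2025-11-20T09:02:33Z",
             r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "198.51.100.5", 993),
    NetEvent("2025-11-20T09:03:07Z", r"C:\Users\Public\updater.exe", "198.51.100.5", 993),
    NetEvent("2025-11-20T09:04:12Z", r"C:\Program Files\Mozilla Firefox\firefox.exe", "203.0.113.10", 443),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.ts} {a.image} -> {a.dest}")
    print(summarize(found))
```

On the sample telemetry the Outlook and Firefox connections pass, while the script host's HTTPS download and the IMAP session from a binary in a user-writable directory each raise one alert. The IMAP rule is deliberately an allow-list rather than a deny-list: a dead-drop resolver can use any mailbox provider, so the signal is the process, not the destination.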

Why This Matters Beyond Brazil

Look, this isn’t just a Brazil problem. The techniques here – using trusted platforms for distribution, regional targeting with global infection attempts, resilient C2 infrastructure – these are becoming standard playbook items for cybercrime groups worldwide. The fact that they’re using multiple programming languages (Python, Delphi, VBScript, AutoIt) shows a sophisticated understanding of what each tool is best for. And the WhatsApp propagation? That’s just the beginning. We’re likely to see similar approaches targeting other popular messaging platforms. The question isn’t if this will spread to other regions – it’s when, and which platforms they’ll target next.
