Summary

A new self-propagating malware campaign, codenamed SORVEPOTEL, has been identified targeting Brazilian users through the popular messaging app WhatsApp. This campaign, primarily affecting Windows systems, is engineered for rapid propagation rather than data theft or ransomware. The malware exploits the trust associated with WhatsApp to spread quickly across enterprise environments, leading to account suspensions due to excessive spam activity.

Technical Details

Initial Infection Vector:

• ‍Phishing Message: The attack begins with a phishing message sent via WhatsApp from a compromised contact. This message includes a ZIP file attachment that appears to be benign, such as a receipt or a health app-related file.‍

Malicious ZIP File:

• ‍Contents: The ZIP file contains a Windows shortcut (LNK) file. This file is designed to execute a PowerShell script when opened.‍
• Execution: When the LNK file is clicked, it silently runs a PowerShell command that retrieves the main payload from an external server, such as sorvetenopoate[.]com.‍

Payload Retrieval and Execution:

• _‍PowerShell Script: The script is responsible for downloading the main payload, which is a batch script.‍
• Batch Script: This script establishes persistence by copying itself to the Windows Startup folder, ensuring it runs every time the system starts.‍
• Command-and-Control (C2) Communication: The batch script also executes a PowerShell command to contact a C2 server for further instructions or to download additional malicious components.
  

Propagation Mechanism:

• ‍WhatsApp Web Exploitation: If WhatsApp Web is active on the infected system, the malware leverages this session to send the malicious ZIP file to all contacts and groups associated with the victim's account.‍
• Automated Spamming: This automated distribution results in a high volume of spam messages, often leading to the suspension or banning of the infected account due to violations of WhatsApp's terms of service.
  

Persistence and Evasion:

• ‍Startup Folder Persistence: By placing the batch script in the Startup folder, the malware ensures it is executed upon system reboot.‍
• Minimal User Interaction: The campaign is designed to require minimal user interaction, relying heavily on automation and social engineering to propagate.
  

Targeting and Impact:‍

• Enterprise Focus: The requirement for the attachment to be opened on a desktop suggests a focus on enterprise environments, where desktop usage is more prevalent.
• Regional Focus: The majority of infections have been reported in Brazil, affecting sectors such as government, public service, manufacturing, technology, education, and construction.

Mitigation

1. ‍User Awareness and Training: Educate users about the risks of opening attachments from unknown or unexpected sources, even if they appear to come from known contacts. ‍
2. Email and Messaging Security: Implement robust email and messaging security solutions to detect and block phishing attempts and malicious attachments. ‍
3. Endpoint Protection: Deploy comprehensive endpoint protection solutions capable of detecting and mitigating threats like SORVEPOTEL. ‍
4. Network Monitoring: Monitor network traffic for unusual activity, such as connections to known malicious domains or unexpected data exfiltration attempts.

What the Cyber Fusion Center is Doing

The CFC is currently:

• Continuing active threat hunting operations and support engagements in environments impacted by this campaign.
• Leveraging findings from recent IR cases to refine detection and response capabilities.

References

• https://thehackernews.com/2025/10/researchers-warn-of-self-spreading.html
• https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html
• https://documents.trendmicro.com/assets/txt/WhatsApp Self-Propagating Malware IoCs-hhTEpdC.txt