'Astaroth' Attack: How a simple WhatsApp file could empty your bank account

A sophisticated new malware campaign is exploiting the trusted platform of WhatsApp Web to distribute a potent banking Trojan to Windows users, cybersecurity authorities have warned.

The attack, which uses a malicious file shared through the messaging service, can silently hijack a victim's active WhatsApp Web session to spread itself and steal sensitive financial data.

The Cyber Security Authority (CSA) issued a detailed public alert concerning the activity, stating that "cybersecurity experts have discovered a new malware attack that uses WhatsApp Web on Windows computers to spread a dangerous banking malware called Astaroth." 

The authority emphasised that the criminals are "taking advantage of the popularity and the trust people have in WhatsApp to trick users into getting infected."

According to the alert, the attack begins with threat actors sending malicious ZIP archive files to potential victims via WhatsApp messages. 

These files are carefully disguised as legitimate documents or shared with convincing backstories to prompt users to download and open them. Once the enclosed file is extracted and executed on a Windows PC, the Astaroth malware is installed.

The infection then takes a particularly insidious turn. "After installation, the malware silently connects to WhatsApp Web, where it retrieves the victim’s contact list and automatically sends similar malicious messages to all contacts, thereby propagating itself without the victim’s knowledge," the CSA explained. 

This method of self-replication through a victim's own trusted contacts significantly increases its reach and effectiveness.

While the malware spreads, it conducts "extensive data harvesting activities" in the background. Its primary target is financial information, including the theft of "banking login credentials, one-time passwords (OTPs), browser cookies, and keystrokes." The stolen data "can be used to gain unauthorized access to financial accounts, commit fraud, and facilitate further criminal activity."

In response, the CSA has issued several key recommendations. Users should exercise extreme caution when downloading or opening ZIP files or unexpected attachments received via WhatsApp, "even if they come from known contacts," since the self-propagation described above means such a message may genuinely have been sent from a contact's own compromised session. They also advise being wary of messages demanding immediate action or a download, a common social engineering tactic.

To counter the WhatsApp Web hijacking, individuals should regularly check their active WhatsApp Web sessions and "log out of any you do not recognise," while avoiding leaving sessions signed in on shared computers. Maintaining updated Windows operating systems and security software is also critical.

The authority reminded the public of its 24-hour Cybersecurity/Cybercrime Incident Reporting Point of Contact for reporting incidents and seeking guidance.

