Eternidade Stealer Exploits WhatsApp to Swipe Brazil Banking Data

Brazilian banking customers are the latest target of a sophisticated new malware campaign dubbed “Eternidade Stealer.” This banking trojan, whose name translates to “Eternity” in Portuguese, leverages the widespread use of WhatsApp to spread its malicious payload and pilfer financial data. The attack highlights the evolving tactics of cybercriminals who are increasingly exploiting trusted communication channels to bypass traditional security measures.

The discovery, revealed by cybersecurity researchers at Trustwave’s SpiderLabs, showcases a worrying trend of malware authors using social engineering and advanced programming techniques to target specific regions and industries.

Eternidade Stealer’s attack vector begins with a seemingly innocuous WhatsApp message, crafted in Portuguese and often personalized with time-of-day greetings to enhance its credibility. This social engineering tactic aims to lure unsuspecting users into clicking on a malicious file attached to the message.

Once activated, the malware rapidly compromises the victim’s WhatsApp account, exfiltrating their entire contact list to a command-and-control server. It then replicates itself, sending the same malicious file to all of the victim’s contacts using a spreading component written in Python. This self-propagation mechanism allows the malware to spread rapidly and exponentially, turning trusted contacts into unwitting accomplices.

Python’s Pervasive Presence

The shift to Python for the spreading mechanism is a notable departure from previous attacks, indicating a strategic adaptation by malware authors to leverage the language’s versatility and ease of use.

According to Trustwave’s blog post, Eternidade Stealer is constructed using Delphi, a programming language favored by malware developers. The stealer is designed with a high degree of localization, specifically targeting users with Brazilian Portuguese as their operating system language.

Before initiating its primary attack, the malware profiles the victim’s computer, scanning for the presence of security software such as Windows Defender or Kaspersky. This reconnaissance lets the malware adapt its behaviour to the defences it finds, reducing the chance of detection and maximizing its chances of success.

The malware also uses the IMAP protocol to fetch instructions from a compromised email account, revealing a surprisingly simple and potentially vulnerable command-and-control infrastructure.

“Researchers were able to confirm this behavior when they accessed the threat actor’s email account, finding the criminal was using simple, easily-compromised credentials.”
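Two of the behaviours described above are observable on an endpoint without any knowledge of the sample: a process that is not a mail client opening IMAP connections (ports 143 or 993), and a Python interpreter being spawned beneath a messaging application. The following is an added, defender-side example, not code from the article or from Trustwave, that hunts for both signals over a few constructed telemetry records and correlates hosts where they coincide. The allow-list of mail clients, the list of messaging or browser parents, and every host and process name are assumptions a real deployment would replace with its own inventory.

```python
"""
Added example (not from the article or Trustwave): hunt constructed endpoint
telemetry for two behaviours the article attributes to Eternidade Stealer:
  1. a process outside a mail-client allow-list talking IMAP (C2 over IMAP), and
  2. a Python interpreter spawned under a messaging/browser process (spreader).
All names and records below are constructed for illustration.
"""
from dataclasses import dataclass

IMAP_PORTS = {143, 993}
# Assumed allow-list; tune to the organisation's real mail clients.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Assumed parents under which a Python interpreter is unexpected.
MESSAGING_PARENTS = {"whatsapp.exe", "chrome.exe", "msedge.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}


@dataclass(frozen=True)
class NetEvent:
    host: str
    process: str
    dest_port: int


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str
    process: str
    cmdline: str


def suspicious_imap(events):
    """(host, process) pairs where a non-mail-client opens an IMAP connection."""
    hits = {
        (e.host, e.process)
        for e in events
        if e.dest_port in IMAP_PORTS
        and e.process.lower() not in KNOWN_MAIL_CLIENTS
    }
    return sorted(hits)


def python_under_messaging_app(events):
    """(host, parent, process) triples where Python runs beneath a messaging app."""
    hits = {
        (e.host, e.parent, e.process)
        for e in events
        if e.process.lower() in PYTHON_IMAGES
        and e.parent.lower() in MESSAGING_PARENTS
    }
    return sorted(hits)


def hosts_with_both(net_events, proc_events):
    """Hosts showing both signals; the strongest lead for triage."""
    imap_hosts = {h for h, _ in suspicious_imap(net_events)}
    py_hosts = {h for h, _, _ in python_under_messaging_app(proc_events)}
    return sorted(imap_hosts & py_hosts)


# Constructed sample telemetry (not real data).
SAMPLE_NET = [
    NetEvent("ws-01", "outlook.exe", 993),   # benign: real mail client
    NetEvent("ws-01", "updater.exe", 993),   # suspicious: odd process on IMAPS
    NetEvent("ws-02", "chrome.exe", 443),    # benign: HTTPS
    NetEvent("ws-03", "thunderbird.exe", 143),  # benign
]

SAMPLE_PROC = [
    ProcEvent("ws-01", "whatsapp.exe", "python.exe", "python.exe spread.py"),
    ProcEvent("ws-02", "explorer.exe", "python.exe", "python.exe notebook.py"),
    ProcEvent("ws-02", "chrome.exe", "pythonw.exe", "pythonw.exe dl.py"),
    ProcEvent("ws-03", "outlook.exe", "outlook.exe", "outlook.exe"),
]


if __name__ == "__main__":
    for h, p in suspicious_imap(SAMPLE_NET):
        print(f"[imap] {h}: {p} connected to an IMAP port")
    for h, parent, p in python_under_messaging_app(SAMPLE_PROC):
        print(f"[spawn] {h}: {parent} -> {p}")
    print("hosts with both signals:", hosts_with_both(SAMPLE_NET, SAMPLE_PROC))
```

Either signal alone will produce false positives (an in-house script that polls a mailbox, a developer running Python from a browser-launched terminal), which is why the correlation in hosts_with_both is the lead worth paging on; the individual lists are better suited to a low-priority queue or to enriching an existing alert.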

Once active, Eternidade Stealer meticulously monitors the victim’s device for a predefined list of financial targets. This includes applications associated with major Brazilian banks like Itaú, Bradesco, and Caixa Econômica Federal, as well as popular payment services such as MercadoPago.

Critically, the malware also targets cryptocurrency wallets and exchanges, including MetaMask, Trust Wallet, and Binance, reflecting the growing interest of cybercriminals in digital assets.

When a victim launches one of these targeted applications, the malware overlays a fake login screen that mimics the authentic interface. Unsuspecting users enter their credentials into this fraudulent form, unknowingly transmitting their sensitive information directly to the attackers.

The Eternidade Stealer campaign serves as a stark reminder of the evolving threat landscape and the importance of vigilance in the digital age. Users should exercise caution when interacting with unexpected messages or attachments, even if they appear to originate from trusted contacts. Verifying the authenticity of any suspicious communication through alternative channels is crucial to prevent falling victim to these sophisticated attacks.

As cybercriminals continue to refine their tactics and exploit new vulnerabilities, a proactive and informed approach to cybersecurity remains the best defense against these ever-present threats. The “Eternidade Stealer” is a sign of things to come: highly targeted, socially engineered attacks that demand a new level of awareness from everyday users.
