A WhatsApp malware campaign known as Water Saci recently shifted tactics from spreading banking malware to establishing persistent backdoors, Trend Micro reported Monday.
Water Saci’s “SORVEPOTEL” malware automatically spreads itself by compromising victims’ WhatsApp Web sessions and sending malicious ZIP files to all of the victim’s contacts. In its most recent attacks, SORVEPOTEL used a novel email-based command-and-control (C2) system to retrieve commands for its new backdoor functionality.
SORVEPOTEL automatically spread through WhatsApp contacts
While Water Saci previously used .NET binaries in its attacks, the latest attack chain begins with a ZIP file with the naming convention Orcamento-2025[8 random digits].zip, which contains a Visual Basic Script (VBS) downloader called Orcamento.vbs. This downloader uses a PowerShell command that leads to the download and execution of another PowerShell script called tadeu.ps1.
This script handles self-propagation: it builds a new ZIP archive (Bin.zip) to send onward and installs a WhatsApp automation library, ChromeDriver (the Chrome browser automation driver) and the Selenium PowerShell module to drive the browser, Trend Micro said.
The malware retrieves cookies, authentication tokens and saved browser sessions from the victim’s Chrome browser and leverages these to gain access to the victim’s WhatsApp account.
Using the installed automation tools, it collects all of the victim’s WhatsApp contacts and messages each of them using a template filled in with the target’s name and a time-based greeting (e.g. “Bom dia” in the morning, “Boa noite” at night), attaching the Bin.zip file renamed according to the “Orcamento” naming scheme.
The malware mainly targets users in Brazil and the messages sent are in Portuguese.
Backdoor with email-based C2 infrastructure
The researchers found that the Water Saci attackers evolved the SORVEPOTEL malware from a .NET banking trojan to a fully functional backdoor capable of running Windows command prompt and PowerShell commands, uploading, exfiltrating and deleting files, taking screenshots, gathering system information, forcing a system restart and more.
SORVEPOTEL establishes persistence by modifying the Windows Registry, creating a scheduled task and placing a copy of itself, named WinManagers.vbs, in C:\ProgramData\WindowsManager\, Trend Micro said. Before doing so, it performs checks and does not proceed if analysis tools such as Process Hacker are running, if another instance of the malware is already present or if the system language is not Portuguese.
The malware uses the Internet Message Access Protocol (IMAP) to poll hardcoded Terra Mail email accounts, from which it retrieves C2 commands and endpoints. The attacker communicates with the backdoor by sending emails to these accounts whose subject lines are the strings “data”, “backup” or “ps”.
Emails with the subject line “data” provide primary C2 URLs in the email body, while failover C2 URLs arrive in emails labeled “backup.” Emails labeled “ps” carry URLs from which the backdoor retrieves PowerShell commands to execute.
The backdoor checks the email account every 30 minutes for new commands or URLs and polls the provided C2 endpoints every five seconds for additional commands. Once a command is completed, the results are relayed back to the C2 server.
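The email-based C2 scheme described above, modeled as an added example (this is illustrative code written for this page, not Trend Micro's analysis tooling and not the malware's own code). The mailbox contents, the `example` hostnames, the operator and drop-box addresses and the proxy log lines are all constructed for the demonstration; the real Terra Mail accounts and C2 URLs are not given on the page. The first half shows how a backdoor would sort URLs by the “data”/“backup”/“ps” subject labels and fail over from primary to backup endpoints; the second half shows the defender's side, flagging a host that hits the same URL at the fixed five-second cadence the article describes.

```python
"""Model of a subject-labeled email C2 channel plus a fixed-interval
polling detector. Added example; all hosts, addresses and logs are
constructed placeholders, not indicators from the report."""
import email
import re
from datetime import datetime
from email import policy
from email.message import EmailMessage
from statistics import mean, pstdev

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LABELS = {"data": "primary", "backup": "backup", "ps": "ps"}


def build_mailbox():
    """Constructed RFC 822 messages standing in for what an IMAP FETCH
    would return from the drop-box account (addresses are placeholders)."""
    specs = [
        ("data", "http://c2-primary.example/cmd\nhttp://c2-primary2.example/cmd"),
        ("backup", "http://c2-failover.example/cmd"),
        ("ps", "http://c2-primary.example/stage.ps1"),
        ("newsletter", "http://unrelated.example/ignore-me"),  # noise, no label
    ]
    raw = []
    for subject, body in specs:
        msg = EmailMessage()
        msg["From"] = "operator@example.invalid"
        msg["To"] = "dropbox@example.invalid"
        msg["Subject"] = subject
        msg.set_content(body)
        raw.append(msg.as_bytes())
    return raw


def parse_c2_config(raw_messages):
    """Route URLs by subject label: data -> primary C2, backup -> failover,
    ps -> PowerShell script URLs. Unlabeled mail is ignored."""
    config = {"primary": [], "backup": [], "ps": []}
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        label = str(msg["Subject"] or "").strip().lower()
        if label not in LABELS:
            continue
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        config[LABELS[label]].extend(URL_RE.findall(text))
    return config


def choose_endpoint(config, reachable):
    """Failover order: primaries first, then backups; None if nothing answers."""
    for url in config["primary"] + config["backup"]:
        if reachable(url):
            return url
    return None


# Constructed proxy log: "<ISO timestamp> <src ip> <method> <url>" per line.
PROXY_LOG = """\
2025-10-13T10:00:00 10.0.0.5 GET http://c2-primary.example/cmd
2025-10-13T10:00:05 10.0.0.5 GET http://c2-primary.example/cmd
2025-10-13T10:00:10 10.0.0.5 GET http://c2-primary.example/cmd
2025-10-13T10:00:15 10.0.0.5 GET http://c2-primary.example/cmd
2025-10-13T10:00:20 10.0.0.5 GET http://c2-primary.example/cmd
2025-10-13T10:00:25 10.0.0.5 GET http://c2-primary.example/cmd
2025-10-13T10:00:30 10.0.0.5 GET http://c2-primary.example/cmd
2025-10-13T10:00:01 10.0.0.9 GET http://news.example/
2025-10-13T10:00:09 10.0.0.9 GET http://news.example/
2025-10-13T10:00:31 10.0.0.9 GET http://news.example/
2025-10-13T10:02:00 10.0.0.9 GET http://news.example/
2025-10-13T10:02:04 10.0.0.9 GET http://news.example/
2025-10-13T10:02:40 10.0.0.9 GET http://news.example/
"""


def find_fixed_interval_polling(log_text, interval_s=5.0, min_hits=6, tol_s=1.0):
    """Flag (src, url) pairs requested at a near-constant interval: mean gap
    within tol_s of interval_s and little jitter. Human browsing is bursty."""
    hits = {}
    for line in log_text.splitlines():
        ts, src, _method, url = line.split()
        hits.setdefault((src, url), []).append(datetime.fromisoformat(ts))
    flagged = []
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - interval_s) <= tol_s and pstdev(gaps) <= tol_s:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    cfg = parse_c2_config(build_mailbox())
    print("parsed config:", cfg)
    print("endpoint when primaries are down:",
          choose_endpoint(cfg, lambda u: "failover" in u))
    print("fixed-interval pollers:", find_fixed_interval_polling(PROXY_LOG))
```

The detector keys on regularity, not on the URL, so it is worth running against any outbound HTTP telemetry rather than only against known C2 hosts; tune `interval_s` and `tol_s` to the cadence you are hunting (the article gives five seconds for command polling) and raise `min_hits` to cut false positives from legitimate keep-alives.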
Trend Micro noted that Water Saci may have connections to the Coyote banking trojan due to the use of similar WhatsApp Web self-propagation methods.
The researchers recommend disabling automatic downloads on WhatsApp and restricting file transfers through WhatsApp and similar apps on organizational devices. Users are also encouraged to log out of messaging apps when not in use and regularly clear browser cookies and tokens to prevent session hijacking.