New Eternidade Stealer Uses WhatsApp to Steal Banking Data

Trustwave SpiderLabs warns of Eternidade Stealer, a new banking trojan spreading via personalised WhatsApp messages. Find out how this malicious software bypasses security checks and deploys fake login screens for major banks and wallets.

HackRead

Cybersecurity researchers at Trustwave’s SpiderLabs have issued a warning about a new banking trojan targeting bank customers in Brazil. Dubbed Eternidade Stealer (Portuguese for Eternity), this malware uses the popular messaging app WhatsApp to trick people and steal their private financial information.

**The Attack Starts with a Simple Message**

The criminals employ social engineering, starting with a personalised WhatsApp message in Portuguese, featuring greetings that adjust to the time of day (like ‘good morning’). This tactic immediately makes the message seem legitimate. Once the victim clicks the attached malicious file, a complex attack chain begins.

The message researchers received via WhatsApp (Image credit: SpiderLabs)

The threat quickly takes over the user’s WhatsApp account. The program’s first action is to steal the victim’s entire contact list, which is immediately sent to the criminals’ control server. It then automatically sends itself to all of the victim’s contacts using a propagation module written in Python. This shift to Python is a notable change from earlier campaigns, which typically relied on other tooling.

Attack chain (Image credit: SpiderLabs)

**A Highly Targeted Operation**

According to Trustwave’s blog post, the Eternidade Stealer is built using Delphi, a programming language favoured by cybercriminals in Brazil for its efficiency and regional familiarity. The malware is highly localised; it only targets users with the Brazilian Portuguese operating system language.

Before launching its main attack, the stealer profiles the victim’s computer, checking for security software such as Windows Defender or Kaspersky to help it avoid detection. The program is also designed to retrieve its instructions by logging into a specific email account over the IMAP protocol and fetching the current address of its control server from there.
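The IMAP-based lookup described above is a generic pattern defenders can hunt for: a process that is not a mail client opening a connection to an IMAP port. The following script is an added example written for this page, not code from HackRead or from Trustwave’s research. It runs over a few constructed process-network telemetry lines (the `host=… proc=… dport=… dst=…` format and the allow-list of mail clients are assumptions, not a real EDR export) and flags IMAP connections from unexpected processes.

```python
"""Flag IMAP connections (TCP 143/993) made by processes that are not known
mail clients.

Added example, not from the article or the Trustwave write-up. The
telemetry format, hostnames and process names below are constructed for
illustration; adapt parse_event() to your own EDR or Sysmon export.
"""
from dataclasses import dataclass
from typing import Iterable

IMAP_PORTS = {143, 993}

# Assumption: an environment-specific allow-list of legitimate mail clients.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "olk.exe"}


@dataclass(frozen=True)
class NetEvent:
    host: str
    process: str
    dest_port: int
    dest_host: str


def parse_event(line: str) -> NetEvent:
    """Parse one constructed 'key=value key=value' telemetry line."""
    fields = dict(item.split("=", 1) for item in line.split())
    return NetEvent(
        host=fields["host"],
        process=fields["proc"].lower(),   # normalise case before allow-list check
        dest_port=int(fields["dport"]),
        dest_host=fields["dst"],
    )


def suspicious_imap_events(lines: Iterable[str]) -> list[NetEvent]:
    """Return events where a non-mail-client process talks to an IMAP port."""
    hits: list[NetEvent] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.dest_port in IMAP_PORTS and ev.process not in KNOWN_MAIL_CLIENTS:
            hits.append(ev)
    return hits


# Constructed sample telemetry: one benign mail client, one web browser on
# HTTPS, and two unexpected processes reaching IMAP servers.
SAMPLE_TELEMETRY = """\
host=WS01 proc=outlook.exe dport=993 dst=imap.example-mail.test
host=WS01 proc=chrome.exe dport=443 dst=www.example.test
host=WS02 proc=unknown_app.exe dport=993 dst=imap.example-mail.test
host=WS02 proc=svchost.exe dport=143 dst=mail.example.test
"""

if __name__ == "__main__":
    for ev in suspicious_imap_events(SAMPLE_TELEMETRY.splitlines()):
        print(f"[ALERT] {ev.host}: {ev.process} -> {ev.dest_host}:{ev.dest_port}")
```

The allow-list approach is deliberately simple: it will produce false positives for legitimate but unlisted tooling (backup agents, scripts that poll a mailbox), so treat a hit as a lead for triage rather than a verdict, and tune `KNOWN_MAIL_CLIENTS` to what is actually deployed in the environment.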

Researchers were able to confirm this behaviour when they accessed the threat actor’s email account, finding the criminal was using simple, easily-compromised credentials.

The threat actor’s email account accessed by SpiderLabs (Image credit: SpiderLabs)

**Stealing From Banks and Wallets**

Once active, the malware is programmed to watch for a long list of financial targets. It actively scans for applications linked to major Brazilian banks (like Itaú, Bradesco, and Caixa Econômica Federal), popular payment services (such as MercadoPago), and even cryptocurrency wallets and exchanges, including MetaMask, Trust Wallet, and Binance.

When a victim opens one of these targeted applications, the stealer deploys a fake screen, known as an overlay, that looks exactly like the login page. The victim unknowingly enters their sensitive information into this fake form, sending their credentials directly to the criminals.

To stay safe, be cautious of any unexpected messages or attachments, even if they appear to be from a known contact. If you receive a suspicious file, never open it; instead, call or text the supposed sender on a different platform to confirm they actually sent it.
