
Cybersecurity experts from the Acronis Threat Research Unit have noted a new surge of cyberattacks in which WhatsApp has become a distribution vector for the Astaroth banking trojan. The specialists gave the campaign a memorable codename: Boto Cor-de-Rosa. The infection procedure is familiar: once a computer is infected, the malware reads the victim's WhatsApp contact list and automatically sends malicious messages to every contact, continuing the infection chain without further user involvement.

Meanwhile, Astaroth itself (also known as Guildma) remains "classic": the primary module is still coded in Delphi, and the installer employs Visual Basic Script. The novelty is a worm-like module written in Python, which is specifically responsible for spreading via WhatsApp. According to Acronis, this is a clear illustration of how malware authors are increasingly adopting modular architectures and mixing programming languages.

Astaroth has been known since 2015 and has long specialized in targeting users in Latin America, primarily Brazil. Its objective remains constant: stealing banking credentials. In 2024, the malware was actively spread through phishing emails, but now the focus is increasingly shifting toward messengers. Trend Micro previously detailed similar campaigns in which the Maverick and Casbaneiro banking trojans were distributed via WhatsApp. Astaroth has simply joined this trend.

According to Acronis data, the attack begins with a ZIP archive arriving in a WhatsApp message. Inside is a Visual Basic Script disguised as an innocuous file. Once the user launches it, the chain for downloading subsequent components begins. Ultimately, two key modules appear on the system: the Python distribution module, which gathers WhatsApp contacts and forwards the new malicious archive to them; and the banking module, which operates in the background, monitoring visits to banking websites to intercept login details.
Separately, researchers highlighted an interesting detail: the malware maintains its own “analytics,” sending distribution statistics to its creators—how many messages were delivered, how many failed, and the speed of the mailing.
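The initial stage described above, a ZIP archive carrying a Visual Basic Script disguised as an innocuous file, is something a messaging or mail gateway can flag before the user ever launches it. The following is an added defensive example, not code from Acronis or from the campaign itself: it inspects a ZIP attachment's member names for script extensions, for document-looking double extensions such as `.pdf.vbs`, and for encrypted members that would defeat content scanning. The extension lists and the sample archives are constructed for this example; the member name `comprovante.pdf.vbs` is a hypothetical lure name, not an indicator from the report.

```python
from __future__ import annotations

import io
import zipfile

# Script and executable extensions that a chat attachment should never need.
# Constructed list for this example; extend it to match local policy.
RISKY_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
    ".bat", ".cmd", ".ps1", ".exe", ".scr", ".lnk",
}

# Extensions attackers commonly place before the real one to make a script
# look like a document or image (constructed list).
DOC_LIKE_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per suspicious member of a ZIP archive.

    An empty list means nothing was flagged. Only member metadata is read;
    no member is extracted or executed.
    """
    findings: list[dict] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Work on the base name only, lower-cased for matching.
                base = info.filename.lower().rsplit("/", 1)[-1]
                parts = base.split(".")
                exts = ["." + p for p in parts[1:]]  # every extension after the stem
                reasons = []
                if exts and exts[-1] in RISKY_EXTENSIONS:
                    reasons.append(f"script/executable extension {exts[-1]}")
                    if len(exts) >= 2 and exts[-2] in DOC_LIKE_EXTENSIONS:
                        reasons.append("double extension disguising a script as a document")
                if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                    reasons.append("encrypted member blocks content scanning")
                if reasons:
                    findings.append({"member": info.filename, "reasons": reasons})
    except zipfile.BadZipFile:
        findings.append({"member": None, "reasons": ["not a valid ZIP archive"]})
    return findings


def build_sample_archive(member_name: str, body: bytes) -> bytes:
    """Build a small in-memory ZIP for the demo (constructed, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, body)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_archive("report.pdf", b"%PDF-1.4 constructed sample")
    lure = build_sample_archive("comprovante.pdf.vbs", b"' constructed placeholder script")
    print("benign:", inspect_archive(benign))
    print("lure:  ", inspect_archive(lure))
```

Name-based checks like this are a first filter, not a verdict: a gateway should pair them with content inspection of the members and, for the later stages the article describes, with endpoint telemetry on `wscript.exe`/`cscript.exe` launching from user-writable paths and on unexpected network activity from Python interpreters.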