A VBScript campaign distributed through WhatsApp deploying RMM software
A widespread malware campaign is leveraging compromised WhatsApp accounts to distribute malicious VBScript files disguised as financial documents. The multi-stage infection chain abuses legitimate Windows utilities to download payloads, attempts to bypass UAC via registry modifications, and ultimately deploys a preconfigured ManageEngine Endpoint Central RMM agent to establish persistent remote access.
- domainbaoxis[.]ccAttacker-controlled domain used for payload delivery.
- domaininvoice[.]msopsa[.]topAttacker-controlled domain used for payload delivery.
- domaintemu[.]baskwms[.]topAttacker-controlled domain used for payload delivery.
- ip202[.]61[.]160[.]137Attacker-controlled UEMS server IP Address
- ip202[.]61[.]160[.]160Attacker-controlled UEMS server IP Address
- ip202[.]61[.]160[.]201Attacker-controlled ManageEngine Endpoint Central C2 server, previously associated with ValleyRAT and Gh0st RAT.
- ip202[.]61[.]160[.]202Attacker-controlled UEMS server IP Address
- ip202[.]61[.]160[.]208Attacker-controlled UEMS server IP Address
- ip38[.]55[.]151[.]63Attacker-controlled UEMS server IP Address
- md502bb20455cc592a69c080abac770ce90Stage 1 VBScript payload (Le formulaire de demande le plus récent .vbs)
- md505d188f071d097f5b6bd8138749b4b14Stage 1 VBScript payload (Penyata bank.vbs)
- md50ba93109757776a44de9d8c88baa4963Stage 1 VBScript payload (Financial Reports(C1).vbs)
- md51a3cc75466ffb1971482f7abf7aabc3fStage 1 VBScript payload (home3.vbs)
- md51c47c63e5ed25060d95359c57c77b107Stage 1 VBScript payload (zipats.vbs)
- md51d94fbe9cab21278cc3f104bea334d08Stage 1 VBScript payload (Promissory_Note(b).vbs)
- md520209b3a32769afc6a75694b8d8839ddStage 1 VBScript payload (Statement of Debt(A).vbs)
- md52c6f05f1f309d89b2236e6c8b59c88f9Stage 1 VBScript payload (Account Statement(13K) (2).vbs)
- md531037a42ca048e06e69a78f55bc2eff5Stage 1 VBScript payload (1122.vbs)
- md53b1aba44dd3d9b6339b6f56e2f42034bStage 1 VBScript payload (Statement of Account.txt)
- md54044e4b6471c9de7b0a4ba37d9d9df9aStage 1 VBScript payload (billing statement (2).vbs)
- md54f0593e8e0e8fac49429e9b45ebf7fa1Stage 1 VBScript payload (Outstanding Payment List.vbs)
- md55002eca748205d544618e3bd2dedc223Stage 1 VBScript payload (Statement of Debt(29K).vbs)
- md55b6bbcc06cf08cc99e1afeda486d42fbStage 1 VBScript payload (Extrato de Conciliação.vbs)
- md56359e6236471cbe434d0ef4c42b7f879Stage 1 VBScript payload (Applicationform1.vbs)
- md563ac85195b73753333316a889cf5880fStage 1 VBScript payload (Statement of Account(O).vbs)
- md566442f2457eca8f47385b1fb2c6fcab8Stage 1 VBScript payload (Statement of Debt(30K).vbs)
- md566705384a7ad81d14c34fc6c054a0ecfStage 1 VBScript payload (iowepv.vbs)
- md568c16c46f8afb9e00bbaba0207fb0a46Stage 1 VBScript payload (Debt Note (2).vbs)
- md56c39900d77dcba158e1d27c7619cb06dStage 1 VBScript payload (Outstanding Balance Sheet(A).vbs)
- md56fb6a55424adfb61e31f06aef33273e5Stage 1 VBScript payload (dfjieya.vbs)
- md57403cbcc5a9c32384d431856dc48fcc9Stage 1 VBScript payload (Statement of debt (4).vbs)
- md574fd9f91fc93b6288b4fc253ea5b3e20Stage 1 VBScript payload (Sila semak bil anda.vbs)
- md57849061c536a3efb05a56d504694e7e7Stage 1 VBScript payload (6oy.vbs)
- md579ecd61b09b0f2d54b34586c916c4ec9Stage 1 VBScript payload (sac8.vbs)
- md57f16449cd0c4862d1eadf8a5742bf09aStage 1 VBScript payload (payload_1.vbs)
- md57f81c1bc8cfd588e8998968e2621456eStage 1 VBScript payload (Outstanding Payment List.vbs)
- md58c3322009b8982663c0cbecd9492e7ebStage 1 VBScript payload (0lf.vbs)
- md58c6d9fc389ad3f20ccbc71d77eb39bfaStage 1 VBScript payload (btksfmsi.vbs)
- md5993f4c0cadbc769a4b0ed62a918db58dStage 1 VBScript payload (Financial Reports(s).vbs)
- md59d9ac85765e4a818a3ccabe2cf4fef82Stage 1 VBScript payload (Debt Statement.vbs)
- md59f13c7b8ba391b2f597874e54d310648Stage 1 VBScript payload (Electronic statement(A).vbs)
- md5b7cd06c71465038b658a6dc1f273a507Stage 1 VBScript payload (Debt confirmation.vbs)
- md5c7f38cbb99c8b74fa0465293feeba700Stage 1 VBScript payload (Financial Reports.vbs).
- md5d01cad98dd0d01b75e04e784953c5e2bStage 1 VBScript payload (sleestak_payload_1.vbs)
- md5d06333c360b51456f427e616c3c5f8bdStage 1 VBScript payload (Sila semak bil anda.vbs)
- md5d43fdaa1f0ee09d7e5f0f94ee9df7b6cStage 1 VBScript payload (Bitte füllen Sie das Formular für Umsatzsteuer-Nullsatz-Verkäufe aus.vbs)
- md5dad708e050632a4280cabf98ac1376b7Stage 1 VBScript payload (Outstanding Balance Sheet.vbs)
- md5ddaffe9849f7f3c79f8804adb9a6b3d5Stage 1 VBScript payload (kof.vbs)
- md5df4fa0369eaca5cec348be293890d4afStage 1 VBScript payload (Account Statement.vbs)
- md5f90ed4b2d0b67114aa89ddfed658e5c0Stage 1 VBScript payload (dfjieya.vbs)
- registry_keyHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdminRegistry key targeted by the malware to disable UAC consent prompts.
- urlhxxps://xijkwm2[.]s3[.]ap-southeast-1[.]amazonaws[.]com/baoxi[.]vbsURL used to download secondary VBScript payload.
- urlhxxps://xijkwm2[.]s3[.]ap-southeast-1[.]amazonaws[.]com/Uamk9[.]pdfURL used to download secondary payload disguised as a PDF.
Detection / HunterGoogle
What Happened
Attackers are using hacked WhatsApp accounts to send fake financial documents to the victims' contacts. When a user opens these files on a Windows computer, it triggers a hidden process that installs legitimate remote management software, giving the attackers full control over the machine. This matters because it allows attackers to steal data or install further malware without the user noticing. Users should be extremely cautious about opening unexpected files sent via WhatsApp, even from known contacts, and verify their legitimacy first.
Key Takeaways
- Malicious VBScript files are distributed via compromised WhatsApp accounts using financial-themed lures.
- The multi-stage infection chain abuses legitimate Windows utilities (curl, bitsadmin, certutil, PowerShell) to download payloads.
- Stage 2 scripts attempt to silently modify the ConsentPromptBehaviorAdmin registry key to bypass UAC prompts.
- The final payload installs a preconfigured ManageEngine Endpoint Central agent for persistent remote access.
- Infrastructure overlaps suggest a possible link to Chinese-speaking threat actors previously associated with ValleyRAT and Gh0st RAT.
Affected Systems
- Windows
- WhatsApp Desktop
- WhatsApp Web
Attack Chain
The attack begins when a victim executes a malicious VBScript received via a compromised WhatsApp account. This Stage 1 script creates a hidden working directory in C:\Users\Public\Documents\ and uses renamed Windows utilities (like curl or bitsadmin) to download secondary payloads. Stage 2 attempts to silently modify the ConsentPromptBehaviorAdmin registry key to bypass UAC and downloads a ZIP archive containing an RMM installer. Finally, Stage 3 extracts the archive and uses msiexec.exe to silently install a preconfigured ManageEngine Endpoint Central agent, granting the attacker persistent remote access.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but offers behavioral indicators, file paths, and network IOCs that can be used to create custom detection logic.
Detection Engineering Assessment
EDR Visibility: High — EDR solutions have strong visibility into process creation (WScript spawning from WhatsApp), registry modifications (UAC bypass attempts), and file drops in public directories. Network Visibility: Medium — Network telemetry can detect downloads from suspicious domains or S3 buckets, as well as C2 traffic to the ManageEngine servers, though HTTPS may obscure the payload. Detection Difficulty: Moderate — While the use of legitimate RMM tools and LOLBins (curl, bitsadmin) blends in with normal administrative activity, the specific process ancestry (WhatsApp -> WScript) and UAC registry modifications are highly anomalous.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon Event ID 1)
- Registry Value Set (Sysmon Event ID 13)
- File Creation (Sysmon Event ID 11)
- Network Connection (Sysmon Event ID 3)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for WScript.exe being spawned as a child process of WhatsApp Desktop (WhatsApp.Root.exe), which indicates potential execution of malicious attachments. | Process Creation | Execution | Low |
| If you have visibility into registry events, look for modifications to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin, especially by script interpreters. | Registry Modifications | Privilege Escalation | Low |
| Evaluate whether wscript.exe or cmd.exe is creating hidden directories or dropping files in C:\Users\Public\Documents. | File Creation | Defense Evasion | Low |
| Consider hunting for the execution of msiexec.exe with arguments containing 'ENABLESILENT=yes' and 'UEMSAgent.msi', particularly if initiated by wscript.exe. | Process Creation | Persistence | Medium |
| Look for the removal of the Zone.Identifier alternate data stream using cmd.exe and the del command, which is often used to bypass Mark-of-the-Web protections. | Process Creation | Defense Evasion | Low |
Control Gaps
- Lack of application control preventing script execution from user profile directories
- Insufficient monitoring of legitimate RMM tool installations
Key Behavioral Indicators
- WScript.exe spawned by WhatsApp.Root.exe
- Renamed Windows utilities (curl.exe, bitsadmin.exe) executing from C:\Users\Public\Documents\
- Repeated attempts to modify ConsentPromptBehaviorAdmin in a loop
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking the identified C2 IP addresses and malicious domains at the perimeter firewall or web proxy.
- If your EDR supports it, search for and isolate endpoints communicating with the known ManageEngine Endpoint Central C2 IPs.
Infrastructure Hardening
- Evaluate whether to restrict the execution of Windows Script Host (wscript.exe/cscript.exe) for standard users.
- Consider implementing application control policies to prevent the execution of unapproved RMM tools.
- Review and enforce strict UAC policies to prevent unauthorized registry modifications that lower consent prompt requirements.
User Protection
- If applicable, configure endpoint protection to block the execution of scripts downloaded from messaging applications like WhatsApp.
- Consider changing default file associations for script files (.vbs, .js, .ps1) to open in a text editor rather than executing.
Security Awareness
- Educate users on the risks of opening unexpected attachments received via messaging apps, even from known contacts.
- Train employees to recognize social engineering lures disguised as financial documents or tax forms.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1059.005 - Command and Scripting Interpreter: Visual Basic
- T1105 - Ingress Tool Transfer
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
- T1564.001 - Hide Artifacts: Hidden Files and Directories
- T1564.004 - Hide Artifacts: NTFS File Attributes
- T1036.003 - Masquerading: Rename System Utilities
- T1219 - Remote Access Software
Additional IOCs
- Ips:
202[.]61[.]160[.]202- Attacker-controlled UEMS server IP Address202[.]61[.]160[.]137- Attacker-controlled UEMS server IP Address202[.]61[.]160[.]160- Attacker-controlled UEMS server IP Address202[.]61[.]160[.]208- Attacker-controlled UEMS server IP Address38[.]55[.]151[.]63- Attacker-controlled UEMS server IP Address
- Domains:
baoxis[.]cc- Attacker-controlled domain used for payload delivery.
- Urls:
hxxps://xijkwm2[.]s3[.]ap-southeast-1[.]amazonaws[.]com/Uamk9.pdf- URL used to download secondary payload disguised as a PDF.hxxps://xijkwm2[.]s3[.]ap-southeast-1[.]amazonaws[.]com/baoxi.vbs- URL used to download secondary VBScript payload.
- File Hashes:
b7cd06c71465038b658a6dc1f273a507(MD5) - Stage 1 VBScript payload (Debt confirmation.vbs)9f13c7b8ba391b2f597874e54d310648(MD5) - Stage 1 VBScript payload (Electronic statement(A).vbs)993f4c0cadbc769a4b0ed62a918db58d(MD5) - Stage 1 VBScript payload (Financial Reports(s).vbs)7f81c1bc8cfd588e8998968e2621456e(MD5) - Stage 1 VBScript payload (Outstanding Payment List.vbs)7403cbcc5a9c32384d431856dc48fcc9(MD5) - Stage 1 VBScript payload (Statement of debt (4).vbs)68c16c46f8afb9e00bbaba0207fb0a46(MD5) - Stage 1 VBScript payload (Debt Note (2).vbs)66442f2457eca8f47385b1fb2c6fcab8(MD5) - Stage 1 VBScript payload (Statement of Debt(30K).vbs)6359e6236471cbe434d0ef4c42b7f879(MD5) - Stage 1 VBScript payload (Applicationform1.vbs)5b6bbcc06cf08cc99e1afeda486d42fb(MD5) - Stage 1 VBScript payload (Extrato de Conciliação.vbs)5002eca748205d544618e3bd2dedc223(MD5) - Stage 1 VBScript payload (Statement of Debt(29K).vbs)4f0593e8e0e8fac49429e9b45ebf7fa1(MD5) - Stage 1 VBScript payload (Outstanding Payment List.vbs)4044e4b6471c9de7b0a4ba37d9d9df9a(MD5) - Stage 1 VBScript payload (billing statement (2).vbs)20209b3a32769afc6a75694b8d8839dd(MD5) - Stage 1 VBScript payload (Statement of Debt(A).vbs)0ba93109757776a44de9d8c88baa4963(MD5) - Stage 1 VBScript payload (Financial Reports(C1).vbs)02bb20455cc592a69c080abac770ce90(MD5) - Stage 1 VBScript payload (Le formulaire de demande le plus récent .vbs)6c39900d77dcba158e1d27c7619cb06d(MD5) - Stage 1 VBScript payload (Outstanding Balance Sheet(A).vbs)dad708e050632a4280cabf98ac1376b7(MD5) - Stage 1 VBScript payload (Outstanding Balance Sheet.vbs)05d188f071d097f5b6bd8138749b4b14(MD5) - Stage 1 VBScript payload (Penyata bank.vbs)2c6f05f1f309d89b2236e6c8b59c88f9(MD5) - Stage 1 VBScript payload (Account Statement(13K) (2).vbs)3b1aba44dd3d9b6339b6f56e2f42034b(MD5) - Stage 1 VBScript payload (Statement of Account.txt)d43fdaa1f0ee09d7e5f0f94ee9df7b6c(MD5) - Stage 1 VBScript payload (Bitte füllen Sie das Formular für Umsatzsteuer-Nullsatz-Verkäufe aus.vbs)df4fa0369eaca5cec348be293890d4af(MD5) - Stage 1 VBScript payload (Account Statement.vbs)63ac85195b73753333316a889cf5880f(MD5) - Stage 1 VBScript payload (Statement of Account(O).vbs)74fd9f91fc93b6288b4fc253ea5b3e20(MD5) - Stage 1 VBScript payload (Sila semak bil anda.vbs)d06333c360b51456f427e616c3c5f8bd(MD5) - Stage 1 VBScript payload (Sila semak bil anda.vbs)1d94fbe9cab21278cc3f104bea334d08(MD5) - Stage 1 VBScript payload (Promissory_Note(b).vbs)9d9ac85765e4a818a3ccabe2cf4fef82(MD5) - Stage 1 VBScript payload (Debt Statement.vbs)6fb6a55424adfb61e31f06aef33273e5(MD5) - Stage 1 VBScript payload (dfjieya.vbs)f90ed4b2d0b67114aa89ddfed658e5c0(MD5) - Stage 1 VBScript payload (dfjieya.vbs)8c3322009b8982663c0cbecd9492e7eb(MD5) - Stage 1 VBScript payload (0lf.vbs)66705384a7ad81d14c34fc6c054a0ecf(MD5) - Stage 1 VBScript payload (iowepv.vbs)8c6d9fc389ad3f20ccbc71d77eb39bfa(MD5) - Stage 1 VBScript payload (btksfmsi.vbs)1a3cc75466ffb1971482f7abf7aabc3f(MD5) - Stage 1 VBScript payload (home3.vbs)1c47c63e5ed25060d95359c57c77b107(MD5) - Stage 1 VBScript payload (zipats.vbs)31037a42ca048e06e69a78f55bc2eff5(MD5) - Stage 1 VBScript payload (1122.vbs)7f16449cd0c4862d1eadf8a5742bf09a(MD5) - Stage 1 VBScript payload (payload_1.vbs)79ecd61b09b0f2d54b34586c916c4ec9(MD5) - Stage 1 VBScript payload (sac8.vbs)7849061c536a3efb05a56d504694e7e7(MD5) - Stage 1 VBScript payload (6oy.vbs)ddaffe9849f7f3c79f8804adb9a6b3d5(MD5) - Stage 1 VBScript payload (kof.vbs)d01cad98dd0d01b75e04e784953c5e2b(MD5) - Stage 1 VBScript payload (sleestak_payload_1.vbs)
- File Paths:
C:\Users\Public\Documents\MSUpdate_*- Randomized hidden working directory created by Stage 1 VBScript.C:\Users\Public\Documents\Temp_*- Randomized hidden working directory created by Stage 1 VBScript.C:\Users\Public\Documents\Sys*- Randomized hidden working directory created by Stage 2 VBScript.C:\Users\Public\Documents\Data*- Randomized hidden working directory created by Stage 2 VBScript.
- Command Lines:
- Purpose: Execute initial VBScript payload from WhatsApp Desktop attachment storage. | Tools:
WScript.exe| Stage: Execution - Purpose: Modify UAC settings to disable consent prompt for administrative actions. | Tools:
cmd.exe,reg.exe| Stage: Privilege Escalation - Purpose: Remove Zone.Identifier alternate data stream to bypass security warnings. | Tools:
cmd.exe| Stage: Defense Evasion |cmd /c "del /f /q "*:Zone.Identifier"" - Purpose: Silently install ManageEngine Endpoint Central agent. | Tools:
msiexec.exe| Stage: Persistence
- Purpose: Execute initial VBScript payload from WhatsApp Desktop attachment storage. | Tools: