Fake WhatsApp website drops malware targeting MacOS and Windows OS

• It drops a RAT as a final stage payload, which takes over the compromised machine remotely and performs various malicious activities.
• The fake website has been visited by over 300 visitors.

What is the issue?

Researchers observed that attackers are distributing malware to infect Mac OS and Windows OS via a malicious website disguised a WhatsApp official website. This malicious website has been visited by over 300 visitors.

The big picture

• The malicious code embedded in the fake website detects whether the operating system is Windows or MacOS.
• If it is a MacOS, then malware dubbed ‘Mac.BackDoor.Siggen.20’ get dropped into a victim’s machine via the Fake WhatsApp official website.
• If it is a Windows OS, then BackDoor.Wirenet.517 is dropped on Windows machines.
• Once on the compromised machine, the backdoor executes the malicious code from a remote server.
• After which, RAT is dropped, which takes over the compromised machine remotely and performs various malicious activities.

Worth noting

Researchers noted that the Remote Access Trojan is signed with a valid digital certificate. They further added that this malicious website and malware are not been used for a larger campaign.

“According to our information, the website spreading the backdoor under the cover of the WhatsApp messenger, was visited by about 300 visitors with unique IP addresses,” Dr. Web stated, GBHackers reported.