Crypto hackers are using WhatsApp to distribute a trojan targeting crypto holders in Brazil. Trustwave’s cybersecurity research team SpiderLabs has sounded an alert around “Eternidade Stealer” – the banking trojan that can drain crypto holdings and is presently making the rounds in Brazil.
The report by SpiderLabs explained that the threat actors are circulating the trojan disguised as fake government messages and delivery notifications on WhatsApp. Once targets engage with these malicious messages, the malware activates and starts scanning active applications to identify crypto, fintech or banking services.
“When it detects a match linked to Bradesco, BTG Pactual, Binance, Coinbase, MetaMask, Trust Wallet, or another financial brand, the malware immediately decrypts and activates its next-stage payload. Such a behavior reflects a classic banker or overlay-stealer tactic, where malicious components lie dormant until the victim opens a targeted banking or wallet application,” said the report posted on Thursday, November 20.

In malware like “Eternidade Stealer”, attackers make sure that the trojan activates only in a relevant context and otherwise remains concealed.
As per the report, Brazil-based users of crypto platforms like Bitget, ByBit, KuCoin, Kraken, BitStamp, Bitfinex, Huobi, and Gemini, among others, have been advised to exercise extreme caution when engaging with WhatsApp messages from unknown sources.
Users of crypto wallet services from Electrum, Atomic Wallet, Ledger Live, Trust Wallet, Blockchain.com, Phantom Wallet, TokenPocket, and Math Wallet are also under threat, the report noted.
Sharing a key insight, SpiderLabs said, “During investigation, we observed some samples were associated with email accounts where 2FA was not enabled by the threat actor, allowing access using only the hardcoded credentials.”
It also pointed out that the communications distributing this malware are originating from 38 global locations, including Germany, France, the U.S., and the U.K., among others.
Advising caution to crypto users in Brazil, the report said, “Eternidade Stealer is an active, evolving threat that highlights two concerning trends: the growing use of WhatsApp as a distribution vector, and the malware’s continued development. Cybersecurity defenders should remain vigilant for suspicious WhatsApp activity.”
YouTube, X, LinkedIn, and dating apps are other social networking platforms that are popular among malicious cyber actors fishing for victims, multiple previous research reports have shown.

