WhatsApp ‘Eternidade’ Trojan Worms Through Brazil


According to Dark Reading, a sophisticated Trojan called “Eternidade” is spreading as a worm through WhatsApp in Brazil, specifically targeting banking credentials. Security researchers at LevelBlue penetrated the command-and-control infrastructure and found approximately 10,000 infected systems. The malware automatically grabs victims’ WhatsApp contacts and sends personalized messages using recipients’ names and time-appropriate Portuguese greetings. Interestingly, newer variants are written in Python instead of PowerShell, suggesting potential multiplatform expansion. The Trojan checks for Brazilian Portuguese language settings and avoids corporate networks before deploying its final payload, which is written in Delphi and targets dozens of financial platforms including Bank of Brazil, Santander, and Coinbase.


Social Engineering Perfected

Here’s what makes Eternidade particularly nasty: it’s not just another spam campaign. The malware actually filters out business contacts and group chats, focusing only on personal connections. That’s smart targeting. When it sends messages, it personalizes them with the recipient’s name and includes “Good morning/afternoon/evening” in Portuguese based on the actual time. Basically, it’s doing everything right from a social engineering perspective to appear legitimate. Who’s going to suspect a personalized greeting from a friend?

Brazil’s Unique Cybercrime Ecosystem

The Delphi programming language angle is fascinating. Karl Sigler from LevelBlue explains that Brazil has a somewhat isolated tech environment – it is the only Portuguese-speaking country in Latin America, and its education programs are tailored specifically to Brazil. So while the rest of the world moved on from Delphi, Brazil’s cybercriminals stuck with it. And honestly, it makes sense for their purposes. Delphi is straightforward, easy to learn, and perfectly adequate for basic malware tasks like downloading files and gathering system information. It’s one of those odd technological evolutions that happens when a region develops its own ecosystem.

C2 Resilience and Future Threats

Now here’s the really clever part: the malware’s command-and-control resilience. The attackers hardcoded email credentials into the malware itself. If defenders take down the C2 server, the attackers can simply send an email containing the new address, and every infected system immediately knows where to fetch its next commands. We really haven’t seen that approach much before. Combine that with the shift from PowerShell to Python, and you’ve got a threat that’s both resilient and potentially multiplatform. Could we see Eternidade expanding beyond Brazil and Windows systems? The infrastructure suggests that’s exactly what the attackers are planning.
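The mail-based fallback described above only works if the infected host polls a mailbox, which gives defenders something to look for. As an added example (not code from the article or from LevelBlue’s research), the heuristic below scans endpoint network-connection records for mail-protocol connections made by processes that are not mail clients; the log format, hostnames, process names and allowlist are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports used by SMTP, IMAP and POP3 (plain and TLS variants).
MAIL_PORTS = {25, 143, 465, 587, 993, 995}
# Processes expected to talk to mail servers on a managed endpoint (assumption;
# tune to your environment).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Script hosts the article mentions for the loader (PowerShell, then Python).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe"}


@dataclass
class Conn:
    host: str       # endpoint that made the connection
    process: str    # image name, lower-cased
    dst: str        # destination hostname or IP
    port: int       # destination TCP port


def parse_line(line: str) -> Conn:
    # Constructed record format: "<endpoint> <process> <dst_host>:<port>"
    host, process, dest = line.split()
    dst, port = dest.rsplit(":", 1)
    return Conn(host, process.lower(), dst, int(port))


def classify(conn: Conn) -> Optional[str]:
    """Return a severity for mail-port traffic from non-mail processes, else None."""
    if conn.port not in MAIL_PORTS or conn.process in MAIL_CLIENTS:
        return None
    if conn.process in SCRIPT_HOSTS:
        return "high"    # script host reaching a mailbox: matches the fallback pattern
    return "medium"      # any other non-mail process speaking a mail protocol


def find_suspicious(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    hits = []
    for line in lines:
        conn = parse_line(line)
        severity = classify(conn)
        if severity:
            hits.append((severity, conn.host, conn.process, f"{conn.dst}:{conn.port}"))
    return hits


# Constructed sample telemetry; only WS-02, WS-03 and WS-05 should be flagged.
SAMPLE_LOG = [
    "WS-01 outlook.exe mail.example.com:993",
    "WS-02 powershell.exe imap.example.net:993",
    "WS-03 python.exe smtp.example.net:587",
    "WS-04 chrome.exe www.example.com:443",
    "WS-05 updater.exe imap.example.net:143",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A "high" hit alone is not proof of infection, but a PowerShell or Python process polling IMAP on a user workstation is rare enough to justify pulling the process command line and the mailbox it authenticated to.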

What This Means For Users

Look, the scary thing here isn’t just the technical sophistication – it’s the psychological manipulation. These attackers understand exactly how people use WhatsApp in Brazil. They know that messages from friends and family are trusted. They’re exploiting the very nature of social connections. And with detailed analysis available from security researchers, we can see exactly how targeted this campaign is. The lesson? Even messages that look perfectly legitimate and come from people you know could be malicious. In an environment where industrial systems and critical infrastructure increasingly rely on secure computing platforms, understanding these social engineering tactics is crucial for everyone from individual users to enterprise security teams.
