A warning has been issued about a new piece of malware called “SORVEPOTEL” that is rapidly spreading through WhatsApp. According to Trend Micro’s research, the malware can infect a system through a single malicious ZIP file and then spread automatically through the victim’s WhatsApp session, infecting the victim’s contacts.
WhatsApp Session Hijacking
The attack begins with a WhatsApp message that looks legitimate. When the ZIP file attached to the message is opened, SORVEPOTEL runs on the device, hijacks the active WhatsApp Web session, and spreads by automatically sending the same message to the victim’s entire contact list.
According to Trend Micro’s analysis, this malware falls into the infostealer category. It can target sensitive data such as photos, messages, and contacts. Furthermore, the malicious code uses PowerShell commands to contact its command-and-control (C&C) servers and download additional components, establishing persistence on the system.
The attack chain works as follows:
- When the ZIP file is opened, a .LNK (Windows shortcut) file inside it is executed. The shortcut launches PowerShell, which downloads and executes further malicious commands in the background.
- The malware then looks for an active WhatsApp Web session and sends copies of itself to the victim’s contacts through the compromised account.
- This process continues unnoticed, spreading the threat in a chain reaction.
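One defensive check a practitioner can run against a suspicious WhatsApp attachment is to inspect the ZIP before anyone opens it. The Python script below is an added example, not code from the article or from Trend Micro: it flags archive members that have a .LNK extension or that carry the Windows shortcut (MS-SHLLINK) header regardless of their name, and reports whether the shortcut references a scripting interpreter such as PowerShell; the sample archive it builds is constructed for illustration.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Interpreter names worth flagging inside a shortcut. Strings in .LNK files
# are usually UTF-16LE, so both encodings are searched.
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript")


def inspect_zip(data: bytes) -> list:
    """Return one finding string per suspicious ZIP member: flagged on a .lnk
    extension or on the LNK header regardless of extension (renamed shortcut),
    then searched for interpreter names."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            reasons = []
            if info.filename.lower().endswith(".lnk"):
                reasons.append("lnk-extension")
            if content.startswith(LNK_MAGIC):
                reasons.append("lnk-header")
            if not reasons:
                continue
            low = content.lower()  # bytes.lower() touches ASCII letters only
            for tok in SUSPICIOUS_TOKENS:
                if tok.encode() in low or tok.encode("utf-16-le") in low:
                    reasons.append("references:" + tok)
            findings.append(info.filename + ": " + ",".join(reasons))
    return findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()

def build_sample_zip() -> bytes:
    """Constructed archive, not a real sample: a JPEG stub plus a header-only shortcut."""
    return build_zip({
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "photo2.jpg.lnk": LNK_MAGIC + b"\x00" * 8 + "powershell.exe".encode("utf-16-le"),
    })
```

Running `inspect_zip(build_sample_zip())` flags only the shortcut; the same function accepts the raw bytes of any downloaded archive.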
Experts emphasize the need to be extremely cautious, especially with messages containing ZIP attachments received through WhatsApp. Even if the sender is a known contact, it’s crucial not to open files or click on links you don’t recognize. Furthermore, precautions should be taken, such as keeping your system up to date, maintaining active antivirus software, and limiting downloads of applications from unknown sources.
This development highlights the dangers of automated threats spread through messaging apps. A single careless click could expose all the private data on your computer.