Ethical Hacking News
WhatsApp malware 'Maverick' has been discovered hijacking browser sessions to target Brazil's biggest banks, and it bears similarities to the existing banking malware Coyote. The campaign is attributed to a threat actor tracked as Water Saci and abuses WhatsApp's messaging platform for stealthy, self-propagating attacks.
Maverick hijacks browser sessions to target Brazilian banks. It is delivered by a self-propagating component, SORVEPOTEL, which spreads through WhatsApp Web. Rather than breaking WhatsApp Web's authentication, the malware reuses the victim's already-authenticated session, so it reaches the account without a QR code scan and without the login event that would trigger a security alert. Maverick also implements a remote control mechanism with real-time monitoring and command execution. Its command channel runs over email: the operator must manually enter a one-time authentication code at each mailbox login to retrieve the C2 server URL from which commands are then fetched. The backdoor supports a wide range of commands covering system information, file operations, screenshots, process control and self-update.
Another banking-malware campaign has come to light, this time involving a WhatsApp-borne malware dubbed "Maverick". According to recent reports from CyberProof and Trend Micro, Maverick hijacks browser sessions in order to target the biggest banks in Brazil. It is not an isolated finding: the malware bears striking similarities to another banking trojan, Coyote, and both have been linked to the threat actor tracked as Water Saci.
Maverick was first documented by Trend Micro early last month, which attributed it to the Water Saci threat actor. The campaign involves two components. The first is a self-propagating malware referred to as SORVEPOTEL, which spreads via the desktop web version of WhatsApp and serves as the delivery mechanism for the second component, the Maverick payload. Once installed, Maverick monitors active browser window tabs for URLs that match a hard-coded list of financial institutions in Latin America.
When a tab matches, Maverick contacts a remote server to fetch follow-on commands that gather system information and serve phishing pages to steal credentials. The propagation component does not need to break WhatsApp Web's authentication: it hijacks the victim's already-authenticated WhatsApp Web session in the existing browser profile, so it reaches the account immediately, without a QR code scan and without the fresh login event that would otherwise trigger a security alert.
Furthermore, Maverick implements a remote control mechanism that lets the adversary pause, resume and monitor the WhatsApp propagation in real time. Instead of a conventional HTTP-based channel, the malware opens IMAP connections to terra.com[.]br email accounts using hard-coded email credentials and retrieves its commands from the mailbox.
This indirection comes at a cost to the operator: each login to the mailbox requires the threat actor to manually enter a one-time authentication code before the inbox can be read and the current C2 server URL saved, which introduces operational delays. The backdoor then periodically polls that C2 server for instructions. The supported commands are as follows -
INFO, to collect detailed system information
CMD, to run a command via cmd.exe and export the results of the execution to a temporary file
POWERSHELL, to run a PowerShell command
SCREENSHOT, to take screenshots
TASKLIST, to enumerate all running processes
KILL, to terminate a specific process
LIST_FILES, to enumerate files/folders
DOWNLOAD_FILE, to download files from the infected system
UPLOAD_FILE, to upload files to the infected system
DELETE, to delete specific files/folders
RENAME, to rename files/folders
COPY, to copy files/folders
MOVE, to move files/folders
FILE_INFO, to get detailed metadata about a file
SEARCH, to recursively search for files matching specified patterns
CREATE_FOLDER, to create folders
REBOOT, to initiate a system restart with 30-second delay
SHUTDOWN, to initiate a system shutdown with 30-second delay
UPDATE, to download and install an updated version of itself
CHECK_EMAIL, to check the attacker-controlled email for new C2 URLs
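The IMAP command channel described above gives defenders something concrete to hunt for: a process that is not a mail client opening IMAP connections (TCP 143 or 993) to the mail provider named in the reporting. The following Python script is an added example written for this article, not code from Trend Micro, CyberProof or the threat actor. It runs detection logic over a handful of constructed Sysmon-style network-connection records (process names, paths, PIDs, IPs and timestamps are invented), flags non-mail-client processes speaking IMAP to terra.com[.]br hosts, and marks repeated connections from one process within a short window as possible polling. The mail-client allowlist, the 15-minute window and the three-connection threshold are assumptions for illustration, not values taken from the reports.

```python
"""Hunt for mail-based C2 (as in Maverick's IMAP channel) in network telemetry.

Added example for this article; not code from any vendor report or the malware.
All events below are constructed samples, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

IMAP_PORTS = {143, 993}
# Processes expected to speak IMAP. ASSUMPTION: tune to the environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Mail provider domain named in the reporting as the command mailbox host.
C2_MAIL_DOMAINS = ("terra.com.br",)

# Constructed Sysmon Event ID 3-style records, one per line, key=value fields.
# Paths, PIDs, hostnames, the 203.0.113.45 address (TEST-NET-3) and times are invented.
SAMPLE_EVENTS = r"""
UtcTime=2025-11-10 13:00:01 ProcessId=4120 Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE DestinationHostname=imap.terra.com.br DestinationPort=993
UtcTime=2025-11-10 13:00:05 ProcessId=5588 Image=C:\Users\ana\AppData\Roaming\updater\svc.exe DestinationHostname=imap.terra.com.br DestinationPort=993
UtcTime=2025-11-10 13:05:06 ProcessId=5588 Image=C:\Users\ana\AppData\Roaming\updater\svc.exe DestinationHostname=imap.terra.com.br DestinationPort=993
UtcTime=2025-11-10 13:10:07 ProcessId=5588 Image=C:\Users\ana\AppData\Roaming\updater\svc.exe DestinationHostname=imap.terra.com.br DestinationPort=993
UtcTime=2025-11-10 13:00:09 ProcessId=7001 Image=C:\Program Files\Google\Chrome\Application\chrome.exe DestinationHostname=web.whatsapp.com DestinationPort=443
UtcTime=2025-11-10 13:01:00 ProcessId=5588 Image=C:\Users\ana\AppData\Roaming\updater\svc.exe DestinationHostname=203.0.113.45 DestinationPort=443
"""

# key=value pairs where values may contain spaces (e.g. "Program Files");
# a value ends where the next " key=" begins or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def load_events(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def basename(image):
    """Lower-cased file name of an Image path, Windows or POSIX separators."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_c2_mail_host(host):
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in C2_MAIL_DOMAINS)


def find_imap_c2(events, min_polls=3, window=timedelta(minutes=15)):
    """Return one finding per (pid, image) that is not an allowed mail client
    yet connects over an IMAP port to the named mail domain. 'beaconing' is set
    when at least min_polls such connections fall inside the window
    (ASSUMPTION: the reports give no polling interval; this is a generic heuristic)."""
    by_proc = defaultdict(list)
    for ev in events:
        try:
            port = int(ev.get("DestinationPort", ""))
        except ValueError:
            continue
        if port not in IMAP_PORTS:
            continue
        image = basename(ev.get("Image", ""))
        if image in MAIL_CLIENTS:
            continue
        if not is_c2_mail_host(ev.get("DestinationHostname", "")):
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        by_proc[(ev.get("ProcessId"), image)].append(ts)

    findings = []
    for (pid, image), times in sorted(by_proc.items()):
        times.sort()
        beaconing = len(times) >= min_polls and (times[-1] - times[0]) <= window
        findings.append({"pid": pid, "image": image,
                         "connections": len(times), "beaconing": beaconing})
    return findings


def run_sample():
    """Apply the hunt to the constructed sample events."""
    return find_imap_c2(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[!] pid={f['pid']} {f['image']} IMAP->{C2_MAIL_DOMAINS[0]} "
              f"x{f['connections']} beaconing={f['beaconing']}")
```

On the sample, Outlook's IMAP session to the same provider is allowlisted and Chrome's HTTPS session to web.whatsapp.com is ignored, while svc.exe running from a user's AppData directory is reported with three IMAP connections in ten minutes. The same predicate (IMAP port, destination domain, process not in the mail-client allowlist) translates directly into an EDR or SIEM query; the allowlist is the part that needs tuning per environment.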
The campaign's reach is driven by WhatsApp's popularity in Brazil, where it has over 148 million active users, making Brazil its second-largest market in the world after India. The operators appear to belong to an existing Brazilian cybercriminal ecosystem long known for distributing banking trojans.
The link between the Maverick and Coyote campaigns points to a broader shift in how banking trojans propagate. Threat actors have moved from traditional payload delivery to abusing legitimate browser profiles and messaging platforms such as WhatsApp for stealthy, scalable spread.
As cybersecurity firms continue to uncover new threats, individuals and organizations alike need to remain vigilant and take proactive measures against campaigns of this kind: keep software up to date, use reputable endpoint protection, treat unexpected links and attachments with suspicion even when they arrive from known contacts over WhatsApp, and back up important data regularly.
In conclusion, the discovery of Maverick highlights how quickly cyber threats evolve and why staying informed about emerging threats matters. Defending against campaigns like this one depends on staying proactive rather than reacting after the fact.
Related Information:
https://www.ethicalhackingnews.com/articles/WhatsApp-Malware-Maverick-Hijacks-Browser-Sessions-to-Target-Brazils-Biggest-Banks-ehn.shtml
https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html
https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/
https://www.pcrisk.com/removal-guides/34049-sorvepotel-malware
https://malware-guide.com/blog/remove-sorvepotel-malware
https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html
https://thehackernews.com/2025/10/researchers-warn-of-self-spreading.html
Published: Tue Nov 11 13:15:39 2025 by llama3.2 3B Q4_K_M