WhatsApp Web–Based Banking Malware Campaign Targeting Windows Users

Background

Cybersecurity experts have discovered a new malware attack that uses WhatsApp Web on Windows computers to spread a dangerous banking malware called Astaroth. In this attack, criminals take advantage of the popularity of WhatsApp and the trust people place in it to trick users into infecting their own devices. This malware is especially dangerous because it is designed to steal banking details and login information, putting individuals and organisations at serious risk. The campaign shows how cybercriminals are changing their methods and using everyday digital tools to carry out financial crimes.

Modus Operandi

  • Threat actors initiate the attack by sending malicious ZIP files to victims through WhatsApp messages.
  • These files are often disguised as legitimate documents or shared under convincing pretexts to encourage users to download and open them.
  • Once the ZIP file is extracted and executed on a Windows device, the Astaroth malware is installed.
  • After installation, the malware silently connects to WhatsApp Web, where it retrieves the victim’s contact list and automatically sends similar malicious messages to all contacts, thereby propagating itself without the victim’s knowledge.
  • In the background, the malware conducts extensive data harvesting activities, including the theft of banking login credentials, one-time passwords (OTPs), browser cookies, and keystrokes.
  • This information can be used to gain unauthorized access to financial accounts, commit fraud, and facilitate further criminal activity.

Recommendation

  • Exercise caution when downloading or opening ZIP files or unexpected attachments received via WhatsApp, even if they come from known contacts.
  • Be cautious of messages that call for immediate action or require file downloads, as these are commonly used social engineering tactics.
  • Check active WhatsApp Web sessions and log out of any you do not recognise. Avoid leaving WhatsApp Web signed in on shared or public computers.
  • Ensure that Windows operating systems and installed applications are kept up to date with the latest security patches.
  • Use reputable and up-to-date endpoint security software capable of detecting and blocking malware activity.
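The recommendations above ask users to treat ZIP attachments received over WhatsApp with caution. As an added example (not part of the CSA advisory, and not code taken from any analysis of the campaign), the following Python script shows a simple defensive triage check that an analyst or help desk could run on a received ZIP before anyone opens it. It flags entries with executable extensions, document-named double extensions such as name.pdf.exe, entries that carry a Windows PE ("MZ") header behind a harmless-looking extension, and entry names that attempt path traversal. The sample archives are constructed inline for the example; the extension lists and function names are assumptions made for the example, not indicators published by the CSA.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Extensions that should not appear inside a "document" ZIP shared over chat
# (assumed list for this example, not an indicator list from the advisory).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jse", ".wsf", ".hta", ".lnk", ".msi", ".dll", ".cpl", ".jar",
}
# Extensions commonly used as the decoy half of a double extension (assumed).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def _extensions(name: str) -> List[str]:
    """Return all extensions of the entry's base name, e.g. ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_entry(name: str, head: bytes) -> Optional[str]:
    """Return a reason string if the entry looks dangerous, else None."""
    parts = name.replace("\\", "/").split("/")
    if name.startswith(("/", "\\")) or ".." in parts:
        return "path traversal in entry name"
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            return f"double extension: document decoy ending in {last}"
        return f"executable extension {last}"
    # A PE image starts with the two bytes 'MZ' regardless of its file name.
    if head.startswith(b"MZ"):
        return f"Windows PE header behind non-executable extension {last or '(none)'}"
    return None


def triage_zip(data: bytes) -> List[Dict[str, str]]:
    """Inspect every file entry in a ZIP (given as bytes) without extracting it to disk."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the first two bytes are needed for the MZ check
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append({"entry": info.filename, "reason": reason})
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(triage_zip(data))


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives: one mimicking a disguised attachment, one benign.
SUSPICIOUS_ZIP = make_zip({
    "Invoice_2025.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,  # fake PE image, decoy name
    "README.txt": b"hello",
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,             # PE bytes behind an image name
    "../evil.txt": b"x",                                   # traversal entry name
})
CLEAN_ZIP = make_zip({"report.pdf": b"%PDF-1.4 ...", "notes/summary.txt": b"ok"})

if __name__ == "__main__":
    for finding in triage_zip(SUSPICIOUS_ZIP):
        print(f"{finding['entry']}: {finding['reason']}")
    print("clean archive suspicious?", is_suspicious(CLEAN_ZIP))
```

The check deliberately reads only the first two bytes of each entry and never writes anything to disk, so it can be run on an untrusted archive from a quarantine folder; a more complete version would also cap decompressed sizes and hand suspicious files to the endpoint security product rather than opening them.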

Contact the Cyber Security Authority

The CSA operates 24-hour Cybersecurity/Cybercrime Incident Reporting Points of Contact (PoC) for reporting cybercrimes and for seeking guidance and assistance on online activities:

  • Call or Text – 292
  • WhatsApp – 0501603111
  • Email – report@csa.gov.gh

Issued by Cyber Security Authority
January 27, 2025
Ref: CSA/CERT/MPA/2026-01/01