What Happened
Kaspersky reported an ongoing phishing campaign targeting WhatsApp users across Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. The attackers compromised WhatsApp accounts and used them to send VBScript files disguised as business documents — invoices, billing statements, account notices — to contacts in the victim’s address book.
When a recipient downloads and opens the VBScript file on Windows, it fetches two additional scripts from attacker infrastructure. Those scripts disable User Account Control protections through Registry modifications and download a ZIP archive containing ManageEngine Endpoint Central, a legitimate IT management tool. The software is silently installed and configured to connect to attacker-controlled management servers, giving the scumbags remote administration access to the victim’s computer.
The attack works because the victim trusts the sender — the message comes from a compromised contact — and the file appears to be a routine business document. Once opened, the VBScript runs with the victim’s privileges and has full access to write files anywhere the user can write them.
Why Traditional Defenses Failed
Antivirus tools struggle with this attack because the payload is heavily obfuscated VBScript and the final installed software is a legitimate, digitally signed application from ManageEngine. There’s no malicious executable to flag. The attack uses Windows Script Host (wscript.exe), a built-in Windows component, to execute the initial script. User Account Control can be bypassed through Registry changes that don’t require elevated privileges.
The real problem is that Windows has no native way to restrict which programs can write files based on the program’s identity. If the user has permission to write to a folder, then every program running under that user’s security context has that same permission — including wscript.exe executing a script delivered via WhatsApp.
How FileSure Would Have Blocked It
FileSure Defend operates at the Windows kernel level as a filter driver. It intercepts every file operation — open, read, write, create, delete, rename — before the operation completes. You define rules that specify which programs can perform which operations on which file types.
For this attack, a rule blocking script interpreters and messaging clients from writing executable content would stop the infection chain at the earliest stage:
File name filter: *.exe;*.dll;*.bat;*.cmd;*.ps1;*.vbs;*.js;*.zip
Program name filter: \wscript.exe;\cscript.exe;\whatsapp.exe
Operations: Write, Create
Drive type: Hard drives, Workstations
Result: Script interpreters and WhatsApp cannot write executable files or archives. The VBScript runs, attempts to download the ZIP archive containing ManageEngine, and the write operation is blocked at the kernel level.
The payload never lands on disk. The installer never runs. The attacker never gets remote access. The user sees an error — the script failed — and the incident is logged for investigation.
This rule doesn’t rely on recognizing this specific VBScript variant or having a signature for this particular campaign. It works on the next variant that appears tomorrow morning, because it controls file operations rather than relying on threat recognition. Any script delivered via WhatsApp that tries to write executable content is blocked, regardless of obfuscation, and regardless of whether the final payload is legitimate software or custom malware.
FileSure also logs the blocked attempt with full context: which user, which program, which file, which operation, and when. Your security team gets an alert that wscript.exe just tried to write a ZIP file and was denied. That’s a clear indicator of a phishing attempt that warrants investigation — and you’re investigating a blocked attack, not cleaning up after a breach.
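To make the rule above concrete, here is a small evaluator, added here as an illustration and not FileSure's own code or configuration syntax, that applies the four rule fields to file events and emits the logged context (user, program, operation, file) for each blocked attempt. The event paths are constructed, and reading the leading backslash in the program filter as an end-of-path anchor is an assumption.

```python
import fnmatch
from collections import namedtuple

# Model of the four rule fields quoted in the post. FileSure's real rule
# syntax is not shown here, so this evaluator is an illustration only.
RULE = {
    "file_name_filter": "*.exe;*.dll;*.bat;*.cmd;*.ps1;*.vbs;*.js;*.zip",
    "program_name_filter": r"\wscript.exe;\cscript.exe;\whatsapp.exe",
    "operations": {"Write", "Create"},
}

# Fields: user (account), program (full image path), operation (e.g. Write), path (target file).
FileEvent = namedtuple("FileEvent", "user program operation path")

def _patterns(filter_str):
    return [p.lower() for p in filter_str.split(";") if p]

def file_name_matches(path, filter_str):
    # Compare only the final path component, case-insensitively.
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in _patterns(filter_str))

def program_matches(program, filter_str):
    # Assumption: a leading backslash anchors the pattern to the end of the
    # image path, so \wscript.exe matches ...\System32\wscript.exe but not
    # C:\tools\notwscript.exe.
    prog = program.replace("/", "\\").lower()
    return any(prog.endswith(pat) for pat in _patterns(filter_str))

def rule_blocks(event, rule=RULE):
    return (event.operation in rule["operations"]
            and program_matches(event.program, rule["program_name_filter"])
            and file_name_matches(event.path, rule["file_name_filter"]))

def evaluate(events, rule=RULE):
    """One log line per blocked attempt (user, program, operation, file)."""
    return [f"BLOCKED user={e.user} program={e.program} op={e.operation} file={e.path}"
            for e in events if rule_blocks(e, rule)]

# Constructed events mirroring the infection chain described above.
SAMPLE_EVENTS = [
    FileEvent("alice", r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe",
              "Create", r"C:\Users\alice\Downloads\Invoice_0423.vbs"),
    FileEvent("alice", r"C:\Windows\System32\wscript.exe", "Read",
              r"C:\Users\alice\Downloads\Invoice_0423.vbs"),
    FileEvent("alice", r"C:\Windows\System32\wscript.exe", "Write",
              r"C:\Users\alice\AppData\Local\Temp\EndpointCentral.zip"),
    FileEvent("alice", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              "Write", r"C:\Users\alice\Documents\report.docx"),
]
```

Only the WhatsApp download of the .vbs and the script's attempt to write the ZIP are reported; the read of the script and Word saving a document pass untouched.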
Start Protecting Your Systems
FileSure Defend runs on Windows systems from Server 2003 through Server 2022 and all modern Windows desktop versions. Installation takes minutes. The agent is lightweight — less than 2% CPU impact, around 50MB memory — and doesn’t conflict with antivirus or other endpoint tools.
You can start a free 21-day trial at bystorm.com and see it working in under three minutes. Install it, send yourself a test script via email, and watch the write attempt get blocked and logged. That’s the whole demo. It works exactly like that, every time, for every client.
Source: WhatsApp phishing attack uses fake business docs to hack PCs
Category: Ransomware
Tags: whatsapp phishing, vbscript malware, manageengine exploit, kernel filter driver, file system security, phishing payload delivery, zero-day defense