A new scam targeting bank identity information and financial data is circulating on WhatsApp and was recently identified by the company’s threat intelligence team (Heimdall). The attack was named “Proofspray” and can take sensitive information without the user noticing.
In the report, Ish Technologies points out that Proofspray “represents an important risk” because of its capacity to spread through WhatsApp. The attack uses the execution method without a file, also known as “fileless”, in which the malicious code is automatically loaded into memory. It is almost imperceptible to traditional antivirus software because it leaves no traces in the computer’s files.
The scam consists of sending a malicious file to the victim. Basically, a person (known or unknown) sends a ZIP file to the target, claiming it is a bank coupon, often one said to be pending. If persuaded, the recipient downloads the file and, when the contents are extracted on the PC, code runs in PowerShell, the Windows task automation tool.
The campaign targets various market segments, Ish found. The financial sector (banks and fintechs), retailers, the corporate sector and end users are on the list of possible victims.
According to Ish, the attack collects the following data:
- Language preferences;
- Browsing history;
- Permissions given to websites;
- Bank data (card data and Pix);
- Browser autofill data;
- Cryptocurrency wallet information;
- Browser details (version, extensions and more);
- Session cookies;
- Google account descriptors.
The data is then sent to a server hosted on Cloudflare, which makes it difficult to identify and block the malicious traffic.
According to Ish, the threat is “highly automated and stealthy”. Therefore, advanced monitoring strategies and proactive mitigation actions should be applied to prevent the attack from spreading.
How to avoid being scammed on WhatsApp?
Recommendations to avoid being a victim of Proofspray are very basic: always be suspicious of attachments received by message, whatever the source. The ideal is to always confirm who sent the file by call, video or in person, through another channel.
Also, check whether your bank’s communication policy involves sending automatic messages through messaging apps. Generally, banks only use online or service tools to communicate with account holders, so coupons, quotes, fees and other notices will not arrive in WhatsApp or SMS inboxes.
Another detail is the file extension. A notification passed off as a pending bank receipt is very likely to come in a compressed file. These documents are usually presented as PDFs, but that format alone does not prove their legitimacy.
Source: Tec Mundo

I am a passionate and hardworking journalist with an eye for detail. I specialize in the field of news reporting, and have been writing for Gadget Onus, a renowned online news site, since 2019. As the author of their Hot News section, I’m proud to be at the forefront of today’s headlines and current affairs.