The Cyber Security Authority (CSA) has released a public alert concerning a banking malware campaign that exploits WhatsApp Web to target users on Windows systems.
The CSA advises both individuals and organisations to remain vigilant in light of this threat.
Recent discoveries by cybersecurity experts reveal a malicious attack that employs WhatsApp Web to disseminate a dangerous banking malware known as Astaroth.
This attack leverages the widespread use and inherent trust in WhatsApp to deceive users into downloading malware.
The Astaroth malware poses significant risks as it is designed to steal sensitive banking information and login credentials, threatening the security of both individuals and organisations.
The CSA’s statement underscores the evolving strategies of cybercriminals who are now using everyday digital tools to commit financial crimes.
“Threat actors initiate the attack by sending malicious ZIP files to victims through WhatsApp messages. These files are frequently disguised as authentic documents or sent with persuasive reasons to encourage users to open them.”
Once the ZIP file is extracted and executed on a Windows device, the Astaroth malware is activated. It then connects secretly to WhatsApp Web, retrieves the victim’s contact list, and automatically sends similar malicious messages to all contacts, allowing it to spread without the victim’s awareness.
In operation, the malware engages in extensive data harvesting, including stealing banking login information, one-time passwords (OTPs), browser cookies, and keystrokes.
This data can be utilised to gain unauthorised access to financial accounts, orchestrate fraud, and facilitate additional criminal activities.
The CSA recommends that users exercise caution when downloading or opening ZIP files or unexpected attachments received in WhatsApp messages, even if they appear to come from known contacts.
They should also be cautious of messages urging immediate action or enticing file downloads, as these are common tactics used in social engineering.
“Check active WhatsApp Web sessions and log out of any sessions you do not recognise. Avoid leaving WhatsApp Web signed in on shared or public computers.
Ensure that Windows operating systems and all installed applications are up to date with the latest security patches. Use reliable and updated endpoint security software capable of detecting and blocking malware activity.”
The CSA has established a 24-hour Cybersecurity/Cybercrime Incident Reporting Point of Contact (PoC) for individuals looking to report cybercrimes or seek guidance on online safety. Available contact options include: Call or Text – 292, WhatsApp – 0501603111, Email – report@csa.gov.gh.