
"The package wrapped the legitimate WhatsApp WebSocket client in a malicious proxy layer that transparently duplicated every operation, including the ones involving sensitive data. During authentication, the wrapper captured session tokens and keys. Every message flowing through the application was intercepted, logged, and prepared for covert transmission to attacker-controlled infrastructure."
"Additionally, the stolen information was protected en route. Rather than sending credentials and messages in plaintext, the malware employs a custom RSA encryption layer and multiple obfuscation strategies, making detection by network monitoring tools harder and allowing exfiltration to proceed under the radar."
"'The exfiltration server URL is buried in encrypted configuration strings, hidden inside compressed payloads,' the researchers noted. 'The malware uses four layers of obfuscation: Unicode variable manipulation, LZString compression, Base-91 encoding, and AES encryption. The server location isn't hardcoded anywhere visible.'"
A malicious proxy layer wrapped the legitimate WhatsApp WebSocket client and duplicated every operation, including those involving sensitive data. The wrapper captured session tokens and keys during authentication. Every message processed by the application was intercepted, logged, and prepared for covert transmission to attacker-controlled infrastructure. Stolen information was protected in transit using a custom RSA encryption layer and multiple obfuscation strategies to evade network detection. The exfiltration server URL was hidden inside encrypted configuration strings and compressed payloads. The malware applied four obfuscation layers—Unicode variable manipulation, LZString compression, Base-91 encoding, and AES encryption—and did not hardcode the server location.
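The wrapping pattern described above, as an added example that is not code from the article or from the package it describes: a constructed stand-in client (`LegitClient`), a transparent `Proxy` layer (`wrapTransparently`) that forwards every call to the real client while keeping its own copy of each operation, and a defender-side check (`auditClient`) that tells a wrapped or monkey-patched client from a genuine one. All three names are assumptions for illustration; the check goes slightly beyond the page by also catching instance-level method shadowing.

```javascript
// Added example, not code from the article or the analysed package. Models the
// described risk (a transparent layer duplicating every client operation) and a
// check a defender can run to detect that a client object has been wrapped.

// Constructed stand-in for a legitimate WebSocket-style client.
class LegitClient {
  constructor() { this.sent = []; this.token = null; }
  login(token) { this.token = token; return 'authenticated'; }
  send(message) { this.sent.push(message); return true; }
}

// Transparent wrapper: the real client still does all the work, so the application
// sees no functional difference, but every method name and its arguments are also
// written to `sink` (standing in for the attacker's log of tokens and messages).
function wrapTransparently(client, sink) {
  return new Proxy(client, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      if (typeof value !== 'function') return value;
      return (...args) => {
        sink.push({ op: String(prop), args: args.map(String) });
        return value.apply(target, args);
      };
    },
  });
}

// Defender check: a genuine instance resolves its methods to the class prototype and
// carries no instance-level shadows. A Proxy wrapper returns fresh functions from its
// `get` trap, and a monkey-patched instance has own properties, so both fail here.
function auditClient(client, expectedClass, methods = ['login', 'send']) {
  const findings = [];
  if (Object.getPrototypeOf(client) !== expectedClass.prototype) {
    findings.push('prototype is not the expected class prototype');
  }
  for (const name of methods) {
    if (Object.prototype.hasOwnProperty.call(client, name)) {
      findings.push(`${name} is shadowed by an instance property`);
    }
    if (client[name] !== expectedClass.prototype[name]) {
      findings.push(`${name} does not resolve to the class method`);
    }
  }
  return findings;
}
```

Run `auditClient(client, LegitClient)` on the object the application actually uses; an empty list means the methods still resolve to the untouched class, anything else deserves a look at what loaded the module.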
Read at InfoWorld