WhatsApp Desktop users beware: CERT-In warns of malware hidden in everyday documents

Kunal Gaurav

2 min read | Updated on June 29, 2026, 09:30 IST

SUMMARY

The malware is disguised as legitimate business documents such as invoices, bank statements and payment records, making the messages appear trustworthy.

The Indian Computer Emergency Response Team (CERT-In) has warned of a "large-scale malware distribution campaign" targeting WhatsApp Desktop and WhatsApp Web users through malicious attachments sent from compromised accounts.

"It has been observed that a large-scale malware distribution campaign is targeting WhatsApp Desktop and WhatsApp Web users. The campaign distributes malicious Visual Basic Script (VBScript) files through direct messages on the platform," CERT-In said in an advisory.

The cyber security agency said threat actors are using previously compromised WhatsApp accounts to send malicious VBScript (.vbs) files directly to victims, making the messages appear legitimate and "significantly increasing the likelihood of successful compromise".

According to the advisory, the malicious files are disguised as routine business documents, including invoices, bank statements, payment records, account statements and debt notices.

The filenames are localised in several languages, including English, Portuguese, French, German and Malay, indicating what CERT-In described as "a broad targeting strategy".

The advisory said that once a victim opens the malicious attachment, the VBScript executes on the system, creates a working directory under the public documents folder, downloads additional scripts from attacker-controlled infrastructure and installs a Remote Monitoring and Management (RMM) package, allowing attackers to gain remote access to the compromised device.

"The malware also includes comments and metadata designed to imitate legitimate Microsoft Windows Update components, helping it evade suspicion," CERT-In said.

The agency warned that successful exploitation may result in "unauthorized remote access to endpoints", "credential theft", deployment of additional malware, data exfiltration, lateral movement within organisational networks, business disruption and financial losses.

CERT-In urged users to "be cautious with unexpected attachments" and "do not open attachments you were not expecting, even if they come from a friend, colleague, or family member."

Users should also "contact the sender through a phone call or separate message to confirm they intentionally sent the file" and avoid opening executable file types such as .vbs, .vbe, .exe, .bat, .cmd, .js and .ps1 received through messaging platforms.
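For security teams that want to enforce that file-type guidance on a download folder, here is an added example (not part of the CERT-In advisory or this article) that flags attachments whose effective extension is on the list above, including names dressed up as documents. The function names, the document-extension list and the sample filenames are assumptions made for illustration.

```python
"""Flag message attachments whose real extension is a script or executable type."""
import os
import tempfile
from pathlib import Path

# File types the advisory tells users not to open from messaging platforms.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1"}
# Document types a lure may imitate (constructed list, not from the advisory).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def effective_suffixes(filename: str) -> list[str]:
    """Return lower-cased suffixes as Windows would resolve the name.

    Windows ignores trailing dots and spaces, so "a.vbs. " still runs as .vbs.
    """
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    return Path(name).suffixes


def classify_attachment(filename: str) -> str:
    """Return 'block-disguised', 'block', or 'allow' for one filename."""
    suffixes = effective_suffixes(filename)
    if not suffixes or suffixes[-1] not in BLOCKED_EXTENSIONS:
        return "allow"
    # A document extension before the real one marks a disguised script.
    if any(s in DOCUMENT_EXTENSIONS for s in suffixes[:-1]):
        return "block-disguised"
    return "block"


def scan_folder(folder: str) -> dict[str, str]:
    """Map each flagged file under folder (recursively) to its verdict."""
    findings = {}
    for path in Path(folder).rglob("*"):
        if path.is_file():
            verdict = classify_attachment(path.name)
            if verdict != "allow":
                findings[path.name] = verdict
    return findings


if __name__ == "__main__":
    # Constructed sample names; point scan_folder at a real download folder in use.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("Invoice_2024.pdf.vbs", "statement.VBS", "notes.pdf"):
            Path(tmp, name).write_text("placeholder")
        for name, verdict in sorted(scan_folder(tmp).items()):
            print(f"{verdict:16} {name}")
```

The check looks only at filenames, so it complements rather than replaces the endpoint protection the advisory recommends.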

The advisory further recommended keeping operating systems, browsers and messaging applications updated, using reputable antivirus or endpoint protection software, enabling two-factor authentication on WhatsApp and other online accounts, periodically reviewing linked devices, downloading software only from official sources, and never sharing passwords, one-time passwords (OTPs) or banking credentials through messaging apps.

It also asked users to report suspicious messages to their organisations' IT or security teams and use WhatsApp's reporting and blocking features for suspected malicious accounts.

About The Author

Kunal Gaurav
Kunal Gaurav is a multimedia journalist with over seven years of experience delivering sharp, timely, and engaging news coverage. A former IT professional, Kunal earned his postgraduate diploma in journalism from the Asian College of Journalism, Chennai.
