WhatsApp Phishing Campaign Deploys VBS Malware to Install ManageEngine Remote‑Admin Tool Across Multiple Countries
What Happened — Threat researchers at Kaspersky have observed a coordinated campaign that compromises WhatsApp accounts and uses them to send VBScript files disguised as business or financial documents. When a victim opens the file on a Windows PC, the script disables UAC, fetches additional payloads and silently installs ManageEngine Endpoint Central, giving the attacker remote administration rights.
Why It Matters for Compliance & Audit Readiness
- SOC 2 Access Control (CC6.1) requires documented user‑awareness training that covers phishing vectors, including non‑email channels such as messaging apps.
- Continuous‑compliance programs must retain evidence that security‑awareness policies are tested and updated, providing a defensible audit trail.
- Endpoint‑configuration controls (e.g., application whitelisting, UAC enforcement) are part of the Change Management and System Operations criteria; gaps here can be flagged during a SOC 2 audit.
Who Is Affected – Enterprises with remote workforces in technology, finance, professional services, and any sector where employees rely on WhatsApp for quick communication.
Recommended Actions
- Expand your security‑awareness curriculum to include WhatsApp‑based phishing scenarios and conduct regular simulated attacks.
- Enforce application‑control policies that block execution of VBS/WScript files from untrusted locations.
- Deploy endpoint detection and response (EDR) capable of flagging unauthorized installations of remote‑admin tools.
- Verify that UAC and registry hardening settings are enforced through configuration‑management tooling and are auditable.
Technical Notes – The attack chain starts with a compromised WhatsApp account delivering an obfuscated VBS file (named as invoices, billing statements, etc.). The script disables UAC via registry edits, downloads a ZIP containing ManageEngine Endpoint Central, and configures it to connect to attacker‑controlled servers. The campaign has been observed in Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. Source: BleepingComputer