PETALING JAYA: The Malaysia Computer Emergency Response Team (MyCert) has published an advisory via its website over malware being delivered via WhatsApp messages to users of WhatsApp Web and WhatsApp for Desktop.
The malware specifically targets Windows computers, with attackers using social engineering tactics by sending potential victims messages containing malicious attachments disguised as legitimate legal, debt, or financial documents.
Common file names include: "Acknowledgment of Debt.vbs", "Sila semak bil anda.vbs", "December statement of account.vbs", and "Reconciliation.vbs".
While their names may suggest that the files are PDF documents, they are in fact Visual Basic Script (.vbs) files. When opened, they automatically execute a script – a series of instructions carried out by a computer – which triggers the malware infection process.
The script installs malicious elements on a computer, such as a Remote Access Trojan (RAT), which gives attackers the ability to remotely access and control the device and maintain that access even after a reboot.
It further disables security prompts, allowing it to quietly continue malicious activities such as capturing information displayed or entered on the compromised system, including passwords, banking PINs, and one-time passwords (OTPs), without being detected by antivirus scans or alerting users.
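The advisory's core warning is that a file name written like a statement or debt notice is still a script if it ends in .vbs. The following triage check, added here as an illustration and not part of the MyCert advisory, flags an attachment name when its extension is one Windows will execute and its name or inner extension imitates a document; the extension sets, the finance/legal keyword list and the sample names from the article are assumptions for this example.

```python
import os
from typing import NamedTuple

# Extensions that Windows Script Host or the shell executes directly on double-click (assumed list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1", ".scr", ".exe", ".lnk"}
# Extensions a user would expect for a statement, bill or contract (assumed list).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Lure vocabulary taken from the advisory's sample names plus a few obvious relatives (assumed list).
FINANCE_WORDS = ("debt", "bil", "statement", "account", "reconciliation", "invoice", "payment")


class Verdict(NamedTuple):
    filename: str
    risk: str      # "high", "medium", "low" or "review"
    reason: str


def classify_attachment(filename: str) -> Verdict:
    """Rate an attachment name received over a messaging app by how much it looks like a lure."""
    name = filename.strip().rstrip(".")          # trailing spaces/dots are a common disguise trick
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()  # catches "statement.pdf.vbs"
    words = stem.lower()
    if ext in SCRIPT_EXTENSIONS:
        if inner_ext in DOCUMENT_EXTENSIONS:
            return Verdict(filename, "high", f"document extension {inner_ext} hides executable {ext}")
        if any(w in words for w in FINANCE_WORDS):
            return Verdict(filename, "high", f"finance/legal lure name with executable extension {ext}")
        return Verdict(filename, "medium", f"executable script extension {ext}")
    if ext in DOCUMENT_EXTENSIONS:
        return Verdict(filename, "low", "document extension; still verify the sender")
    return Verdict(filename, "review", f"unrecognised extension {ext or '(none)'}")


# Constructed sample input: the four names quoted in the advisory plus two control cases.
SAMPLE_NAMES = [
    "Acknowledgment of Debt.vbs",
    "Sila semak bil anda.vbs",
    "December statement of account.vbs",
    "Reconciliation.vbs",
    "statement.pdf.vbs",
    "statement.pdf",
]

if __name__ == "__main__":
    for verdict in map(classify_attachment, SAMPLE_NAMES):
        print(f"{verdict.risk:6}  {verdict.filename:36}  {verdict.reason}")
```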
MyCert advises users not to open or execute any suspicious files they receive, nor to forward them to others. Those who have already opened or run the files should consider their device compromised and take immediate steps to secure their accounts and systems.
Other recommendations include not replying to the sender, as a reply confirms that the phone number is currently active, and reporting the message both on WhatsApp and to MyCert through the Cyber999 email address (cyber999@cybersecurity.my) with screenshots of the message, its timestamp, and the sender's number.
Those with infected devices should immediately disconnect the affected device from the Internet to cut off the attacker's remote access. Those using a corporate device should also notify their organisation's IT team as soon as possible.
MyCert further advises affected users to change all passwords associated with accounts accessed on the compromised device, using a separate clean device. Any password, PIN, or other sensitive information entered on the infected system should be treated as exposed.
It also recommends seeking professional assistance to remove the malware, noting that a standard antivirus scan is unlikely to detect or remove the RAT installed by the attackers.
Information about the attack, such as the original message, links, and the estimated time and date of infection, should be reported to MyCert's Incident Report page.
