ManageEngine Endpoint Central

WhatsApp accounts were hijacked to spread fake debt notices that install remote access software, giving attackers control of victims’ PCs.

The attack starts with WhatsApp messages sent from compromised accounts. These messages typically contain only a heavily obfuscated VBScript file designed to evade detection.

Once executed, the VBScript initiates a multi-stage infection chain that ultimately results in the installation of legitimate Remote Monitoring and Management (RMM) software.

Once a victim downloads and executes the attachment, a multi-stage infection process begins.

These scripts modify the Windows Registry to disable User Account Control (UAC) protections and retrieve a ZIP archive containing ManageEngine Endpoint Central.

The command is launched using the ShellExecute method with the runas verb, causing Windows to request administrative privileges before the registry change can be applied.

These scripts modify the Windows Registry to disable User Account Control (UAC) protections

Once extracted and executed, this package installs itself silently using Windows Installer and connects back to attacker-controlled servers.

These scripts modify the Windows Registry to disable User Account Control (UAC) protections and retrieve a ZIP archive containing ManageEngine Endpoint Central.

The setup script installs it silently so the user sees nothing, then connects the newly installed agent to attacker-controlled management servers.

If a Windows user opens the malicious file, the VBScript downloads two additional scripts from attacker-controlled servers.

The attack eventually installs ManageEngine Endpoint Central, a legitimate system management tool commonly used by IT administrators to oversee devices from a centralized platform.