
WhatsApp API worked exactly as promised, and stole everything

The package wrapped the legitimate WhatsApp WebSocket client in a malicious proxy layer that transparently duplicated every operation, including those involving sensitive data. During authentication, the wrapper captured session tokens and keys. Every message flowing through the application was intercepted, logged, and prepared for covert transmission to attacker-controlled infrastructure.

Moreover, the stolen data was protected in transit. Rather than sending credentials and messages in plaintext, the malware employs a custom RSA encryption layer and several obfuscation techniques, making detection by network monitoring tools harder and allowing exfiltration to proceed under the radar.

“The exfiltration server URL is buried in encrypted configuration strings, hidden inside compressed payloads,” the researchers noted. “The malware makes use of 4 layers of obfuscation: Unicode variable manipulation, LZString compression, Base-91 encoding, and AES encryption. The server location isn’t hardcoded anywhere visible.”
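
A static triage sketch for the pattern the researchers describe, added here as an example and not taken from the article or the researchers: it flags package source that stacks several of the four named layers and uses the network without any readable endpoint. The regexes, thresholds, function names and both sample sources are assumptions constructed for illustration.

```javascript
// Added example: static triage for the four obfuscation layers quoted above.
// Patterns, thresholds and both sample sources are constructed assumptions.
const BASE91_ONLY = /^[A-Za-z0-9!#$%&()*+,.\/:;<=>?@\[\]^_`{|}~"]+$/;
const distinctSymbols = (s) =>
  new Set(s.match(/[!#$%&()*,.:;<>?@\[\]^`{|}~"]/g) || []).size; // symbols Base64 never emits

// Naive quoted-literal extractor; good enough for triage, not a real parser.
function stringLiterals(src) {
  return [...src.matchAll(/(['"`])((?:\\.|(?!\1)[^\\])*)\1/g)].map((m) => m[2]);
}

const LAYER_CHECKS = {
  // Many \uXXXX escapes in source text suggest Unicode-mangled names.
  unicodeEscapes: (src) => (src.match(/\\u(?:[0-9a-fA-F]{4}|\{[0-9a-fA-F]+\})/g) || []).length >= 5,
  lzString: (src) => /\bLZString\b|\bdecompressFrom(?:Base64|UTF16|EncodedURIComponent|Uint8Array)\b/.test(src),
  base91Literal: (src) => stringLiterals(src).some(
    (s) => s.length >= 40 && BASE91_ONLY.test(s) && distinctSymbols(s) >= 6),
  aesDecrypt: (src) => /createDecipheriv\(\s*['"]aes-/i.test(src) || /\bAES\.decrypt\s*\(/.test(src),
};

function triage(src) {
  const layers = Object.keys(LAYER_CHECKS).filter((k) => LAYER_CHECKS[k](src));
  const visibleUrl = /\b(?:https?|wss?):\/\/[\w.-]+/i.test(src);
  const usesNetwork = /\b(?:WebSocket|fetch|https?\.request|axios)\b/.test(src);
  // Stacked decoding plus network use with no readable endpoint warrants manual review.
  return { layers, visibleUrl, usesNetwork, suspicious: layers.length >= 2 && usesNetwork && !visibleUrl };
}

// Constructed, inert sample resembling the described layering (helpers are undefined).
const SAMPLE_OBFUSCATED = String.raw`
var \u0061\u0062 = require('lz-string'), \u0063 = require('crypto');
var blob = 'nX,<:WRT%yV%!5:maref3+1RrUb64^M!#$%&()*+,./:;<=>?@[]^_{|}~';
var d = \u0063.createDecipheriv('aes-256-cbc', k, iv);
var cfg = \u0061\u0062.decompressFromUTF16(unb91(blob));
new WebSocket(JSON.parse(cfg).u);
`;
// Constructed benign sample: plain client with its endpoint in the clear.
const SAMPLE_BENIGN = `
const ws = new WebSocket('wss://chat.example.test/socket');
ws.on('message', (m) => console.log(m));
`;

console.log(triage(SAMPLE_OBFUSCATED), triage(SAMPLE_BENIGN));
```

A hit is a reason to read the file by hand, not a verdict: minified bundles can trip individual checks, and the heuristic only sees source as shipped in the package.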
