Malaysia's Computer Emergency Response Team (MyCert) has sounded the alarm over a sophisticated malware campaign exploiting WhatsApp's messaging platform to target local users. The threat uses deceptively crafted documents purporting to be financial statements and debt notices to lure unsuspecting victims into downloading and executing malicious code on their computers. The campaign demonstrates how cybercriminals have adapted their tactics to leverage legitimate communication channels, transforming them into vectors for infection.
The attack mechanism relies heavily on social engineering, a tactic that manipulates human psychology rather than exploiting technical vulnerabilities. Attackers send messages to potential victims through WhatsApp Web and Desktop containing what appear to be ordinary business documents related to finances or legal matters. The file names chosen by the attackers are deliberately innocuous and contextually relevant, including variations such as "Acknowledgment of Debt.vbs", "Sila semak bil anda.vbs" (which translates to "Please check your bill"), "December statement of account.vbs", and "Reconciliation.vbs". This localisation strategy—mixing English and Bahasa Malaysia filenames—suggests the campaign is specifically calibrated for Malaysian audiences and may indicate the attackers have local market knowledge.
The deception extends to file disguise. Despite names implying PDF documents or images that victims would ordinarily expect to receive from banks or creditors, the files are actually VBScript files with a .vbs extension, which Windows runs as a script rather than opening as a document. This distinction is critical because it fundamentally changes what happens when a user attempts to open the file. Rather than displaying a document, running the script triggers an automated installation sequence that downloads and installs malicious software directly onto the victim's system. Many Windows users, particularly those less familiar with file types and extensions, would not recognise this technical distinction and would proceed to open the file believing they were reviewing a standard document.
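As an added defender-side example (not code from MyCert or the article), the triage check below applies the file-disguise point to a list of download names: it flags Windows Script Host extensions paired with document-style names, and also covers the double-extension case ("statement.pdf.vbs"), which the article does not list but which Windows's default hiding of known extensions displays as a PDF. The extension sets, lure word list and sample filenames are assumptions constructed for the example.

```python
"""Download-folder triage for the WhatsApp lure described above (added example,
not MyCert's or WhatsApp's tooling). Flags names that read like a bill, statement
or debt notice but whose real extension is a Windows Script Host script."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Extensions Windows Script Host runs on double-click under default associations (assumption).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Document-style extensions a disguised file may carry before the real one ("statement.pdf.vbs").
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
# Lure words from the reported filenames (English and Bahasa Malaysia) plus common variants.
LURE_WORDS = {"debt", "bil", "bill", "statement", "account", "reconciliation", "invoice", "notice"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    script_extension: bool  # the extension Windows actually honours is a WSH script
    document_lure: bool     # the name promises a statement, bill or notice
    double_extension: bool  # "x.pdf.vbs": shown as "x.pdf" when known extensions are hidden

    def suspicious(self) -> bool:
        return self.script_extension and (self.document_lure or self.double_extension)


def assess(filename: str) -> Verdict:
    name = PureWindowsPath(filename.strip()).name.lower()
    suffixes = PureWindowsPath(name).suffixes
    real_ext = suffixes[-1] if suffixes else ""
    stem = name[: -len(real_ext)] if real_ext else name
    words = set(re.findall(r"[a-z0-9]+", stem))
    return Verdict(
        filename=filename,
        script_extension=real_ext in SCRIPT_EXTENSIONS,
        document_lure=bool(words & LURE_WORDS),
        double_extension=len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS,
    )


def triage(filenames) -> list:
    """Return the filenames that should be quarantined rather than opened."""
    return [f for f in filenames if assess(f).suspicious()]


if __name__ == "__main__":  # constructed sample: the four reported names plus controls
    sample = ["Acknowledgment of Debt.vbs", "Sila semak bil anda.vbs", "December statement of account.vbs",
              "Reconciliation.vbs", "statement.pdf.vbs", "holiday photo.jpg", "Reconciliation.pdf"]
    for f in triage(sample):
        print("QUARANTINE:", f)
```

The check is a triage aid for a downloads folder, not a substitute for blocking script execution from messaging-app directories.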
The payload installed by these scripts is particularly dangerous: a Remote Access Trojan, commonly abbreviated as RAT. This type of malware grants attackers extensive control over compromised computers. Once successfully installed, a RAT permits remote cybercriminals to access, monitor, and manipulate the victim's system from anywhere in the world as though they were physically present at the keyboard. This access survives reboots, giving the attacker a persistent foothold that remains active until the malware is specifically removed by the victim or a security professional.
What makes this specific RAT variant especially insidious is its ability to evade detection. The malware automatically disables critical security prompts and warnings that would normally alert users to suspicious activity. With these safeguards neutralised, the RAT can operate silently in the background, capturing every keystroke and screenshot the victim generates. Banking information, personal identification numbers, one-time passwords used for two-factor authentication, and login credentials are all harvested without the user's knowledge. Standard antivirus scans prove ineffective against this particular threat, as the malware is designed to cloak itself from security software detection mechanisms.
For Malaysian users particularly, the implications are severe. Malaysia has witnessed increasing financial fraud and account takeovers in recent years, and a RAT installation fundamentally compromises the security of any financial accounts accessed on that device. Attackers with remote access can monitor banking sessions in real time, intercept OTPs that arrive via SMS, and execute unauthorised transactions before victims realise what has occurred. The convergence of RAT access and financial targeting represents a complete breach of digital security.
MyCert's immediate advice focuses on prevention through vigilance. Users should categorically refuse to open or execute any files received through WhatsApp that they did not explicitly request, regardless of how legitimate the filename or sender appear. Replying to the sender should be avoided entirely, as doing so confirms to the attacker that the phone number is active and monitored by a real person—information that increases the likelihood of follow-up attack attempts. Instead, users should report suspicious messages directly through WhatsApp's built-in reporting mechanism and notify MyCert by forwarding details to [email protected], including message screenshots, timestamps, and the sender's phone number.
For users who have already opened or executed suspicious .vbs files, the situation demands immediate action. The device should be treated as compromised and disconnected from the internet at once to sever the attacker's remote connection. Users must then change every password associated with accounts they access, using a completely separate and verified clean device rather than the infected computer. Any password or sensitive information entered on the compromised system must be treated as exposed and changed regardless of whether the user notices suspicious activity.
Corporate users face additional obligations. Employees using company devices should notify their organisation's IT and security teams without delay. The RAT infection on a corporate machine potentially exposes not just personal information but also proprietary business data, customer information, and internal systems. Many organisations are now implementing mandatory incident response protocols for such scenarios, which may include device reimaging, forensic analysis, and credential rotation across the entire network.
Professional malware removal is strongly recommended for affected systems. Because this particular RAT variant actively hides from standard antivirus detection, attempting to clean an infected device with only consumer-grade security software is likely to fail. Cybersecurity professionals employ advanced tools and techniques, including kernel-level analysis and forensic examination, to locate and remove RAT components completely. Failure to remove the malware thoroughly risks allowing the attacker to maintain persistent access indefinitely.
This campaign underscores a broader vulnerability in how Malaysians interact with digital communication platforms. WhatsApp, while encrypted for message content, remains a social engineering vector because users inherently trust messages from contacts or those presenting themselves as legitimate organisations. Cybercriminals exploit this trust by crafting messages that appear urgent, contextually relevant, or official. Education remains the most effective defence: awareness campaigns emphasising file type recognition, the risks of unsolicited attachments, and proper incident reporting procedures can significantly reduce infection rates. As digital banking becomes increasingly central to Malaysia's financial system, the security implications of compromised personal devices extend far beyond individual users to potentially destabilise broader economic confidence in digital transactions.
