WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool

A malicious campaign is distributing Visual Basic Script (VBScript) files through WhatsApp direct messages, ultimately installing the ManageEngine Remote Monitoring and Management (RMM) tool. Kaspersky researchers identified this active campaign, which targets users of WhatsApp Desktop and WhatsApp Web. The VBScript files are disguised as legitimate documents, aiming to trick recipients into executing them. Upon execution, the script downloads and installs the ManageEngine RMM tool, which attackers can then leverage for unauthorized access and control of the victim's system. The campaign has been observed targeting users in Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, and Australia. This method exploits the trust users place in direct messages and the perceived legitimacy of RMM software, which is often used for IT support. The attackers are essentially using a legitimate tool for malicious purposes, making detection more challenging. The use of VBScript indicates a reliance on Windows-based systems for this attack vector.