Maverick Malware: Actionable Report for SOC Teams

Maverick Trojan Analysis

The Maverick trojan is a sophisticated Brazilian-targeted banking malware that leverages social engineering via WhatsApp Web to deliver malicious ZIP archives containing LNK shortcuts, which trigger obfuscated PowerShell and .NET loaders for a file-less infection chain. The malware verifies that the victim system is located in Brazil (via time-zone, locale, region checks), then monitors browser sessions and targets a hard-coded list of Brazilian banks, crypto exchanges and payment platforms. Code overlaps link Maverick with the earlier Coyote Trojan campaign, yet its architecture and propagation methods represent an evolution. This report equips SOC teams with the attack flow, key indicators of compromise (IOCs), detection queries, mitigation controls, and simulation guidelines needed to defend against Maverick.

Maverick Malware Investigation

Researchers observed that Maverick’s initial infection vector is a ZIP archive delivered via WhatsApp Web, which contains a malicious LNK file. The LNK executes a PowerShell chain that downloads an initial loader from a C2 server (e.g., sorvetenopote[.]com). The loader decodes and executes a .NET assembly entirely in memory without dropping files to disk. One execution branch installs a WhatsApp infector module using Selenium and WPPConnect to hijack browser sessions and propagate itself. The second branch loads the Maverick banking payload (“Maverick.Agent”) that ensures the victim is Brazilian (time zone between UTC−5 and UTC−2, locale “pt-BR”), establishes persistence via a HealthApp-<GUID>.bat in the Startup folder, monitors browser foreground windows for a compressed/encrypted list of banking URLs, and when a match occurs, decrypts a module and executes it to perform credential theft, keylogging, screenshot capture, overlay phishing, and C2 communication. Numerous code-reuse patterns and identical AES/GZIP encryption routines tie Maverick to Coyote.

Maverick Exploit Mitigation

To defend against Maverick, SOC teams must enforce strict controls and layered defenses. Limit or block the use of WhatsApp Web for employees with access to sensitive systems. Implement phishing-awareness training focusing on ZIP attachments and shortcuts from messaging platforms. Apply strict PowerShell execution policies (e.g., restrict Unsigned scripts, log heavy usage, block IEX DownloadString patterns). Monitor for creation of unusual batch files in startup folders (e.g., “HealthApp-*.bat”). Use endpoint detection and response (EDR) solutions capable of detecting reflective .NET loading and Donut shellcode execution in memory. Block known malicious domains and C2 infrastructure such as sorvetenopote[.]com and zapgrande[.]com at DNS/firewall layers. Maintain up-to-date antivirus/EDR signatures and threat feeds, and disable or monitor automated browser-session hijacking tools.

How to Respond to Maverick Bank Malware

When a potential Maverick infection is detected, incident responders should immediately isolate the affected host and commence forensic investigation. Use detection queries in your SIEM/EDR to find PowerShell invocations of DownloadString from suspicious domains, reflective .NET in-memory execution, and subprocesses launching batch files from Startup folders. Quarantine any batch files named “HealthApp-<GUID>.bat” and block associated C2 domains and IPs. Review browser profiles for unauthorized automation tools such as ChromeDriver or Selenium. Reset banking credentials for any impacted users and enforce multi-factor authentication (MFA) on all financial services access. Ensure thorough cleanup by verifying no residual modules from Maverick. The agent remain, and conduct a full malware sweep on the network.

Maverick Trojan Payload

Simulation Instructions

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

• Attack Narrative & Commands:

  1. Initial Recon (a no‑op for the rule, omitted).
  2. C2 Contact: The adversary launches a PowerShell one‑liner that resolves zapgrande.com and performs an HTTP GET request, mimicking the malware’s beacon. This generates a Sysmon NetworkConnect event with DestinationHostname = zapgrande.com.
  3. Payload Retrieval: Immediately after the GET, the script downloads a small executable payload from the same host, stored in %TEMP%.

  The attacker uses native Invoke-WebRequest to avoid creating a separate malicious binary and to stay “living‑off‑the‑land”.

• Regression Test Script:

  # -------------------------------------------------
  # Simulation script for Maverick C2 domain contact
  # -------------------------------------------------
  $maliciousDomains = @("zapgrande.com","sorvetenopote.com")
  foreach ($domain in $maliciousDomains) {
      try {
          Write-Host "[*] Contacting C2 host: $domain"
          # Resolve DNS (creates DNS query logs)