A new cyber thief has emerged in Latin America, focusing on users' financial data.
JanelaRAT, a new financial Trojan capable of stealing sensitive data from compromised Windows systems, has targeted Latin American users.
JanelaRAT, according to a recent report from the research firm Zscaler, primarily seeks financial and cryptocurrency data held with banks and financial institutions. To evade detection, the malware uses DLL sideloading, abusing legitimate application libraries from VMware and Microsoft.
The infection chain's exact beginning is unknown, but Zscaler discovered the malware campaign in June 2023. The attackers deliver a ZIP archive containing VBScript via an unknown vector.
Upon activation, the VBScript downloads another ZIP archive from the attackers' server and drops a batch file to remove the malware from the system. The archive contains the JanelaRAT payload together with a legitimate executable, "identity_helper.exe" or "vmnat.exe," which launches the Trojan through DLL sideloading.
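The sideloading pattern described above leaves a recognisable trace in image-load telemetry: a vendor-signed host binary that has been copied out of its normal install location resolves a DLL from its own directory, and that DLL carries no valid signature. The following detection logic is an added example, not code from the article or from Zscaler; it runs over a few constructed, Sysmon-style ImageLoad records. The host names come from the article; the install paths, the DLL file names (marked PLACEHOLDER) and the field layout of the records are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Legitimate, vendor-signed executables the report names as sideloading hosts.
KNOWN_HOSTS = {"identity_helper.exe", "vmnat.exe"}

# Directories where these hosts and their DLLs legitimately live.
# Assumption for this example: adjust to the environment being monitored.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


@dataclass(frozen=True)
class ImageLoad:
    image: str            # process that performed the load
    image_loaded: str     # DLL that was mapped into it
    signed: bool
    signature_status: str


_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed, Sysmon-like ImageLoad record of key="value" pairs."""
    f = dict(_FIELD.findall(line))
    return ImageLoad(
        image=f["Image"],
        image_loaded=f["ImageLoaded"],
        signed=f.get("Signed", "false").lower() == "true",
        signature_status=f.get("SignatureStatus", "Unavailable"),
    )


def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _in_trusted_dir(path: str) -> bool:
    d = _dirname(path)
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a known host, running from an untrusted location, loads an
    unsigned or badly signed DLL from its own directory."""
    if _basename(ev.image) not in KNOWN_HOSTS:
        return False
    # A host executing from its vendor install directory is the normal case.
    if _in_trusted_dir(ev.image):
        return False
    # Sideloading resolves the DLL from the host's own (relocated) directory.
    if _dirname(ev.image_loaded) != _dirname(ev.image):
        return False
    # Vendor-signed DLLs copied along with the host are not the payload.
    if ev.signed and ev.signature_status.lower() == "valid":
        return False
    return True


def find_sideloads(lines):
    return [ev for ev in map(parse_event, lines) if is_sideload_candidate(ev)]


# Constructed sample records (not real telemetry); DLL names are placeholders.
SAMPLE_EVENTS = [
    # 1. Relocated Edge helper loading an unsigned DLL beside itself: flagged.
    r'Image="C:\Users\victim\AppData\Local\Temp\upd\identity_helper.exe" '
    r'ImageLoaded="C:\Users\victim\AppData\Local\Temp\upd\PLACEHOLDER_payload.dll" '
    r'Signed="false" SignatureStatus="Unavailable"',
    # 2. Same relocated host loading a system DLL from System32: not sideloading.
    r'Image="C:\Users\victim\AppData\Local\Temp\upd\identity_helper.exe" '
    r'ImageLoaded="C:\Windows\System32\kernel32.dll" Signed="true" SignatureStatus="Valid"',
    # 3. vmnat.exe in its (assumed) install directory loading a signed vendor DLL: benign.
    r'Image="C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe" '
    r'ImageLoaded="C:\Program Files (x86)\VMware\VMware Workstation\PLACEHOLDER_vendor.dll" '
    r'Signed="true" SignatureStatus="Valid"',
    # 4. Relocated vmnat.exe loading a DLL whose signature does not verify: flagged.
    r'Image="C:\Users\victim\Downloads\vmnat.exe" '
    r'ImageLoaded="C:\Users\victim\Downloads\PLACEHOLDER_tampered.dll" '
    r'Signed="true" SignatureStatus="Invalid"',
    # 5. A host outside the rule's scope: ignored here.
    r'Image="C:\Users\victim\Downloads\other.exe" '
    r'ImageLoaded="C:\Users\victim\Downloads\x.dll" Signed="false" SignatureStatus="Unavailable"',
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE_EVENTS):
        print(f"sideload candidate: {ev.image} -> {ev.image_loaded}")
```

The rule is deliberately narrow: it only fires for the two host names the report associates with this campaign, and a relocated host that loads a properly signed DLL is left alone, so vendor libraries shipped alongside the payload do not generate noise. Widening `KNOWN_HOSTS` to any Microsoft- or VMware-signed binary is the natural next step once the signer of the host process is available in the telemetry.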
JanelaRAT uses string encryption and sleep delays to hinder detection and analysis. According to the researchers, JanelaRAT is a heavily modified version of the BX RAT Trojan, which was released in 2014.
One of the malware's new features is the ability to intercept open window titles and send them to attackers after registering on the C2 server. JanelaRAT also monitors mouse movements, keystrokes, screenshots, and collects system metadata.
According to the researchers, "JanelaRAT only includes a subset of BX RAT features; the developer did not implement shell command execution or file and process manipulation functions."
An examination of the malware's source code revealed strings in Portuguese, indicating that the author at least speaks the language. Portuguese, however, is not spoken only in Portugal; it is spoken by the majority of people in a dozen other countries, so accurately identifying the attacker's country is difficult.
VirusTotal received the malicious VBScript used in the attack primarily from Chile, Colombia, and Mexico.
The researchers note that "the use of original or modified RATs is a common practice among Latin American attackers," and that JanelaRAT's focus on collecting financial data, together with its method of extracting window titles, highlights its targeted and covert nature.