JanelaRAT is a financial malware family that targets Microsoft Windows users in Latin America (LATAM). It focuses on harvesting financial and cryptocurrency data tied to banks and other financial organizations in the region, and is adept at extracting sensitive information from compromised systems.
JanelaRAT hides from endpoint security solutions by side-loading DLLs from trusted sources like Microsoft and VMware, according to Gaetano Pellegrino and Sudeep Singh of Zscaler ThreatLabz.
The cybersecurity company, which discovered the campaign in June 2023, observed that a ZIP archive containing a Visual Basic Script is delivered through an as-yet-unidentified vector, so the precise initial infection method remains unknown. The VBScript is designed to drop a batch file that maintains the malware’s persistence and to retrieve a second ZIP archive from the attackers’ site.
This second ZIP bundle contains both the JanelaRAT payload itself and a legitimate executable (identity_helper.exe or vmnat.exe). The latter program is used to launch the JanelaRAT payload through DLL side-loading.
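As an added detection example (not code from Zscaler or from the report), the following heuristic flags the side-loading pattern described above in simplified, constructed Sysmon-style "image loaded" records: one of the two vendor binaries named in the report running outside its install location, loading an unsigned DLL, or loading a DLL from a user-writable directory. The install roots, the user-writable markers, the log format and the sample paths are assumptions made for this example.

```python
from pathlib import PureWindowsPath

# Vendor binaries the report says are abused as side-loading hosts.
ABUSED_HOSTS = {"identity_helper.exe", "vmnat.exe"}
# Assumption for this example: where those binaries are normally installed.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: path fragments that mark directories a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")

# Constructed, simplified Sysmon-style "image loaded" records; not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\identity_helper.exe"
    "|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true",
    "Image=C:\\Users\\alice\\AppData\\Roaming\\upd\\identity_helper.exe"
    "|ImageLoaded=C:\\Users\\alice\\AppData\\Roaming\\upd\\constructed.dll|Signed=false",
    "Image=C:\\Windows\\explorer.exe|ImageLoaded=C:\\Windows\\System32\\shell32.dll|Signed=true",
    "Image=C:\\Program Files (x86)\\VMware\\VMware Workstation\\vmnat.exe"
    "|ImageLoaded=C:\\Program Files (x86)\\VMware\\VMware Workstation\\constructed.dll|Signed=false",
]

def parse_record(line):
    """Split 'Key=Value|Key=Value' into a dict (constructed log format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def classify(rec):
    """Return the reasons a record looks like side-loading; [] means not flagged."""
    image = rec["Image"]
    if PureWindowsPath(image).name.lower() not in ABUSED_HOSTS:
        return []  # only the host binaries named in the report are of interest
    reasons = []
    if not image.lower().startswith(TRUSTED_ROOTS):
        reasons.append("host binary running outside its expected install root")
    if rec.get("Signed", "").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    if any(marker in rec["ImageLoaded"].lower() for marker in USER_WRITABLE):
        reasons.append("DLL loaded from a user-writable directory")
    return reasons

def scan(lines):
    """Return [(host image path, reasons)] for every flagged record."""
    flagged = []
    for line in lines:
        rec = parse_record(line)
        reasons = classify(rec)
        if reasons:
            flagged.append((rec["Image"], reasons))
    return flagged
```

Running `scan(SAMPLE_EVENTS)` flags the copy of identity_helper.exe staged under a user profile on all three checks and the in-place vmnat.exe only for loading an unsigned DLL; a real deployment would tune the roots and markers to the environment.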
To evade detection and analysis, JanelaRAT uses techniques such as string encryption and can switch to an idle mode when required. Notably, it is a heavily modified version of the BX RAT remote access trojan, which was first discovered in 2014.
One of the trojan’s recently added features is the ability to capture window titles and send them to the attackers. The compromised system is first registered with the command-and-control (C2) server. JanelaRAT’s other capabilities include monitoring mouse movements, logging keystrokes, taking screenshots, and gathering system information.
Although JanelaRAT offers a subset of BX RAT’s functionality, its author left out some capabilities, such as running shell commands and manipulating files and processes.
A closer examination of the source code revealed strings written in Portuguese, indicating that the author is fluent in that language. References to organizations in the banking and decentralized finance sectors, together with VBScript samples uploaded to VirusTotal from Chile, Colombia, and Mexico, make the LATAM connection clear.
The researchers concluded, “The employment of either original or adapted commonplace Remote Access Trojans (RATs) is a frequent strategy employed by threat actors in the LATAM region.” They added that JanelaRAT’s approach of collecting and transmitting window titles, and its narrow focus on gathering financial data from LATAM, highlight its precision and stealth.