
Zscaler ThreatLabz has discovered a new financial malware called JanelaRAT that targets users in Latin America (LATAM). This threat captures sensitive information from compromised Microsoft Windows systems.

According to Zscaler ThreatLabz researchers, Gaetano Pellegrino and Sudeep Singh, JanelaRAT mainly targets financial and cryptocurrency data from LATAM banks and financial institutions. In addition, JanelaRAT evades detection by side-loading legitimate DLLs from legitimate sources (such as VMware and Microsoft).

It is unclear how the infection begins, but the cybersecurity company detected a ZIP archive containing a Visual Basic Script in June 2023. The VBScript retrieves a second ZIP archive from the attackers' server and drops a batch file to maintain the malware's persistence.

The ZIP archive is packed with two components, the JanelaRAT payload and a legitimate executable -- identity_helper.exe or vmnat.exe -- that's used to launch the former by means of DLL side-loading.
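The side-loading chain described above (a legitimately named, signed host executable dropped next to a malicious DLL that it loads from its own directory) leaves a recognisable trace in endpoint telemetry. The following detection sketch is an added example, not Zscaler's or the report's code: it consumes image-load records shaped like Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, SignatureStatus) and flags the two host binaries named in the report when they run from a user-writable directory and load an unsigned DLL beside themselves. The sample events, the user-writable prefix list, the VMware install path and the DLL file name are all constructed assumptions; the article does not name the malicious DLL.

```python
"""Detection sketch for the DLL side-loading pattern described in the article.

Added example, not Zscaler's code. Event fields mirror Sysmon Event ID 7
(image load); the sample events at the bottom are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Host executables the article says are abused to launch the JanelaRAT DLL.
SIDELOAD_HOSTS = {"identity_helper.exe", "vmnat.exe"}

# Assumption: directory prefixes an unprivileged user can normally write to.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


@dataclass
class ImageLoad:
    image: str           # process executable (Sysmon "Image")
    image_loaded: str    # DLL that was mapped (Sysmon "ImageLoaded")
    dll_signed: bool     # Sysmon "Signed" for the DLL
    dll_sig_status: str  # Sysmon "SignatureStatus" for the DLL, e.g. "Valid"


def in_user_writable_dir(path: str) -> bool:
    """True if the path starts with one of the assumed user-writable prefixes."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def same_directory(a: str, b: str) -> bool:
    """True if both paths live in the same directory (case-insensitive)."""
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the reasons an image-load event looks like side-loading.

    An empty list means the event matches nothing suspicious.
    """
    host = PureWindowsPath(ev.image).name.lower()
    dll = PureWindowsPath(ev.image_loaded).name.lower()
    reasons: list[str] = []
    if host not in SIDELOAD_HOSTS:
        return reasons
    if not in_user_writable_dir(ev.image):
        # Running from a normal install location: treat as expected.
        return reasons
    reasons.append(f"{host} executing from user-writable path {ev.image}")
    if dll.endswith(".dll") and same_directory(ev.image, ev.image_loaded):
        if not ev.dll_signed or ev.dll_sig_status.lower() != "valid":
            reasons.append(
                f"unsigned or invalidly signed DLL {dll} loaded from the "
                "executable's own directory"
            )
    return reasons


def triage(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious ImageLoaded path to its list of reasons."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            findings[ev.image_loaded] = reasons
    return findings


# Constructed sample telemetry (paths and DLL name are placeholders).
SAMPLE_EVENTS = [
    # Host binary dropped into a temp directory, loading an unsigned DLL beside it.
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\vmnat.exe",
              r"C:\Users\victim\AppData\Local\Temp\placeholder_payload.dll",
              False, "Unavailable"),
    # Same dropped host loading a system DLL: only the path is suspicious.
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\vmnat.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Valid"),
    # Assumed VMware install location: ignored by the heuristic.
    ImageLoad(r"C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe",
              r"C:\Program Files (x86)\VMware\VMware Workstation\vmnat.dll",
              True, "Valid"),
    # Unrelated process: ignored.
    ImageLoad(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\shell32.dll", True, "Valid"),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

The heuristic deliberately keys on location rather than on the DLL's name, because the host binary's import table decides which DLL name is searched for and that name can be any library the binary loads by relative name; on a real fleet the prefix list should be replaced with the organisation's own inventory of where those host executables are legitimately installed.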

JanelaRAT itself employs string encryption and transitions into an idle state when necessary to avoid detection and analysis. It is also a heavily modified variant of BX RAT, a trojan discovered in 2014.

Among the new features of the trojan is its ability to capture window titles and send them to the threat actors, but only after registering the newly-infected host with a command-and-control server. Additionally, JanelaRAT can track mouse inputs, log keystrokes, take screenshots, and gather system metadata.

JanelaRAT ships with just a subset of BX RAT's features, the researchers said. The JanelaRAT developer did not import the shell command execution functionality or the file and process manipulation functionalities.

A close examination of the source code found Portuguese strings, indicating that the author is familiar with the language. The strings related to banks and decentralized finance organizations, and the upload locations of the VBScript to VirusTotal, suggest a connection to LATAM, specifically Chile, Colombia, and Mexico.

A common practice among LATAM threat actors is using original or modified commodity Remote Access Trojans (RATs). The fact that JanelaRAT has focused on harvesting LATAM financial data and extracting window titles for transmission underscores its stealthy and targeted nature.
