New Financial Malware 'JanelaRAT' Targets Latin American Banks and Crypto Users
Breaking: JanelaRAT Malware Campaigns Surge Across Latin America
A sophisticated Trojan named JanelaRAT is actively stealing financial and cryptocurrency data from users in Latin America, according to new threat intelligence released today. The malware, which has been operational since June 2023, specifically targets data from major banks and financial institutions in the region. Kaspersky experts warn that the threat actors behind JanelaRAT are continuously updating their techniques.

Background
JanelaRAT takes its name from the Portuguese word for 'window,' a nod to its custom title bar detection mechanism. This feature sets it apart from its predecessor, BX RAT, by allowing the malware to identify specific websites in victims' browsers and then execute malicious actions. Kaspersky solutions detect JanelaRAT as Trojan.Script.Generic and Backdoor.MSIL.Agent.gen.
Infection Chain: From Fake Invoice to Full Compromise
Initial infection begins with phishing emails that mimic pending invoice delivery, tricking recipients into clicking a malicious link that leads to a compromised website. From there, a compressed file is downloaded, typically containing VBScripts, XML files, ZIP archives, and BAT files. These components ultimately deliver a ZIP archive designed for DLL sideloading, deploying JanelaRAT as the final payload.
'The attackers are constantly evolving to evade detection,' said a Kaspersky security researcher. In the latest campaigns, the infection chain has evolved to integrate MSI files, which act as a streamlined dropper. 'We are seeing a logical progression where the number of installation steps is reduced, making the attack quicker and harder to trace,' the researcher added.

Initial Dropper and Persistence
The MSI file acts as an initial dropper, obfuscating file paths and names to hinder analysis. It uses ActiveX objects to manipulate the file system and execute malicious commands, establishing persistence on the infected system. The dropper creates shortcuts in the startup folder and stores a first-run indicator to avoid re-infection.
What This Means
Users in Latin America face an elevated risk of financial theft from these targeted attacks. Because the malware frequently changes its infection chain to stay under the radar, traditional defenses may not be enough on their own. Experts urge the use of strong anti-malware solutions, caution against clicking links in unexpected emails, and recommend verifying invoice requests through official channels. 'Vigilance is key,' the Kaspersky researcher emphasized. 'Organizations should also monitor for unusual DLL sideloading activity.'
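As an added, defender-side illustration (not code from Kaspersky or from the report), the following Python runs two checks over constructed Sysmon-style events: an unsigned DLL loaded from beside its host executable in a user-writable directory (the sideloading layout used in the infection chain) and a .lnk file written to a Startup folder (the dropper's persistence). The flattened key=value event format, the sample paths and the list of user-writable roots are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Roots an unprivileged user can write to (assumed list; extend per environment).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# Constructed events in a flattened key=value rendering of Sysmon Event ID 7
# (ImageLoad) and Event ID 11 (FileCreate); not real telemetry from the campaign.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Users\\ana\\AppData\\Roaming\\Fatura\\viewer.exe "
    "ImageLoaded=C:\\Users\\ana\\AppData\\Roaming\\Fatura\\version.dll Signed=false",
    "EventID=7 Image=C:\\Windows\\System32\\svchost.exe "
    "ImageLoaded=C:\\Windows\\System32\\version.dll Signed=true",
    "EventID=11 Image=C:\\Windows\\System32\\msiexec.exe TargetFilename=C:\\Users\\ana"
    "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "EventID=11 Image=C:\\Program Files\\Vendor\\setup.exe "
    "TargetFilename=C:\\Users\\ana\\Documents\\report.docx",
]

# Values may contain spaces, so a field runs until the next " Key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def is_sideload(ev):
    """Unsigned DLL loaded from its host EXE's own directory under a user-writable path."""
    if ev.get("EventID") != "7" or ev.get("Signed", "").lower() != "false":
        return False
    exe_dir = PureWindowsPath(ev["Image"]).parent
    dll = PureWindowsPath(ev["ImageLoaded"])
    if dll.suffix.lower() != ".dll" or dll.parent != exe_dir:
        return False
    return any(root in str(dll).lower() for root in USER_WRITABLE)

def is_startup_shortcut(ev):
    """A .lnk written into a per-user or all-users Startup folder."""
    target = ev.get("TargetFilename", "").lower()
    return ev.get("EventID") == "11" and STARTUP_DIR in target and target.endswith(".lnk")

def detect(lines):
    """Return (rule, path) pairs for every event that matches a rule."""
    hits = []
    for ev in map(parse_event, lines):
        if is_sideload(ev):
            hits.append(("dll_sideload", ev["ImageLoaded"]))
        elif is_startup_shortcut(ev):
            hits.append(("startup_shortcut", ev["TargetFilename"]))
    return hits
```

Calling `detect(SAMPLE_EVENTS)` flags the first and third events and leaves the two benign ones alone; in practice the rules would be tuned against known-good software that legitimately ships DLLs beside its executable.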