Carding
Professional
In Latin America, a new cyber threat has emerged, aimed at users' financial data.
A new financial Trojan called JanelaRAT, capable of stealing sensitive data from compromised Windows systems, has targeted Latin American users.
According to a recent report from research firm Zscaler, JanelaRAT mainly hunts for financial and cryptocurrency data from banks and financial institutions. The malware uses the DLL sideloading technique, abusing legitimate, signed executables from VMware and Microsoft to load its own library and evade security controls.
The exact beginning of the infection chain is unknown, but Zscaler specialists discovered the malicious campaign in June 2023. Attackers use an unknown vector to deliver a ZIP archive containing VBScript.
Once run, the VBScript downloads another ZIP archive from the attackers' server and drops a batch file that establishes persistence for the malware on the system. The archive contains two components: the JanelaRAT payload and a legitimate executable file, "identity_helper.exe" or "vmnat.exe", which loads the Trojan via DLL sideloading.
JanelaRAT uses string encryption and goes into a sleep mode to hinder analysis and evade detection. According to the researchers, JanelaRAT is a heavily modified version of the BX RAT Trojan released in 2014.
One of the new features of the malware is the ability to capture the titles of open windows and send them to the attackers after registering with the C2 server. JanelaRAT also tracks mouse movements, captures keystrokes, takes screenshots, and collects system metadata.
"JanelaRAT has only a subset of BX RAT functions. The developer did not implement the execution of shell commands or file and process manipulation functions," the researchers say.
Analysis of the malware's source code showed that it contains strings in Portuguese, which indicates that the author is at least proficient in the language. However, Portuguese is spoken not only in Portugal: there are about a dozen other countries in which the majority of the population speaks it. It is therefore hardly possible to accurately identify the attacker's country.
The malicious VBScript used in the attack was uploaded to VirusTotal mainly from Chile, Colombia, and Mexico.
"The use of original or modified RATs is a common practice of attackers operating in the Latin American region. JanelaRAT's focus on collecting financial data and its method of extracting window titles highlight its purposeful and secretive nature," the researchers note.
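The sideloading pattern described above (a legitimate VMware or Microsoft binary copied next to a malicious DLL) leaves a simple telemetry footprint: the named host executable, or the DLL it loads, appears outside the vendor's install directory. The following script is an added example, not code from the Zscaler report or from this post. It runs a detection over constructed image-load events in a made-up `Image=... ImageLoaded=...` format; the only values taken from the page are the host names `identity_helper.exe` and `vmnat.exe`. The trusted directory prefixes, the sample paths and the `EXAMPLE_*.dll` names are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Legitimate host binaries that the report says JanelaRAT abuses (from the page).
SIDELOAD_HOSTS = {"identity_helper.exe", "vmnat.exe"}

# Directory prefixes under which these binaries and their DLLs normally live.
# Assumption for this example; tune to the real install paths in your estate.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Constructed image-load events (not real telemetry). DLL names are placeholders.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe ImageLoaded=C:\Program Files (x86)\VMware\VMware Workstation\EXAMPLE_vendor.dll",
    r"Image=C:\Users\alice\AppData\Local\Temp\upd\vmnat.exe ImageLoaded=C:\Users\alice\AppData\Local\Temp\upd\EXAMPLE_payload.dll",
    r"Image=C:\Users\bob\Downloads\pkg\identity_helper.exe ImageLoaded=C:\Users\bob\Downloads\pkg\EXAMPLE_payload.dll",
    r"Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"Image=C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe ImageLoaded=C:\Users\bob\AppData\Local\Temp\EXAMPLE_payload.dll",
]

EVENT_RE = re.compile(r"^Image=(?P<image>.+?) ImageLoaded=(?P<dll>.+)$")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed event line into its two path fields, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"image": m["image"], "dll": m["dll"]}


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    """Lower-cased directory part of a Windows path."""
    return path.rsplit("\\", 1)[0].lower()


def is_trusted_path(path: str) -> bool:
    """True when the path starts with one of the expected vendor/system prefixes."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def detect_sideloading(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, dll, reason) findings for suspicious loads by the named hosts.

    A load is flagged when the host binary runs from outside its install tree,
    or when the DLL it loads comes from an untrusted directory. When both the
    relocated host and the DLL sit in the same directory, that matches the
    'copy the signed EXE next to the malicious DLL' layout the report describes.
    """
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        host = basename(ev["image"])
        if host not in SIDELOAD_HOSTS:
            continue
        reasons = []
        if not is_trusted_path(ev["image"]):
            reasons.append("host binary outside its install directory")
        if not is_trusted_path(ev["dll"]):
            reasons.append("DLL loaded from untrusted directory")
        if reasons and dirname(ev["image"]) == dirname(ev["dll"]):
            reasons.append("DLL sits beside the relocated host (classic sideloading layout)")
        if reasons:
            findings.append((host, ev["dll"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, dll, reason in detect_sideloading(SAMPLE_EVENTS):
        print(f"[ALERT] {host} loaded {dll}: {reason}")
```

The fourth sample (notepad.exe) shows the rule stays silent for binaries the report does not name, and the fifth shows it still fires when only the DLL, not the host, is relocated, so a legitimately installed Edge helper pulling a library from a temp directory is not missed.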