Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Charming Kitten APT Focuses on Targeting Iranian Dissidents in Germany – Active IOCs
August 14, 2023Rewterz Threat Alert – Agent Tesla Malware – Active IOCs
August 15, 2023
Severity
High
Analysis Summary
In Latin America (LATAM), a financial malware named JanelaRAT has emerged as a significant threat, capable of extracting sensitive information from compromised Microsoft Windows systems. Recently, researchers have identified the malware’s operation and its strategic features.
JanelaRAT is specifically designed to target financial and cryptocurrency data within the LATAM region, focusing on bank and financial institutions. The malware employs sophisticated techniques to evade detection, such as abusing DLL side-loading methods sourced from legitimate software like VMWare and Microsoft. This evasion tactic allows JanelaRAT to bypass endpoint detection mechanisms effectively.
Although the initial infection vector remains undisclosed, experts discovered the campaign in June 2023. The attack begins with the delivery of a ZIP archive file containing a Visual Basic Script (VBScript) through an unknown method.
The VBScript plays a pivotal role by fetching a second ZIP archive from the attackers’ server. Additionally, the script drops a batch file that ensures the malware’s persistence on the compromised system. The secondary ZIP archive contains two components: the JanelaRAT payload and a legitimate executable, namely identity_helper.exe or vmnat.exe. The latter executable is employed to initiate the JanelaRAT payload via DLL side-loading.
JanelaRAT implements several advanced measures to evade detection, including string encryption and the ability to transition into an idle state when necessary. This assists the malware in evading analysis. Notably, JanelaRAT is a modified version of the BX RAT, originally discovered in 2014.
Among the updated features, JanelaRAT is capable of capturing windows titles, sending them to threat actors. Prior to this action, the newly infected host is registered with the command-and-control (C2) server. The malware further possesses functionalities to track mouse inputs, record keystrokes, capture screenshots, and collect system metadata.
Interestingly, JanelaRAT offers a subset of the features found in BX RAT. The developer excluded certain functionalities related to shell commands execution, as well as file and process manipulation.
An analysis of the malware’s source code revealed the presence of strings in Portuguese, indicating the author’s familiarity with the language. The connection to LATAM is reinforced by references to banking and decentralized finance organizations, as well as the origin of VBScript uploads to VirusTotal from Chile, Colombia, and Mexico.
Researchers emphasize that the use of original or modified Remote Access Trojans (RATs) is a common practice among threat actors in the LATAM region. The focus of JanelaRAT on harvesting LATAM financial data, along with its method of extracting window titles for transmission, underscores its targeted and covert nature.
Impact
- Sensitive Information Theft
Indicators of Compromise
Domain Name
- cnt-blackrock.geekgalaxy.com
- aigodmoney009.access.ly
- freelascdmx979.couchpotatofries.org
- 439mdxmex.damnserver.com
- 897midasgold.ddns.me
- disrupmoney979.ditchyourip.com
- kakarotomx.dnsfor.me
- skigoldmex.dvrcam.info
- i89bydzi.dynns.com
- infintymexbrock.geekgalaxy.com
MD5
- 526a0b2d142567d8078e24ab0758fad7
- e841f4691e5107fe360b1528384a96f0
- c39f75423862c1525f089a5e966b9d04
- 72c02b3181c763d0e67f060e91635a97
- 897e8483b673db70fdc5d3d111600cac
- c2f4cb0da89b4ea86ab5369a942428eb
- e56d8632db98b07d2b49423f7dd64b42
- 8b83e6b2d891cdf9250e9afd17081eab
SHA-256
- f6edcd66b7c14920bc0f820eaf537bf5ee101c91b618ea3fbbb1b8978a40a775
- cef2b3501cd53bf6eebd1f80ec0d2abcd7b8488943f51b5feac1e2d223b78c95
- e9e864184fd63731a28272c1e5d27154c74e5764bbf017b375afcc64398accc7
- ae466c8aef4fcce140a34ede8e1b7a0f2efe4daac528c3c093e2c44d08d288ef
- a670835f7c69ade92bd64535ce19e388ad906c774ac07f52b7a08b068de5b1bd
- e310b8142f342cd614065283f3219895d8c1e1b9d4ddf566c75f489fa83be05a
- 569ad9fd3a3f7797b1d5bf295bd722404c414b1a351796683b3c71fa83019995
- f1e948cf6b89ae0a0361d8494fac220f62d1481dd15315fe4aa4ee66b01f5573
SHA-1
- 142a574251873d9be9432efdd5de2ebb763fe571
- a05df139e676da07fe0b17adb4e3780b56862327
- 6092804d3e3ff007705e6b5f612d59339c8df159
- 254cccfa8d1b29073c7a5c66e121f060333db400
- 31e778378306b9ce2c1cf2ddcecbfc7d42021763
- 6b06237e92984deb88583c909841dbfc54f57ca1
- b1258dad21ff1f06504e6cc2be41d6183d2c0e0c
- ee0b392ce2df25630030cb10cb3d730d673a4b5a
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
- Conduct regular cybersecurity awareness training for employees and users, highlighting the risks associated with opening suspicious emails and clicking on unknown links.
- Ensure all systems, applications, and security software are up to date with the latest patches and updates to address known vulnerabilities.
- Implement network segmentation to isolate critical systems and sensitive data from potential infections, limiting the lateral movement of malware.
- Employ application whitelisting to restrict the execution of unauthorized software, preventing the execution of malware like JanelaRAT.
- Deploy advanced email security solutions that can detect and block phishing attempts, preventing the delivery of malicious attachments or links.
- Utilize robust endpoint protection software with behavior-based detection to identify and stop malware activity in real-time.
- Implement a centralized patch management system to ensure timely deployment of security updates across all devices.
- Enforce MFA on critical accounts and systems to add an extra layer of protection against unauthorized access.
- Implement web filtering solutions to block access to known malicious domains and URLs associated with the malware.
- Employ firewalls and intrusion detection/prevention systems to monitor network traffic and detect any suspicious activities.
- Develop a comprehensive incident response plan to outline actions to take in case of a malware outbreak, ensuring a swift and organized response.
- Implement behavioral analytics tools to detect abnormal patterns of behavior indicative of a malware infection.
- Maintain regular and encrypted backups of critical data to ensure recovery in case of data loss due to a malware attack.
- Evaluate and assess the security practices of third-party vendors and suppliers to prevent potential entry points for malware.
- Ensure compliance with relevant data protection regulations and industry standards to protect sensitive financial data.
- Implement continuous network and system monitoring to promptly detect and respond to any suspicious activities.