Rewterz Threat Alert – Modified Variant of BX Rat, JanelaRAT, Targeting Financial Institutions in LATAM – Active IOCs

Severity

High

Analysis Summary

In Latin America (LATAM), a financial malware named JanelaRAT has emerged as a significant threat, capable of extracting sensitive information from compromised Microsoft Windows systems. Recently, researchers have identified the malware’s operation and its strategic features.

JanelaRAT is specifically designed to target financial and cryptocurrency data within the LATAM region, focusing on bank and financial institutions. The malware employs sophisticated techniques to evade detection, such as abusing DLL side-loading methods sourced from legitimate software like VMWare and Microsoft. This evasion tactic allows JanelaRAT to bypass endpoint detection mechanisms effectively.

Although the initial infection vector remains undisclosed, experts discovered the campaign in June 2023. The attack begins with the delivery of a ZIP archive file containing a Visual Basic Script (VBScript) through an unknown method.

The VBScript plays a pivotal role by fetching a second ZIP archive from the attackers’ server. Additionally, the script drops a batch file that ensures the malware’s persistence on the compromised system. The secondary ZIP archive contains two components: the JanelaRAT payload and a legitimate executable, namely identity_helper.exe or vmnat.exe. The latter executable is employed to initiate the JanelaRAT payload via DLL side-loading.

JanelaRAT implements several advanced measures to evade detection, including string encryption and the ability to transition into an idle state when necessary. This assists the malware in evading analysis. Notably, JanelaRAT is a modified version of the BX RAT, originally discovered in 2014.

Among the updated features, JanelaRAT is capable of capturing windows titles, sending them to threat actors. Prior to this action, the newly infected host is registered with the command-and-control (C2) server. The malware further possesses functionalities to track mouse inputs, record keystrokes, capture screenshots, and collect system metadata.

Interestingly, JanelaRAT offers a subset of the features found in BX RAT. The developer excluded certain functionalities related to shell commands execution, as well as file and process manipulation.

An analysis of the malware’s source code revealed the presence of strings in Portuguese, indicating the author’s familiarity with the language. The connection to LATAM is reinforced by references to banking and decentralized finance organizations, as well as the origin of VBScript uploads to VirusTotal from Chile, Colombia, and Mexico.

Researchers emphasize that the use of original or modified Remote Access Trojans (RATs) is a common practice among threat actors in the LATAM region. The focus of JanelaRAT on harvesting LATAM financial data, along with its method of extracting window titles for transmission, underscores its targeted and covert nature.

Impact

• Sensitive Information Theft

Indicators of Compromise

Domain Name

• myinfintyme09.geekgalaxy.com
• infintymexb.geekgalaxy.com
• cinfintymex.geekgalaxy.com
• 9mdxmex.damnserver.com
• ikmidasgold.ddns.me
• rexsrupmoney979.ditchyourip.com
• kktkarotomx.dnsfor.me
• megaskigoldmex.dvrcam.info
• izt89bydzi.dynns.com
• zeedinfintymexbrock.geekgalaxy.com

MD5

• d1684fa84602a2d560b47dfe0f0779b4
• 2cbee69042a4d85ecfe6e55639b1b42a
• da48cd57e4b45cba63716bc2d53c4c76
• 897e8483b673db70fdc5d3d111600cac
• e166bd80341871c9d752537f80584334
• 42eb945b1b881b2319a74af06b1037db
• e841f4691e5107fe360b1528384a96f0
• c39f75423862c1525f089a5e966b9d04
• 3ec6342286d5b699bc1fb2ef6598f906
• 526a0b2d142567d8078e24ab0758fad7
• 3cbe59c309f803fffdadcc69d3578a53

SHA-256

• 232930c8ab38497c67d1f2b4ca21945afb193b2d63c107d67b7d6961d990738a
• fe1fb6137b8995eac1c2d4adb928fe6dfbc479b52b19a7dba84ff5be9d730e9a
• dc919d4727bdf3834c77890da795490505c2e75d06bc205bd9f7ab73d1ddfb1a
• a670835f7c69ade92bd64535ce19e388ad906c774ac07f52b7a08b068de5b1bd
• 4fcf6d8e463adc77621dcc2ae0c1dbb8b653737e3f12a2b48f7a17ef116ff5fe
• adf1786364d43f70e70be770728b0e89b6a0ea164cd8f088dee87d32342edf97
• cef2b3501cd53bf6eebd1f80ec0d2abcd7b8488943f51b5feac1e2d223b78c95
• e9e864184fd63731a28272c1e5d27154c74e5764bbf017b375afcc64398accc7
• 16748fc7cc71ff6568a09d5ea4d4ac2fa23667b9aa9dd0766e425bb18f842aa8
• f6edcd66b7c14920bc0f820eaf537bf5ee101c91b618ea3fbbb1b8978a40a775
• c206df6a4e25c65d77a65358093d81d07072169598abb48e14e0749b12f096a6

SHA-1

• ac6de6bc3ffa762f6b511f1e04b22a5c498ec7fd
• cc7f458199e293a27090da8559c20cb291689bab
• ee9a1e0831534178bd4ed44b6aa58c7e503c9954
• 31e778378306b9ce2c1cf2ddcecbfc7d42021763
• ae7274173c2c1d5c0b94f583d4139f386183cde3
• ee5ab54197efb6c9ee3978a49caa0cc80d086b7a
• a05df139e676da07fe0b17adb4e3780b56862327
• 6092804d3e3ff007705e6b5f612d59339c8df159
• 61133c709a35a37532cc1d49a0213b827edbedb3
• 142a574251873d9be9432efdd5de2ebb763fe571
• 569e2eb0781084699b115f4502163aeea79232a3

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders