In Latin America (LATAM), a financial malware named JanelaRAT has emerged as a significant threat, capable of extracting sensitive information from compromised Microsoft Windows systems. Recently, researchers have identified the malware’s operation and its strategic features.
JanelaRAT is specifically designed to target financial and cryptocurrency data within the LATAM region, focusing on bank and financial institutions. The malware employs sophisticated techniques to evade detection, such as abusing DLL side-loading methods sourced from legitimate software like VMWare and Microsoft. This evasion tactic allows JanelaRAT to bypass endpoint detection mechanisms effectively.
Although the initial infection vector remains undisclosed, experts discovered the campaign in June 2023. The attack begins with the delivery of a ZIP archive file containing a Visual Basic Script (VBScript) through an unknown method.
The VBScript plays a pivotal role by fetching a second ZIP archive from the attackers’ server. Additionally, the script drops a batch file that ensures the malware’s persistence on the compromised system. The secondary ZIP archive contains two components: the JanelaRAT payload and a legitimate executable, namely identity_helper.exe or vmnat.exe. The latter executable is employed to initiate the JanelaRAT payload via DLL side-loading.
JanelaRAT implements several advanced measures to evade detection, including string encryption and the ability to transition into an idle state when necessary. This assists the malware in evading analysis. Notably, JanelaRAT is a modified version of the BX RAT, originally discovered in 2014.
Among the updated features, JanelaRAT is capable of capturing windows titles, sending them to threat actors. Prior to this action, the newly infected host is registered with the command-and-control (C2) server. The malware further possesses functionalities to track mouse inputs, record keystrokes, capture screenshots, and collect system metadata.
Interestingly, JanelaRAT offers a subset of the features found in BX RAT. The developer excluded certain functionalities related to shell commands execution, as well as file and process manipulation.
An analysis of the malware’s source code revealed the presence of strings in Portuguese, indicating the author’s familiarity with the language. The connection to LATAM is reinforced by references to banking and decentralized finance organizations, as well as the origin of VBScript uploads to VirusTotal from Chile, Colombia, and Mexico.
Researchers emphasize that the use of original or modified Remote Access Trojans (RATs) is a common practice among threat actors in the LATAM region. The focus of JanelaRAT on harvesting LATAM financial data, along with its method of extracting window titles for transmission, underscores its targeted and covert nature.