Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label JanelaRAT. Show all posts
phishing
Banks Brazil Data JanelaRAT malware Mexico phishing

JanelaRAT Malware Attacks Banks in Brazil and Mexico, Steals Data


Banks in Latin American countries such as Mexico and Brazil have been victims of continuous malware attacks by a strain called JanelaRAT. 

An upgraded variant of BX RAT, JanelaRAT, can steal cryptocurrency and financial data from financial organizations, trace mouse inputs, log keystrokes, collect system information, and take screenshots.  

In a recent report, Kaspersky said, “One of the key differences between these trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims' browsers and perform malicious actions.” The hackers behind the JanelaRAT attacks constantly modify the malware versions by adding new features. 

Security

Telemetry data collected by a Russian cybersecurity firm suggests that around 11,695 attacks happened in Mexico and 14,739 in Brazil in 2025. We do not know how many of these led to a successful exploit. 

In June 2023, Zscaler first discovered JanelaRAT in the wild, leveraging ZIP archives containing a VBScript to download another ZIP file, which came with a genuine executable and a DLL payload. The hacker then deploys the DLL side-loading tactic to launch the malware. 

Distribution tactic

An analysis by KPMG in 2025 revealed that the malware is circulated via rogue MSI installer files impersonating as a legit software hosted on trusted sites like GitLab. 

"Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch,” KPMG said. "These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components."

The scripts are also made to recognize installed Chromium-based browsers and secretly configure their launch parameters to install the extension. The browser add-on collects system data, cookies, browsing history, tab metadata, and installed extensions. It also triggers actions depending upon URL pattern matches. 

Phishing campaign

The recent malware campaign found by Kaspersky reveals that phishing emails disguised as due invoices are used to lure recipients into downloading a PDF file by opening a link, causing the download of a ZIP archive that starts the attack chain, including DLL side-loading to deploy JanelaRAT.

Since May 2024, JanelaRAT malware has moved from VBScripts to MSI installers, which work as a dropper for the trojan via DLL side-loading and build persistence in the victim system by making a Windows Shortcut (LNK) in the Startup folder that leads to the executable. 

Victim tracking

According to Kaspersky, “The malware determines if the victim's machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input.” 

If the inactivity is over ten minutes, “the malware notifies the C2 by sending the corresponding message. Upon user activity, it notifies the threat actor again. This makes it possible to track the user's presence and routine to time possible remote operations," Kaspersky said.

Read more »
Subscribe to: Comments (Atom)