Full Report
Kaspersky GReAT experts describe the latest JanelaRAT campaign detailing infection chain and malware functionality updates.
Analysis Summary
# Tool/Technique: JanelaRAT
## Overview
JanelaRAT is a specialized Remote Access Trojan (RAT) primarily targeting financial institutions and online banking users in the Latin American region (LATAM). It focuses on harvesting financial credentials and sensitive user data by utilizing window-title tracking and automated data exfiltration. The malware is known for its multi-staged infection chain involving DLL side-loading and the abuse of legitimate system components.
## Technical Details
- **Type:** Malware family (Remote Access Trojan)
- **Platform:** Windows
- **Capabilities:** Screen capture, keylogging, window monitoring, C2 communication, data exfiltration.
- **First Seen:** Approximately 2022 (with significant updates in late 2023/2024 campaigns).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.001 - Phishing: Spearphishing Attachment]
- **[TA0005 - Defense Evasion]**
  - [T1574.002 - Hijack Execution Flow: DLL Side-Loading]
  - [T1218.011 - System Binary Proxy Execution: Rundll32]
- **[TA0007 - Discovery]**
  - [T1010 - Application Window Discovery]
  - [T1057 - Process Discovery]
- **[TA0009 - Collection]**
  - [T1113 - Screen Capture]
  - [T1056.001 - Input Capture: Keylogging]
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols]
## Functionality
### Core Capabilities
- **Window Monitoring:** Actively scans the titles of active windows to identify when a user navigates to a banking website or financial application.
- **Data Theft:** Captures keystrokes and takes screenshots specifically when the target windows are active.
- **Information Gathering:** Collects system metadata including OS version, computer name, and installed security software.
### Advanced Features
- **Dynamic C2 Resolution:** Uses encrypted strings or specific tags within the malware code to determine C2 addresses, making it harder for static analysis to identify infrastructure.
- **Anti-Analysis:** Employs multiple layers of obfuscation and checks for the presence of sandboxes or virtual machine environments.
- **DLL Side-Loading:** Utilizes a signature-verified, legitimate executable to load a malicious DLL (the JanelaRAT payload) to bypass endpoint security products.
## Indicators of Compromise
- **File Hashes (SHA256):**
  - `9e5786479f66835de799e037cc730fed3697eb4b20723842c97486e927891823` (Malicious DLL)
  - `3da56ec236780998f483c072483ad398696874bc05669f709149451996504a57` (Infection Wrapper)
- **File Names:** `identity.dll`, `mshta.exe` (abused), `rundll32.exe` (abused).
- **Network Indicators:**
  - `http[:]//janelashost[.]com/api/`
  - `http[:]//cloudserv-latam-data[.]net/`
- **Behavioral Indicators:** Unexpected execution of `rundll32.exe` loading non-standard DLLs from `%TEMP%` or `%APPDATA%` directories.
## Associated Threat Actors
- While a specific named group (e.g., APT#) is not always attributed, the TTPs align closely with several **Brazilian-origin financial crime groups** targeting the LATAM region.
## Detection Methods
- **Signature-based:** Standard AV signatures for identified JanelaRAT samples and their corresponding side-loading loaders.
- **Behavioral:** Monitoring for "Squiblydoo" (T1218.005) or unusual DLL side-loading in paths where legitimate binaries should not be loading external dependencies.
- **YARA Rule:**

```yara
rule JanelaRAT_Detection {
    strings:
        $str1 = "get_ActiveWindow"
        $str2 = "janela"  // Portuguese for "window"
        $str3 = "PostData"
    condition:
        uint16(0) == 0x5A4D and all of them
}
```
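As an added example (not code from the report or from Kaspersky's tooling), the following Python script applies the behavioral indicator listed above to constructed Sysmon-style image-load records: it flags `rundll32.exe` or `mshta.exe` loading a DLL from the `%TEMP%` or `%APPDATA%` trees. The record format, user name, file names and paths are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample Sysmon-style "Image loaded" (Event ID 7) records, one per
# line, in a simple key=value|key=value layout. Illustrative only; not taken
# from the report.
SAMPLE_EVENTS = """\
EventID=7|Image=C:\\Windows\\System32\\rundll32.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\identity.dll|Signed=false
EventID=7|Image=C:\\Windows\\System32\\rundll32.exe|ImageLoaded=C:\\Windows\\System32\\shell32.dll|Signed=true
EventID=7|Image=C:\\Windows\\System32\\mshta.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Roaming\\update\\core.dll|Signed=false
EventID=1|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL
EventID=7|Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\plugin.dll|Signed=false
"""

# System binaries the report lists as abused in the side-loading chain.
ABUSED_HOSTS = {"rundll32.exe", "mshta.exe"}

# The %TEMP% (AppData\Local\Temp) and %APPDATA% (AppData\Roaming) trees:
# user-writable locations a system binary should not be loading DLLs from.
SUSPICIOUS_DIR_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)


def is_suspicious_load(event: dict) -> bool:
    """True when an abused host binary loads a DLL from a user-writable path."""
    if event.get("EventID") != "7":  # only image-load records are relevant
        return False
    host = PureWindowsPath(event.get("Image", "")).name.lower()
    loaded = event.get("ImageLoaded", "")
    return host in ABUSED_HOSTS and SUSPICIOUS_DIR_RE.search(loaded) is not None


def find_suspicious_loads(log_text: str) -> list:
    """Return (host_binary, loaded_dll) pairs for every matching record."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if is_suspicious_load(event):
            hits.append((PureWindowsPath(event["Image"]).name.lower(), event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for host, dll in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT: {host} loaded {dll}")
```

Running it on the constructed records reports the two loads from the user-profile directories and ignores the legitimate `shell32.dll` load and the third-party application.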
## Mitigation Strategies
- **Endpoint Protection:** Use EDR solutions to monitor for parent-child process anomalies (e.g., a browser launching a scripting engine or a system tool loading an unsigned DLL).
- **Application Whitelisting:** Enforce policies that restrict the execution of binaries from temporary or user-profile directories.
- **Email Security:** Implement robust attachment scanning and link isolation to prevent the initial infection vector.
## Related Tools/Techniques
- **Mekotio/Grandoreiro:** Other prominent LATAM banking Trojans that share similar geographical focus and side-loading TTPs.
- **DLL Side-Loading:** The primary delivery mechanism used by JanelaRAT to maintain a low profile.