Full Report
Banks and financial institutions in Latin American countries like Brazil and Mexico have continued to be the target of a malware family called JanelaRAT. A modified version of BX RAT, JanelaRAT is known to steal financial and cryptocurrency data associated with specific financial entities, as well as track mouse inputs, log keystrokes, take screenshots, and collect system metadata. "One of the
Analysis Summary
# Tool/Technique: JanelaRAT
## Overview
JanelaRAT is a sophisticated financial Trojan and a modified variant of **BX RAT**. It primarily targets financial institutions and cryptocurrency users in Latin America, specifically Brazil and Mexico. The malware is designed to monitor user activity in real-time and intervene during banking sessions by using fake overlays and remote access capabilities to exfiltrate credentials and financial data.
## Technical Details
- **Type:** Malware family (Remote Access Trojan)
- **Platform:** Windows
- **Capabilities:** Keylogging, screen capture, DLL side-loading, browser extension injection, mouse/keyboard simulation, and credential harvesting via fake overlays.
- **First Seen:** June 2023 (by Zscaler)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- T1566.001 - Phishing: Spearphishing Attachment (ZIP archive carrying a VBScript)
- T1566.002 - Phishing: Spearphishing Link (Invoices linking to malicious archives)
- **[TA0002 - Execution]**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1204.002 - User Execution: Malicious File (MSI installers/ZIPs)
- **[TA0003 - Persistence]**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (LNK files)
- **[TA0005 - Defense Evasion]**
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- T1562.001 - Impair Defenses: Disable or Modify Tools (Task Manager manipulation)
- **[TA0007 - Discovery]**
- T1010 - Application Window Discovery (Custom title bar detection)
- **[TA0009 - Collection]**
- T1056.001 - Input Capture: Keylogging
- T1113 - Screen Capture
- T1185 - Browser Session Hijacking (Malicious Chromium extensions)
## Functionality
### Core Capabilities
- **DLL Side-Loading:** Uses legitimate executables to load malicious DLLs to evade detection.
- **Title Bar Monitoring:** Compares the active window title against a hardcoded list of bank names and only activates its malicious routines when a match (e.g., an open banking site) is found; a sandbox that never shows a matching window title will therefore observe no banking-related activity.
- **Data Exfiltration:** Steals system metadata, browser cookies, history, and financial/cryptocurrency credentials.
- **Remote Control:** Simulates mouse clicks, navigation (TAB, UP, DOWN), and executes arbitrary commands via CMD/PowerShell.
### Advanced Features
- **Browser Extension Injection:** Stealthily modifies Chromium launch parameters (`--load-extension`) to load a malicious add-on that scrapes tab metadata.
- **Fake Overlays:** Displays full-screen images (e.g., "Windows Update" screens) or bank-themed dialog boxes to block the user while harvesting credentials.
- **Stealth Mechanisms:** Manipulates the Windows Task Manager to hide its process and checks for sandboxes/automation tools before full execution.
## Indicators of Compromise
- **File Names:** MSI installers masquerading as legitimate software, ZIP archives containing VBScripts or PDFs.
- **Registry Keys:** Check for persistence entries in `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
- **Network Indicators:**
- Communications via raw TCP sockets to C2 servers.
- GitLab (historically used for hosting malicious payloads).
- **Behavioral Indicators:**
- Creation of LNK files in `%AppData%\Microsoft\Windows\Start Menu\Programs\Startup`.
- Chromium-based browsers launched with the `--load-extension` flag pointing to unexpected directories.
## Associated Threat Actors
- Unknown (Targeting Latin American financial sectors in Brazil, Mexico, Chile, and Colombia).
## Detection Methods
- **Behavioral detection:** Monitor for a well-known signed executable loading an unsigned DLL from the same user-writable directory (the side-loading pattern), and for modification of browser shortcut targets or launch parameters.
- **File Integrity Monitoring:** Detect unexpected LNK files in the Startup folder.
- **EDR/AV:** Signatures targeting the core JanelaRAT/BX RAT code base and its Go/VBS orchestrator scripts.
## Mitigation Strategies
- **Email Security:** Implement robust filtering for ZIP and MSI attachments from external sources.
- **Endpoint Hardening:** Restrict the execution of VBScripts and PowerShell scripts where not required for business operations (e.g. with AppLocker or WDAC rules and PowerShell Constrained Language Mode).
- **Browser Security:** Enforce extension policies via GPO so that only approved extensions can load (e.g. Chrome's `ExtensionInstallBlocklist` set to `*` together with an explicit `ExtensionInstallAllowlist`), and alert on browsers started with `--load-extension`.
- **User Education:** Train staff to recognize phishing emails disguised as invoices or legal documents.
## Related Tools/Techniques
- **BX RAT:** The base malware from which JanelaRAT was modified.
- **Mekotio/Grandoreiro:** Other Latin American banking Trojans that use similar overlay and DLL side-loading techniques.