JanelaRAT is a financial malware that specifically targets FinTech users in Latin America (LATAM) [1] [5]. It focuses on the financial sector [3], particularly on cryptocurrency and banking data held by LATAM institutions [3].

Description

This newly discovered malware, uncovered by researchers at Zscaler ThreatLabz, is capable of extracting sensitive information from compromised Microsoft Windows systems [1] [3] [4] [5] [7]. It uses sophisticated techniques [3], such as DLL side-loading through legitimate executables from vendors like VMware and Microsoft [5] [6], to evade detection by typical endpoint security measures and to persist on compromised systems. JanelaRAT is a modified version of the BX RAT from 2014 and employs encryption to cloak its commands [3]. To avoid detection [1] [2] [3] [4] [5] [6], it has a self-protection mechanism that keeps it silent and avoids suspicious behavior [2]. The exact entry vector is unknown [3], but it is delivered through a ZIP archive containing a Visual Basic Script [3] [7]. JanelaRAT is packaged as two components: the JanelaRAT payload and a legitimate executable [4]. It can track mouse inputs, log keystrokes [1] [4], take screenshots [1] [4] [7], and harvest system metadata [1] [4] [7]. However, it does not have shell command execution or file/process manipulation functionality [4]. The malware's method of extracting window titles for transmission highlights its targeted and stealthy nature [1] [5]. The JanelaRAT-related VBScript samples uploaded to VirusTotal originated from Chile [5], Colombia [1] [5], and Mexico [1] [5].
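As an added detection-side illustration (not code from any of the cited reports), the following Python heuristic flags the side-loading pattern described above in Sysmon-style image-load records: a signed vendor executable that loads an unsigned DLL from its own directory in a location where the vendor does not normally install. The field names, trusted directories and sample paths are assumptions constructed for this example.

```python
"""Heuristic for spotting DLL side-loading of the kind described above:
a signed vendor executable loading an unsigned DLL that sits beside it,
outside the vendor's normal install locations. Records mimic Sysmon
Event ID 7 (ImageLoad) fields and are constructed for this example."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where vendor binaries legitimately live (assumption for this example).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files", r"c:\program files (x86)")


@dataclass
class ImageLoad:
    image: str         # the process executable (Sysmon "Image")
    image_loaded: str  # the DLL that was loaded (Sysmon "ImageLoaded")
    exe_signed: bool   # host executable carries a valid signature
    dll_signed: bool   # loaded DLL carries a valid signature


def _under_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed executable loads an unsigned DLL from its own
    directory and that directory is not a trusted install location."""
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    same_dir = exe.parent == dll.parent  # PureWindowsPath compares case-insensitively
    return (ev.exe_signed and not ev.dll_signed and same_dir
            and not _under_trusted_dir(ev.image))


SAMPLE_EVENTS = [  # constructed records, not real JanelaRAT artefacts
    ImageLoad(r"C:\Users\u\AppData\Roaming\upd\signed_vendor_app.exe",
              r"C:\Users\u\AppData\Roaming\upd\helper.dll", True, False),
    ImageLoad(r"C:\Program Files\Vendor\signed_vendor_app.exe",
              r"C:\Program Files\Vendor\helper.dll", True, True),
    ImageLoad(r"C:\Users\u\Downloads\tool.exe",
              r"C:\Windows\System32\kernel32.dll", False, True),
]


def flag_events(events):
    """Return the DLL paths of all records that match the heuristic."""
    return [e.image_loaded for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for dll in flag_events(SAMPLE_EVENTS):
        print("possible side-load:", dll)
```

On real telemetry the same logic runs over Sysmon Event ID 7 entries, with signature status taken from the event's Signed/SignatureStatus fields.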

Conclusion

To mitigate the risks posed by JanelaRAT [3], proactive measures such as caution with suspicious emails and links [3], regular system updates [3], robust security software [3], and malware detection tools are recommended [3]. This new strain of BX RAT was highlighted by Zscaler, a cloud cybersecurity company [2]. The campaign was discovered in June 2023, and JanelaRAT is specifically designed for data collection in LATAM. The use of remote access trojans (RATs) is common among threat actors operating in the LATAM region [5] [7].

References

[1] https://thehackernews.com/2023/08/new-financial-malware-janelarat-targets.html
[2] https://cybermagazine.com/cyber-security/zscaler-team-discover-threat-actor-targeting-latam-fintechs
[3] https://be4sec.com/2023/08/14/a-new-malware-targeting-latin-america/
[4] https://cyber.vumetric.com/security-news/2023/08/14/new-financial-malware-janelarat-targets-latin-american-users/
[5] https://www.redpacketsecurity.com/new-financial-malware-janelarat-targets-latin-american-users/
[6] https://www.cyclonis.com/janelarat-targets-windows-users-in-latin-america/
[7] https://www.linkedin.com/pulse/nuevo-malware-financiero-janelarat-apunta-usuarios-latinoamericanos/