Bitvise
2026-05-05
Finance & Crypto

JanelaRAT: Latin American Cyber Threat Targeting Financial Data

JanelaRAT is a financial malware targeting Latin American users. It uses multi-stage infection chains with DLL sideloading and MSI droppers to steal credentials.

Introduction

JanelaRAT, named after the Portuguese word for 'window,' is a sophisticated malware family designed to steal financial and cryptocurrency information from users in Latin America. Active since June 2023, this Trojan is a modified version of BX RAT, featuring a unique title bar detection mechanism that identifies target banking websites in a victim's browser. Threat actors behind JanelaRAT continuously update its infection chains and capabilities, making it a persistent and evolving danger.

JanelaRAT: Latin American Cyber Threat Targeting Financial Data
Source: securelist.com

Background

JanelaRAT specifically targets financial institutions and cryptocurrency platforms in Latin America. Its key differentiator from BX RAT is the custom title bar detection, which allows it to activate malicious actions only when the user visits a predefined website. This selective behavior helps evade detection. Kaspersky solutions identify JanelaRAT as Trojan.Script.Generic and Backdoor.MSIL.Agent.gen.

Infection Chain

Initial Vector

Campaigns begin with phishing emails that mimic pending invoice notifications. The email carries a link that purports to download a PDF but in reality redirects the victim to an attacker-controlled website hosting a compressed archive. The archive typically includes VBScripts, XML files, additional ZIP archives, and BAT files. These components work together to download a further ZIP containing the final JanelaRAT payload, which is executed via DLL sideloading.

Multi-Stage Process

The infection chain is multi-stage. The user clicks a link that appears to lead to a PDF and is instead redirected to download a compressed archive. The archive unpacks scripts and configuration files that orchestrate the download of a second-stage ZIP. This ZIP contains a legitimate executable and a malicious DLL, the JanelaRAT backdoor. Running the executable sideloads the DLL, which executes the malware.

Evolution of the Infection Chain

Over time, the threat actors have streamlined the process. Earlier versions used more steps, but the latest observed campaign integrates MSI files as an initial dropper. This MSI file directly delivers a legitimate PE32 executable and a DLL that is actually JanelaRAT. This reduces the number of steps and helps evade analysis. Additionally, auxiliary files like configuration files have been observed to change frequently, indicating an ongoing effort to adapt detection avoidance methods.


Technical Details

Initial Dropper (MSI File)

The MSI file acts as the first stage. It obfuscates file paths and names to hinder analysis, and it uses ActiveX objects (the COM automation objects available to MSI script custom actions, such as the Windows Script Host shell and file-system objects) to manipulate the file system and run commands. The dropper builds its paths from environment variables to place the binaries, creates a shortcut in the Startup folder for persistence, and stores a first-run indicator file. Before installing, it checks for the existence of this indicator and of a specific path; if either is missing, it proceeds with installation.

Persistence Mechanism

Persistence is achieved through a shortcut placed in the Windows Startup folder, so the malware runs each time the user logs on. The first-run indicator file prevents the dropper from re-running its installation logic and rewriting files that are already in place.

DLL Sideloading

The final payload relies on DLL sideloading: a legitimate, often signed, executable imports a DLL by name, and because the Windows loader searches the application's own directory before the system directories, a malicious DLL with that name placed alongside the executable is loaded instead of the genuine one. This lets JanelaRAT run inside the process of a trusted application, evading signature-based detection and blending into normal process activity.
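Both behaviours described above, the shortcut dropped into a Startup folder and a well-known DLL name loaded from the application's own directory instead of a system directory, leave traces in endpoint telemetry. The following is an added example, not code from the original article or from Kaspersky, of hunting logic run over constructed Sysmon-style events (Event ID 7, image loaded; Event ID 11, file created). The process names, paths and the list of commonly sideloaded DLL names are illustrative assumptions, not indicators taken from the JanelaRAT campaign.

```python
"""Detect DLL sideloading and Startup-folder shortcut persistence in Sysmon-style
events. Sample events below are constructed for this example."""

# Directories from which a well-known Windows DLL is expected to load (assumption:
# a real hunt would also accept WinSxS and vendor directories it has inventoried).
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/", "c:/windows/winsxs/")

# DLL names frequently abused for sideloading (illustrative list, not the page's IOCs).
SIDELOAD_NAMES = {
    "version.dll", "dwmapi.dll", "cryptsp.dll", "wininet.dll", "uxtheme.dll", "msimg32.dll",
}

STARTUP_MARKER = "/start menu/programs/startup/"


def _norm(path: str) -> str:
    """Lower-case and forward-slash a Windows path so comparisons are case-insensitive."""
    return path.replace("\\", "/").lower()


def is_sideload(event: dict) -> bool:
    """Event ID 7: a known system DLL name loaded from outside the system directories,
    from the same directory as the loading process image (classic sideloading shape)."""
    if event.get("EventID") != 7:
        return False
    loaded = _norm(event["ImageLoaded"])
    proc = _norm(event["Image"])
    if loaded.rsplit("/", 1)[-1] not in SIDELOAD_NAMES:
        return False
    if loaded.startswith(SYSTEM_DIRS):
        return False  # genuine copy from a system directory
    return loaded.rsplit("/", 1)[0] == proc.rsplit("/", 1)[0]


def is_startup_lnk(event: dict) -> bool:
    """Event ID 11: a .lnk written into a Startup folder by something other than
    explorer.exe (the process that writes shortcuts a user creates by hand)."""
    if event.get("EventID") != 11:
        return False
    target = _norm(event["TargetFilename"])
    if not target.endswith(".lnk") or STARTUP_MARKER not in target:
        return False
    creator = _norm(event["Image"]).rsplit("/", 1)[-1]
    return creator != "explorer.exe"


def triage(events: list) -> list:
    """Return (rule, event_index) pairs for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if is_sideload(ev):
            hits.append(("dll_sideload", i))
        elif is_startup_lnk(ev):
            hits.append(("startup_shortcut", i))
    return hits


# Constructed sample telemetry (paths and names are hypothetical).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Roaming\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Roaming\Viewer\version.dll"},       # sideload
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},                      # benign
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\custom.dll"},                      # app's own DLL
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Viewer.lnk"},           # persistence
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\MyApp.lnk"},            # user-made
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Viewer\first_run.txt"}, # not a .lnk
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]}")
```

The DLL-name list is the weak point of this rule: a production hunt should instead compare every loaded image against an inventory of the DLLs that ship in System32 and SysWOW64, and corroborate hits with Sysmon's signature fields (an unsigned or differently signed copy of a Microsoft DLL name in a user-writable directory is the strongest signal).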

Detection and Protection

Kaspersky products detect JanelaRAT as Trojan.Script.Generic and Backdoor.MSIL.Agent.gen. Users in Latin America, especially those in the financial sector, should treat unsolicited emails containing invoice-related links with suspicion. Up-to-date security software and employee training on phishing remain essential defenses, and defenders can hunt for the behaviours described above: an MSI installer or script host writing a shortcut into a Startup folder, and well-known DLL names being loaded from user-writable directories rather than from the system directories.

Conclusion

JanelaRAT represents a targeted threat to Latin American financial users. Its evolving infection chain, use of DLL sideloading, and region-specific targeting make it a persistent risk. By understanding its mechanisms, organizations can better defend against this and similar threats.