Banana RAT
Banana RAT is a sophisticated banking Remote Access Trojan (RAT) engineered specifically to target users in Brazil. Security researchers attribute the campaign to the threat group SHADOW-WATER-063, which is closely associated with Brazil’s notorious Tetrade banking malware ecosystem. This broader ecosystem already includes well-known malware families such as Grandoreiro, Mekotio, Casbaneiro, Guildma, and CHAVECLOAK.
The malware provides attackers with extensive control over infected systems, enabling real-time screen monitoring, keyboard and mouse manipulation, keystroke logging, clipboard interception, and the deployment of fake banking or Windows Update screens designed to conceal fraudulent financial activity. Banana RAT is heavily focused on compromising online banking sessions and redirecting financial transactions without the victim noticing.
Infection Chain and Evasion Tactics
Victims are commonly tricked into executing a malicious batch file named Consultar_NF-e.bat. The file is disguised as a legitimate Brazilian electronic invoice known as an NF-e (Nota Fiscal Eletrônica), a format widely recognized by businesses throughout Brazil. Distribution typically occurs through WhatsApp messages, phishing campaigns, or malicious links hosted on attacker-controlled domains.
Banana RAT operates using a Malware-as-a-Service model that relies on large pools of polymorphic payloads. Instead of delivering identical malware samples, the attackers maintain between 100 and 200 pre-generated variants, each uniquely scrambled to evade hash-based detection methods. Every payload is protected by nine layers of obfuscation and encrypted using AES-256.
Once the malicious batch file is launched, a lightweight PowerShell stager downloads the encrypted second-stage payload from the attacker’s infrastructure. The payload is decrypted directly in memory and executed without writing readable code to disk, making the malware significantly harder for traditional antivirus solutions to detect. To further conceal communications, the malware establishes its Command-and-Control (C2) connection over TCP port 443 through typosquatted domains that imitate legitimate Microsoft CDN infrastructure. Traffic is encrypted with AES-256-CBC and authenticated using HMAC tokens linked to the infected machine’s GUID and MAC address, ensuring that only authorized operators can interact with the compromised device.
Full Remote Control and Banking Manipulation
After execution, Banana RAT grants operators direct and interactive control over the infected system. Attackers can stream the desktop across multiple monitors in real time, simulate keyboard and mouse input, and even temporarily disable the victim’s own input devices while unauthorized banking transactions are performed in the background.
The malware’s surveillance capabilities extend beyond remote control. An integrated keylogger continuously records keystrokes into a ring buffer that operators can retrieve on demand. Clipboard monitoring is also implemented, allowing attackers to silently replace copied content, including cryptocurrency wallet addresses, with alternatives controlled by the threat actor.
A major distinguishing feature of Banana RAT is its banking-focused overlay system. The malware monitors active browser window titles and compares them against a hardcoded list of 16 Brazilian financial institutions, including Itaú Unibanco, Bradesco, Santander Brasil, Caixa Econômica Federal, and Banco do Brasil, alongside cryptocurrency exchange platforms operating in Brazil. When a match is detected, the attackers can deploy convincing full-screen overlays that imitate legitimate banking portals or Windows Update notifications, masking the fraudulent actions taking place behind the scenes.
Pix QR Code Hijacking and Long-Term Persistence
Banana RAT includes a dedicated subsystem targeting Pix, Brazil’s instant payment platform. By loading the ZXing barcode processing library at runtime, the malware scans the victim’s screen for Pix QR codes. Once detected, attackers can replace legitimate payment QR codes with fraudulent versions that redirect funds into accounts under their control. Similar QR code manipulation tactics have previously been observed in Brazilian banking trojans such as Mekotio and CHAVECLOAK, reinforcing Banana RAT’s classification within the Tetrade malware ecosystem.
To maintain persistence, the malware creates a concealed Windows Task Scheduler entry configured to relaunch the PowerShell payload every minute for 9,999 days. The scheduled task executes with hidden windows and bypassed execution policies, preventing visible prompts or console windows from appearing. Banana RAT also copies itself into directories designed to resemble legitimate Microsoft diagnostic paths, helping it blend into trusted system locations and evade casual inspection.
Primary Delivery Methods and Warning Signs
Banana RAT campaigns primarily rely on social engineering and deceptive file delivery techniques. Common infection methods include:
- Phishing emails carrying fake invoice attachments or malicious download links
- WhatsApp and chat-platform messages containing disguised NF-e documents
- Drive-by downloads from compromised websites and malicious advertisements
- Pirated software, fake software updates, and cracked applications
- Malicious file formats such as BAT, JavaScript, LNK shortcuts, ZIP or RAR archives, Office documents, EXE installers, and MSI packages
Indicators of Compromise and Defensive Measures
Banana RAT is specifically engineered to steal money from Brazilian banking users in real time. Its combination of live remote access, credential theft, QR code manipulation, and banking overlays allows attackers to fully hijack financial sessions while concealing fraudulent transactions from victims.
Potential indicators of compromise include:
- Unexpected scheduled tasks configured to launch hidden PowerShell commands
- Suspicious outbound connections over TCP port 443 to typosquatted domains that imitate Microsoft CDN infrastructure
- Unusual mouse or keyboard behavior during online banking sessions
- Unauthorized Pix transfers or unexplained cryptocurrency wallet changes
- Hidden PowerShell processes and abnormal banking account activity
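As an added illustration of the Task Scheduler persistence described earlier and of the first indicator above (this is example code written for this page, not the report's or the malware's), the script below scores exported scheduled-task records against the traits the report lists: a PowerShell action with a hidden window and bypassed execution policy, a one-minute repeat, a 9,999-day duration, and a Microsoft-looking path under a user-writable directory. The ScheduledTask record layout, the sample task names and commands are constructed, and the lookalike-path check is a heuristic assumption rather than a rule from the report.

```python
import re
from dataclasses import dataclass

@dataclass
class ScheduledTask:
    name: str
    action: str          # full command line the task runs
    repeat_minutes: int  # repetition interval; 0 means the task does not repeat
    duration_days: int   # how long the repetition trigger stays active

# Traits taken from the persistence description (all matched case-insensitively).
POWERSHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden", re.I)        # -w / -WindowStyle Hidden
BYPASS_POLICY = re.compile(r"-(ep|ex\w*)\s+bypass", re.I)  # -ep / -ExecutionPolicy Bypass
# Heuristic (assumption): a "Microsoft"/"Diagnostics"-looking path under a user-writable root.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)
MS_LOOKALIKE = re.compile(r"\\(Microsoft|Diagnos\w*)\\", re.I)

def suspicious_traits(task: ScheduledTask) -> list[str]:
    """Return the persistence traits a task exhibits (empty if it does not run PowerShell)."""
    if not POWERSHELL.search(task.action):
        return []  # this hunt only looks at tasks that launch PowerShell
    traits = ["powershell"]
    if HIDDEN_WINDOW.search(task.action):
        traits.append("hidden-window")
    if BYPASS_POLICY.search(task.action):
        traits.append("execution-policy-bypass")
    if 0 < task.repeat_minutes <= 1:
        traits.append("repeats-every-minute")
    if task.duration_days >= 9999:
        traits.append("repeats-for-9999-days")
    if USER_WRITABLE.search(task.action) and MS_LOOKALIKE.search(task.action):
        traits.append("lookalike-microsoft-path")
    return traits

def hunt(tasks: list[ScheduledTask], min_traits: int = 3) -> list[ScheduledTask]:
    """Tasks worth triage: PowerShell plus at least two further traits."""
    return [t for t in tasks if len(suspicious_traits(t)) >= min_traits]

# Constructed sample task records (names, paths and commands are invented for illustration).
SAMPLE_TASKS = [
    ScheduledTask(r"\Microsoft\Windows\Diagnosis\DiagUpdate",
                  r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                  r"-File C:\Users\ana\AppData\Roaming\Microsoft\Diagnostics\upd.ps1", 1, 9999),
    ScheduledTask(r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                  r"%windir%\system32\defrag.exe -c -h -o -$", 0, 0),
    ScheduledTask(r"\Backup\NightlyExport",
                  r"powershell.exe -NoProfile -File C:\Scripts\export.ps1", 0, 0),
]
```

Feeding it real records (for example parsed from a `schtasks /query /v /fo CSV` export) is left to the reader; the threshold of three traits keeps ordinary administrative PowerShell tasks out of the triage list.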
Any system suspected of infection should be isolated immediately. Saved banking credentials, clipboard contents, authentication tokens, and cryptocurrency wallet information should be treated as compromised, and all associated passwords and financial access credentials should be reset without delay.