Cybersecurity specialists have observed a previously unknown financial malware, tracked as JanelaRAT, targeting individuals in the Latin America (LATAM) region. The threat is able to extract sensitive data from compromised Windows-based systems.
JanelaRAT primarily seeks financial and cryptocurrency-related information tied to banks and financial institutions operating within LATAM. The malware relies on DLL side-loading, abusing legitimate executables from vendors such as VMware and Microsoft, which helps it evade endpoint security controls.
The Infection Chain of the JanelaRAT Malware
The exact initial point of the infection chain has not been confirmed so far. However, the cybersecurity researchers who identified the campaign in June 2023 report that an as-yet-unknown method is used to deliver a ZIP archive containing a Visual Basic Script.
The VBScript is crafted to retrieve a second ZIP archive from the attackers' server. It also drops a batch file that establishes the malware's persistence mechanism on the compromised system.
Within that ZIP archive, two key components are bundled together: the JanelaRAT payload and a legitimate executable, namely 'identity_helper.exe' or 'vmnat.exe'. These executables are used to launch the JanelaRAT payload through DLL side-loading.
JanelaRAT itself uses string encryption and can switch into an idle state when necessary, which helps it evade analysis and detection. JanelaRAT is a heavily modified version of BX RAT, a threat first identified back in 2014.
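One defensive check a practitioner might build from the side-loading behaviour described above, as an added example that is not part of the original article: flag image-load telemetry in which one of the named host executables loads a DLL from its own directory while either unsigned or running outside the vendor's install root. The event fields mimic Sysmon Event ID 7, the install roots are assumptions to tune per environment, and the sample events are constructed.

```python
from pathlib import PureWindowsPath

# Legitimate host binaries named on this page. The expected install roots
# are an assumption for illustration; adjust them to your environment.
SIDELOAD_HOSTS = {
    "identity_helper.exe": ["c:\\program files (x86)\\microsoft\\edge\\application"],
    "vmnat.exe": ["c:\\program files (x86)\\vmware\\vmware workstation"],
}


def is_sideload_candidate(event):
    """True when a watched host loads a DLL from its own directory and that
    DLL is unsigned or the host runs outside its expected install root."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    host = image.name.lower()
    if host not in SIDELOAD_HOSTS or loaded.suffix.lower() != ".dll":
        return False
    image_dir = str(image.parent).lower()
    if image_dir != str(loaded.parent).lower():
        return False  # DLL came from elsewhere, not a sibling of the host
    in_expected_root = any(image_dir.startswith(root) for root in SIDELOAD_HOSTS[host])
    unsigned = event.get("Signed", "false").lower() != "true"
    return unsigned or not in_expected_root


def scan(events):
    """Return the loaded-DLL paths of every event worth an analyst's look."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


# Constructed sample events (not real telemetry): a benign system DLL load,
# an unsigned sibling DLL beside a relocated host, and a signed sibling DLL
# beside a host running from a temp directory.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Updater\identity_helper.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\sample_sideloaded.dll",
     "Signed": "false"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\x\vmnat.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\x\sample_sideloaded.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("possible DLL side-loading:", hit)
```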
JanelaRAT Possesses a Specialized List of Invasive Capabilities
Among the new threatening functions added to the Trojan is the ability to capture window titles and transmit them to the threat actors. Before doing so, JanelaRAT first establishes communication between the newly compromised host and the operation's Command-and-Control (C2) server. JanelaRAT also offers additional functionality, including monitoring mouse input, recording keystrokes, capturing screenshots and gathering system metadata.
However, according to researchers, the array of features observed within JanelaRAT is just a subset of what BX RAT offers. Apparently, the developers of JanelaRAT chose not to include any functionalities for executing shell commands, manipulating files, or managing processes.
A thorough examination of the source code has revealed several strings in Portuguese, suggesting that the creators of the threat are familiar with that language. In addition, connections to the Latin America (LATAM) region appear in references to entities active in the banking and decentralized finance sectors. Moreover, the VBScript associated with JanelaRAT could be traced to Chile, Colombia and Mexico.