Janeleiro is a banking Trojan that targets business and government entities in Brazil. It is deployed rapidly over e-mail, and its data collection relies on the attacker manually controlling fake pop-up windows. Users should be cautious about opening ZIP attachments from e-mail and keep appropriate security solutions in place for detecting or removing Janeleiro.
A Trojan Takes a Little from njRAT and a Lot from Creative Inspiration
With estimated early builds back in 2018, it's taken time for the security industry to catch up with Janeleiro – a banking Trojan not too different in intentions from the Vizom Malware, Grandoreiro, and other bank account thieves operating in Brazil. This specialized spyware isn't shy about borrowing techniques, code, or infrastructure from others. Still, it also is a somewhat unique, break-out example of a banking Trojan that's 'going its own way' when necessary.
Janeleiro includes some functions from njRAT and uses a ZIP archive file-based installer method that it shares with other banking Trojans targeting Brazil. However, it also uses primarily original code in an unorthodox programming language for its region and a highly-specific, daily-updated GitHub C&C infrastructure. Thankfully for victims, it also omits (at least, in current builds) any anti-anti-virus or anti-security features, even though it can terminate programs' processes, such as Chrome.
Janeleiro's payload is very reminiscent of other Trojans that malware analysts see in Brazil. It monitors the user's windows for keywords related to official banks and notifies the attacker when it finds a match. The attacker, in turn, uses a range of settings to control pop-ups that are adjusted dynamically for the situation.
These pop-up windows imitate banking websites and applications, helping the threat actor encourage fraudulent transactions. They also may collect data through some general-purpose features, such as keylogging, taking screenshots, or hijacking the user's input devices (keyboard and mouse).
An Infection that's Short-Term with Long-Term Consequences
Janeleiro is what one might call a 'high-maintenance' Trojan, since its features and infrastructure demand significant attention from its developers. However, the most interesting aspect of Janeleiro is the current deployment model of its 0.0.3 build (the latest as of April 2021). Janeleiro's encryption for its strings and Command & Control details hinges on the current date. In practice, this coding tweak means that Janeleiro deploys and performs all of its intended functions within a single day before ceasing operation (and, presumably, uninstalling itself).
Users should be on the lookout for tactics that involve phishing lures custom-crafted for their companies, along with equally customized banking fraud efforts. At this time, malware experts can only point to attacks against business and government entities. The verifiable targets span sectors as different as retail, engineering, manufacturing, and finance.
To prevent attacks, malware experts suggest that users be highly cautious around e-mails resembling potentially fake invoices, resumes, business articles, and other business documents. Most anti-malware utilities, including the default solutions mandated by regional banks, should block or delete Janeleiro.
Janeleiro's operators work quickly and in a way that is as far from automated as possible. Although GitHub is taking down infrastructure associated with the Trojan, its developers are unlikely to accept the loss and discontinue their illicit business.