JanelaRAT Targets Windows Users in Latin America

A financial malware known as JanelaRAT is actively targeting users across Latin America, extracting sensitive data from the Microsoft Windows systems it compromises.

Zscaler ThreatLabz researchers Gaetano Pellegrino and Sudeep Singh have described JanelaRAT's modus operandi. They report that the malware's primary goal is to harvest financial and cryptocurrency-related information tied to banks and financial institutions in Latin America. To do so, it relies on DLL side-loading, abusing legitimate executables from VMware and Microsoft to load its malicious code. Because the payload runs inside a trusted vendor binary, JanelaRAT can slip past typical endpoint security measures.

JanelaRAT's Mode of Operation

While the exact entry point for the intrusion remains uncertain, the cybersecurity company that uncovered this campaign in June 2023 reports that an unknown vector is used to deliver a ZIP archive. Concealed within this archive is a Visual Basic Script engineered to perform two tasks. First, it fetches another ZIP archive from the attackers' server. Second, it drops a batch file that gives the malware persistence on the compromised system.

The second ZIP archive holds a two-part payload. One component is the JanelaRAT malware itself; the other is a legitimate executable named identity_helper.exe or vmnat.exe. The legitimate executable is used to launch the malware through DLL side-loading.
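A hunting check for the side-loading pattern just described, added here as an example (it is not the Zscaler report's or the malware's code): it flags a Sysmon-style ImageLoad record in which identity_helper.exe or vmnat.exe runs outside its assumed vendor install directory and loads a DLL from its own folder. The install prefixes, the event layout and the sample events are assumptions.

```python
"""Flag DLL side-loading via the host binaries named in the JanelaRAT report.

Added example, not from the Zscaler report or JanelaRAT itself. Assumes
Sysmon ImageLoad (Event ID 7) records flattened to dicts with the fields
'Image' (the process executable) and 'ImageLoaded' (the module it loaded).
"""
from pathlib import PureWindowsPath

# Legitimate executables the report says are abused as side-load hosts.
SIDELOAD_HOSTS = {"identity_helper.exe", "vmnat.exe"}

# Assumed install locations for those binaries; tune to your estate.
EXPECTED_PREFIXES = (
    PureWindowsPath(r"C:\Program Files (x86)\Microsoft\Edge"),
    PureWindowsPath(r"C:\Program Files\VMware"),
    PureWindowsPath(r"C:\Program Files (x86)\VMware"),
)


def _under(path, prefix):
    """True if 'path' lies beneath 'prefix' (case-insensitive on Windows paths)."""
    try:
        path.relative_to(prefix)
        return True
    except ValueError:
        return False


def is_suspicious_sideload(event):
    """A known host binary, running from an unexpected directory, loading a
    DLL that sits beside it: the classic side-loading footprint."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() not in SIDELOAD_HOSTS:
        return False
    if any(_under(image, p) for p in EXPECTED_PREFIXES):
        return False  # normal vendor install; expected to load its own DLLs
    return image.parent == loaded.parent and loaded.suffix.lower() == ".dll"


def find_sideloads(events):
    return [e for e in events if is_suspicious_sideload(e)]


# Constructed sample events (not real telemetry); 'sideloaded.dll' is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\115.0\identity_helper.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\pkg\identity_helper.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\pkg\sideloaded.dll"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\pkg\vmnat.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]
```

The expected-path filter is what keeps false positives down, so a copy dropped inside a vendor directory would not trip it; pair this with file-hash or signature checks on the loaded DLL.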

JanelaRAT also takes steps to evade scrutiny: it encrypts its strings and can switch to an idle mode when required, hindering detection and analysis. This strain is in fact a customized version of the previously identified BX RAT, which first emerged in 2014.

One notable addition in this trojan is the ability to capture window titles and relay them to the operators, though only after a connection to the command-and-control (C2) server has been established. Beyond this, JanelaRAT supports tracking mouse input, logging keystrokes, capturing screenshots, and harvesting system metadata.

JanelaRAT implements only a subset of its predecessor BX RAT's features: its developers left out the functionality for executing shell commands and for manipulating files and processes.

A closer inspection of the malware's source code revealed traces of the Portuguese language, suggesting that JanelaRAT's author is well acquainted with it.

The Latin American connection becomes apparent through references to entities in the banking and decentralized finance sectors. Furthermore, the geographical origins of the VBScript uploads to VirusTotal point toward Chile, Colombia, and Mexico.

August 14, 2023
