JanelaRAT : A Remote Access Trojan

Users in Latin America have been targeted by a new financial Trojan named JanelaRAT, which is capable of stealing private information from vulnerable Windows systems.

A recent analysis from the research firm Zscaler reports that JanelaRAT mainly hunts for cryptocurrency and financial data tied to banks and other financial institutions. The malware evades security controls through DLL sideloading: it abuses legitimate VMware and Microsoft application binaries so that its malicious library is loaded by a trusted program.

Zscaler identified the campaign in June 2023, but when the infection chain actually began is unknown. The attackers deliver a ZIP archive containing a VBScript through an as-yet-unidentified vector.

When the VBScript runs, it downloads a batch file used to remove the malware from the machine, along with a second ZIP archive from the attackers' server. That archive contains the JanelaRAT payload together with an "identity_helper.exe" or "vmnat.exe" executable, which launches the Trojan via DLL sideloading.
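The sideloading step above is where a defender has the clearest detection opportunity: a legitimate vendor binary such as vmnat.exe or identity_helper.exe running from a user-writable directory and loading an unsigned DLL that sits beside it. The following script is an added example, not code from the article or from Zscaler. It scans constructed Sysmon-style ImageLoad (Event ID 7) records; the key=value log layout, the sample paths, the DLL names, and the list of "trusted install roots" are all assumptions for illustration and should be adjusted to the real environment.

```python
"""Flag DLL-sideloading indicators for the host binaries named in the article."""
import re
from pathlib import PureWindowsPath

# Legitimate host executables the article reports as abused for sideloading.
ABUSED_HOSTS = {"identity_helper.exe", "vmnat.exe"}

# Directories where vendor binaries normally live (assumption; tune per environment).
TRUSTED_ROOTS = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Constructed Sysmon-style events, one per line. Paths and DLL names are made up.
SAMPLE_EVENTS = """\
EventID=7 Image=C:\\Program Files (x86)\\VMware\\VMware Workstation\\vmnat.exe ImageLoaded=C:\\Windows\\System32\\ws2_32.dll Signed=true SignatureStatus=Valid
EventID=7 Image=C:\\Users\\ana\\AppData\\Local\\Temp\\pkg\\vmnat.exe ImageLoaded=C:\\Users\\ana\\AppData\\Local\\Temp\\pkg\\example.dll Signed=false SignatureStatus=Unavailable
EventID=7 Image=C:\\Users\\ana\\Downloads\\identity_helper.exe ImageLoaded=C:\\Users\\ana\\Downloads\\example.dll Signed=false SignatureStatus=Unavailable
EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c run.bat
EventID=7 Image=C:\\Program Files\\Contoso\\app.exe ImageLoaded=C:\\Program Files\\Contoso\\helper.dll Signed=false SignatureStatus=Unavailable
"""


def parse_event(line):
    """Split a 'Key=Value Key=Value' line into a dict; values may contain spaces."""
    fields = {}
    for token in re.split(r"\s+(?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def under_trusted_root(path):
    """True if the path starts with one of the assumed vendor install roots."""
    return path.lower().startswith(TRUSTED_ROOTS)


def sideload_indicators(event):
    """Return the list of reasons an ImageLoad event looks like DLL sideloading."""
    if event.get("EventID") != "7":
        return []
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if PureWindowsPath(image).name.lower() not in ABUSED_HOSTS:
        return []

    reasons = []
    # A vendor binary copied into a temp/download folder is the classic sideloading setup.
    if not under_trusted_root(image):
        reasons.append("host binary outside its vendor install path")
    # The payload DLL is dropped next to the binary so the loader finds it first.
    same_dir = PureWindowsPath(image).parent == PureWindowsPath(loaded).parent
    if same_dir and not under_trusted_root(loaded):
        reasons.append("DLL loaded from the binary's own untrusted directory")
    # Legitimate vendor DLLs are signed; a sideloaded payload usually is not.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    return reasons


def scan(log_text):
    """Run the indicator check over every event line and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = sideload_indicators(event)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, loaded, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} loaded {loaded}: {', '.join(reasons)}")
```

Only the two events in which the abused host binary runs from a user directory and loads an unsigned DLL beside it are reported; the genuine vmnat.exe loading a system DLL from its install path, the non-ImageLoad event, and the unrelated application are ignored. In practice the same logic maps onto a SIEM query over Sysmon Event ID 7, with the trusted-root list and host-binary set maintained as environment-specific allowlists.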

To hinder parsing and detection, JanelaRAT encrypts its strings and uses sleep delays. The researchers assess that JanelaRAT is a heavily modified variant of BX RAT, a Trojan dating from 2014.

Among the malware's new capabilities is registering with the C2 server, then capturing the titles of open windows and sending them to the attackers. JanelaRAT also logs keystrokes, takes screenshots, and records mouse movements and system metadata.

JanelaRAT implements only a subset of BX RAT's features: according to the researchers, the developer left out the functions for manipulating files and processes and for running shell commands.

Examination of the malware's source code revealed strings in Portuguese, indicating that the author at least knows the language. However, besides Portugal, about a dozen other countries have Portuguese-speaking majorities, so pinpointing the attacker's country is extremely difficult.

Most uploads of the malicious VBScript used in the attack to VirusTotal came from Chile, Colombia, and Mexico.

Attackers operating in Latin America often use original or modified RATs. The researchers add that JanelaRAT's focus on gathering financial data and its method of capturing window titles underline its targeted and stealthy character.

Questions About JanelaRAT

Is JanelaRAT a new form of malware?

Yes, JanelaRAT is a newly discovered financial Trojan that poses a significant threat to users in Latin America.

What is the main focus of JanelaRAT?

JanelaRAT primarily targets banks and financial institutions to steal sensitive financial and cryptocurrency data.

How does JanelaRAT avoid detection?

JanelaRAT employs DLL sideloading, abusing legitimate application binaries so that its malicious library is loaded by a trusted program, which lets it bypass security measures and remain undetected.

What languages are associated with JanelaRAT's source code?

JanelaRAT's source code contains lines in Portuguese, hinting at a potential connection to Portuguese-speaking countries in Latin America.

Which regions are most affected by JanelaRAT?

The malicious VBScript used in the attack has been mainly uploaded to VirusTotal from Chile, Colombia, and Mexico.

What makes JanelaRAT unique?

JanelaRAT's distinguishing capabilities include intercepting window titles, tracking mouse movements, capturing keystrokes, and collecting system metadata, all while using string encryption to hinder analysis.

