JanelaRAT Unveiled: The Evolving Financial Malware Menace in Latin America
JanelaRAT, named after the Portuguese word for “window,” has emerged as a significant financial threat specifically targeting users in Latin America. This sophisticated Trojan, a modified variant of BX RAT, has been active since June 2023 and continuously evolves to evade detection. Below, we answer key questions about its operations, infection methods, and defenses.
1. What is JanelaRAT and which institutions does it target?
JanelaRAT is a remote access Trojan (RAT) tailored to steal financial and cryptocurrency data from specific banks and financial institutions in Latin America. Its name derives from the Portuguese word for “window,” reflecting how it watches the browser windows on a victim’s machine. Unlike generic malware, it employs a custom title bar detection mechanism to identify when a targeted website is open, then executes malicious actions such as credential theft or transaction manipulation. The threat primarily focuses on users in Portuguese- and Spanish-speaking countries, where it has been observed since mid-2023.

2. How does JanelaRAT differ from its predecessor BX RAT?
JanelaRAT is a modified variant of BX RAT, with two critical distinctions. First, it utilizes a unique title bar detection method to pinpoint target websites in the victim’s browser, rather than relying on simpler URL-matching techniques. Second, its creators continuously update the infection chain and add new features to stay ahead of security solutions. This evolution includes integrating MSI files and refining obfuscation tactics, making JanelaRAT more stealthy and effective than its predecessor.
3. How does the initial infection occur in JanelaRAT campaigns?
Infection begins with a phishing email that mimics pending invoice notifications. Recipients are tricked into clicking a malicious link, which redirects them to a compromised website that downloads a compressed file. This file often contains VBScripts, XML files, other ZIP archives, and BAT files. The multi-stage chain ultimately leads to a ZIP archive containing components for DLL sideloading, which executes JanelaRAT as the final payload. Variations exist depending on the malware version, but the social engineering tactic remains consistent.
4. What does the typical JanelaRAT infection chain look like?
The infection chain is multi-stage and has evolved over time. Initially, the victim downloads a compressed file from a malicious link in an email. That file holds intermediate scripts (VBScript, BAT) and other archives, which eventually trigger the download of a ZIP containing a legitimate PE32 executable and a malicious DLL. The executable sideloads the DLL, which is JanelaRAT. The latest campaigns include MSI files as initial droppers that install the implant and establish persistence. The chain has been streamlined to reduce steps and improve evasion.

5. How has the JanelaRAT infection chain evolved since its emergence?
Since June 2023, the threat actors behind JanelaRAT have refined their techniques. Earlier chains involved more intermediary files (e.g., VBScripts, XML), but the latest versions integrate MSI packages that directly deliver the sideloading executable and DLL. This streamlining reduces the number of installation steps, making the malware harder to detect. Additionally, auxiliary files like configuration files have changed over time, reflecting ongoing attempts to avoid security software. The evolution shows a logical progression toward simpler, more effective infection routes.
6. How does JanelaRAT establish persistence on an infected system?
Persistence is achieved through the MSI dropper in recent campaigns. The MSI defines file paths using environment variables to host binaries, creates a shortcut in the startup folder, and stores a first-run indicator file. The dropper checks for the presence of that indicator file or a specific path; if either is missing, it executes the sideloading mechanism to ensure JanelaRAT runs at startup. This process uses obfuscated file paths and names to hinder analysis and maintain a foothold on the system.
7. How does Kaspersky detect JanelaRAT and what can users do to protect themselves?
Kaspersky solutions detect JanelaRAT as Trojan.Script.Generic or Backdoor.MSIL.Agent.gen. Users are advised to exercise caution with email attachments, especially those claiming to be invoices from unfamiliar senders. Employing robust endpoint protection with real-time scanning and behavioral analysis, keeping software updated, and avoiding clicking suspicious links are key preventive measures. Organizations in Latin America should implement email filtering and user awareness training to mitigate the risk of infection.