The JanelaRAT malware is a highly targeted Remote Access Trojan focused on stealing financial and cryptocurrency data from banking users in the LATAM region. It employs evasion techniques such as DLL side-loading through legitimate executables. The campaign's initial infection vector is unknown; what is known is that it delivers a ZIP archive containing a VBScript. The VBScript then fetches a second ZIP archive from the attackers' server, which includes both the JanelaRAT payload and a legitimate executable used for DLL side-loading.

JanelaRAT's capabilities include string encryption, switching into an idle state to frustrate analysis, capturing window titles and sending them to the threat actors, registering infected hosts with a C2 server, tracking mouse inputs, logging keystrokes, taking screenshots, and harvesting system metadata. The malware is a modified version of the original BX RAT, showing that the code base is still being actively developed.


  • Targeted Data: JanelaRAT primarily targets financial and cryptocurrency data from the LATAM region's banking and financial institutions.
  • Evading Detection: The malware uses DLL side-loading through legitimate, reputable executables to avoid detection by endpoint security solutions.
  • Infection Chain: The initial infection vector remains unknown, but the campaign involves a delivery mechanism using a VBScript within a ZIP archive.
  • Persistence Mechanism: A batch file is dropped to ensure malware persistence in the compromised system.
  • Functionality: JanelaRAT can perform a range of malicious actions, including capturing sensitive data, avoiding analysis, and maintaining communication with C2 servers.
  • Localization: Portuguese strings in the malware suggest that its author is familiar with the language.
  • LATAM Links: References to organizations in the financial sector and VirusTotal uploads originating from LATAM countries highlight the regional focus.

Recommended Actions:

  • Keep Software Updated: Ensure that all operating systems, applications, and security software are up-to-date to patch vulnerabilities.
  • Implement Security Solutions: Employ reputable antivirus and antimalware software to detect and prevent threats like JanelaRAT.
  • User Training: Educate users about the risks of downloading attachments or clicking on suspicious links in emails.
  • Network Segmentation: Implement network segmentation to limit lateral movement of malware within the network.
  • Monitor Network Traffic: Monitor outgoing and incoming network traffic for anomalies and unauthorized connections.

IOCs (Indicators of Compromise):

  • Malicious VBScript (hash): abcdef1234567890abcdef1234567890
  • JanelaRAT Payload (hash): 0123456789abcdef0123456789abcdef
  • C2 Server Domains:

SIEM Rules Refinement:

Refine your SIEM rules to include detection and alerting for the following behaviors:

  • DLL Side-Loading Detection: Monitor for instances of DLL side-loading, especially involving legitimate executables.
  • Suspicious Network Activity: Identify unusual connections to known C2 server domains.
  • Unusual File Activity: Monitor for the dropping of batch files or other persistence mechanisms.
  • Keystroke Logging: Detect any abnormal keystroke logging behavior.
  • Unauthorized System Access: Monitor for activity related to capturing screenshots or tracking mouse inputs.
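As an added example (not part of the original write-up, and not a rule set published for this campaign), the following Python script implements simplified versions of three of the behaviors listed above, covering the infection chain and persistence points from the summary as well: a script host launched on a .vbs extracted from a ZIP archive, an unsigned DLL loaded from a non-system executable's own directory (the side-loading pattern), and a batch file written to the Startup folder or referenced from a Run key. The event format, field names and sample events are constructed Sysmon-style JSON lines; they are assumptions for illustration, not telemetry from the campaign.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample events (JSON lines). Field names loosely follow Sysmon's
# (Image, CommandLine, ImageLoaded, Signed, TargetFilename, TargetObject,
# Details); the paths, user name and binary names are made up for this example.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_invoice.zip\\invoice.vbs"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\viewer\\viewer.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\viewer\\support.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\support.dll", "Signed": "true"}
{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Roaming\\viewer\\viewer.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\viewer\\viewer.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\viewer", "Details": "C:\\Users\\alice\\AppData\\Roaming\\viewer\\start.bat"}
'''

# Directories where DLLs loaded next to their executable are expected and signed.
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def detect_script_from_archive(ev: dict):
    """Process creation (EventID 1): script host running a .vbs straight out of
    a ZIP or the user's Temp directory, as in the delivery chain described above."""
    if ev.get("EventID") != 1:
        return None
    host = PureWindowsPath(ev.get("Image", "")).name.lower()
    cmd = ev.get("CommandLine", "").lower()
    if host in SCRIPT_HOSTS and ".vbs" in cmd and (".zip\\" in cmd or "\\temp\\" in cmd):
        return {"rule": "vbscript_from_archive", "evidence": ev["CommandLine"]}
    return None


def detect_dll_sideload(ev: dict):
    """Image load (EventID 7): an unsigned DLL loaded from the same directory as
    the executable, outside the OS and Program Files trees."""
    if ev.get("EventID") != 7 or not ev.get("Image") or not ev.get("ImageLoaded"):
        return None
    exe = PureWindowsPath(ev["Image"].lower())
    dll = PureWindowsPath(ev["ImageLoaded"].lower())
    same_dir = exe.parent == dll.parent
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    if same_dir and unsigned and not _in_trusted_root(str(dll)):
        return {"rule": "dll_sideload_candidate", "evidence": ev["ImageLoaded"]}
    return None


def detect_batch_persistence(ev: dict):
    """File create (EventID 11) of a .bat in the Startup folder, or a registry
    value (EventID 13) under a Run key that points at a .bat."""
    eid = ev.get("EventID")
    if eid == 11:
        target = ev.get("TargetFilename", "").lower()
        if target.endswith(".bat") and "\\start menu\\programs\\startup\\" in target:
            return {"rule": "batch_in_startup_folder", "evidence": ev["TargetFilename"]}
    elif eid == 13:
        key = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower()
        if "\\currentversion\\run\\" in key and details.endswith(".bat"):
            return {"rule": "batch_in_run_key", "evidence": ev["Details"]}
    return None


DETECTORS = (detect_script_from_archive, detect_dll_sideload, detect_batch_persistence)


def scan(jsonl: str) -> list:
    """Run every detector over each JSON-line event; return the alerts in order."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for detector in DETECTORS:
            hit = detector(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the script yields four alerts (one per rule, plus the Run-key variant) and nothing for the two benign notepad events. The side-loading check is deliberately coarse: any unsigned application in a user profile that ships its own DLLs will trip it, so in a real SIEM you would combine it with an allowlist of known software and, more usefully, compare the loaded DLL's file name against an inventory of DLL names that exist under System32, since a side-loaded DLL typically impersonates one of those.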


The JanelaRAT malware poses a significant threat to users in the LATAM region, targeting financial and cryptocurrency data. Its ability to evade detection through sophisticated techniques, its localized attributes, and its targeted functionality make it a concerning and stealthy threat. Organizations and users in the LATAM region should be vigilant, maintain up-to-date security measures, and educate themselves about the risks associated with such advanced malware. Employing a multi-layered security approach, including user training and advanced threat detection tools, is crucial to mitigating the risks posed by JanelaRAT and similar threats.
