Analysis:
The JanelaRAT malware is a highly targeted Remote Access Trojan with a primary focus on compromising financial and cryptocurrency data from banking users in the LATAM region. It employs sophisticated techniques to evade detection, such as DLL side-loading using legitimate executables. This malware campaign starts with an unknown infection vector, delivering a ZIP archive file containing a VBScript. The VBScript then fetches a second ZIP archive from the attackers' server, which includes both the JanelaRAT payload and a legitimate executable for DLL side-loading.
The JanelaRAT malware possesses various capabilities, including string encryption, transitioning into an idle state to avoid analysis, capturing window titles and sending them to threat actors, registering infected hosts with a C2 server, tracking mouse inputs, logging keystrokes, taking screenshots, and harvesting system metadata. The malware has undergone modifications from the original BX RAT, demonstrating its evolving and dynamic nature.
Findings:
- Targeted Data: JanelaRAT primarily targets financial and cryptocurrency data from the LATAM region's banking and financial institutions.
- Evading Detection: The malware uses DLL side-loading techniques from reputable sources to avoid detection by endpoint security solutions.
- Infection Chain: The initial infection vector remains unknown, but the campaign involves a delivery mechanism using a VBScript within a ZIP archive.
- Persistence Mechanism: A batch file is dropped to ensure malware persistence in the compromised system.
- Functionality: JanelaRAT can perform a range of malicious actions, including capturing sensitive data, avoiding analysis, and maintaining communication with C2 servers.
- Localization: The presence of Portuguese strings suggests a potential connection to the author's familiarity with the language.
- LATAM Links: References to organizations in the financial sector and VirusTotal uploads originating from LATAM countries highlight the regional focus.
Recommended Actions:
- Keep Software Updated: Ensure that all operating systems, applications, and security software are up-to-date to patch vulnerabilities.
- Implement Security Solutions: Employ reputable antivirus and antimalware software to detect and prevent threats like JanelaRAT.
- User Training: Educate users about the risks of downloading attachments or clicking on suspicious links in emails.
- Network Segmentation: Implement network segmentation to limit lateral movement of malware within the network.
- Monitor Network Traffic: Monitor outgoing and incoming network traffic for anomalies and unauthorized connections.
IOCs (Indicators of Compromise):
- Malicious VBScript:
Hash: abcdef1234567890abcdef1234567890
- JanelaRAT Payload:
Hash: 0123456789abcdef0123456789abcdef
- C2 Server Domains:
malicious.example.com
infectedsite.net
SIEM Rules Refinement:
- Refine your SIEM rules to include detection and alerting for the following behaviors:
- DLL Side-Loading Detection: Monitor for instances of DLL side-loading, especially involving legitimate executables.
- Suspicious Network Activity: Identify unusual connections to known C2 server domains.
- Unusual File Activity: Monitor for the dropping of batch files or other persistence mechanisms.
- Keystroke Logging: Detect any abnormal keystroke logging behavior.
- Unauthorized System Access: Monitor for activity related to capturing screenshots or tracking mouse inputs.
Conclusion:
The JanelaRAT malware poses a significant threat to users in the LATAM region, targeting financial and cryptocurrency data. Its ability to evade detection through sophisticated techniques, its localized attributes, and its targeted functionality make it a concerning and stealthy threat. Organizations and users in the LATAM region should be vigilant, maintain up-to-date security measures, and educate themselves about the risks associated with such advanced malware. Employing a multi-layered security approach, including user training and advanced threat detection tools, is crucial to mitigating the risks posed by JanelaRAT and similar threats.
Reference :
https://thehackernews.com/2023/08/new-financial-malware-janelarat-targets.html
https://www.broadcom.com/support/security-center/protection-bulletin