Rewterz Threat Alert – JanelaRAT: Modified Variant of BX Rat Targeting Financial Institutions in LATAM – Active IOCs

Severity

High

Analysis Summary

In Latin America (LATAM), a financial malware named JanelaRAT has emerged as a significant threat, capable of extracting sensitive information from compromised Microsoft Windows systems. Recently, researchers have identified the malware’s operation and its strategic features.

JanelaRAT is specifically designed to target financial and cryptocurrency data within the LATAM region, focusing on bank and financial institutions. The malware employs sophisticated techniques to evade detection, such as abusing DLL side-loading methods sourced from legitimate software like VMWare and Microsoft. This evasion tactic allows JanelaRAT to bypass endpoint detection mechanisms effectively.

Although the initial infection vector remains undisclosed, experts discovered the campaign in June 2023. The attack begins with the delivery of a ZIP archive file containing a Visual Basic Script (VBScript) through an unknown method.

The VBScript plays a pivotal role by fetching a second ZIP archive from the attackers’ server. Additionally, the script drops a batch file that ensures the malware’s persistence on the compromised system. The secondary ZIP archive contains two components: the JanelaRAT payload and a legitimate executable, namely identity_helper.exe or vmnat.exe. The latter executable is employed to initiate the JanelaRAT payload via DLL side-loading.

JanelaRAT implements several advanced measures to evade detection, including string encryption and the ability to transition into an idle state when necessary. This assists the malware in evading analysis. Notably, JanelaRAT is a modified version of the BX RAT, originally discovered in 2014.

Among the updated features, JanelaRAT is capable of capturing windows titles, sending them to threat actors. Prior to this action, the newly infected host is registered with the command-and-control (C2) server. The malware further possesses functionalities to track mouse inputs, record keystrokes, capture screenshots, and collect system metadata.

Interestingly, JanelaRAT offers a subset of the features found in BX RAT. The developer excluded certain functionalities related to shell commands execution, as well as file and process manipulation.

An analysis of the malware’s source code revealed the presence of strings in Portuguese, indicating the author’s familiarity with the language. The connection to LATAM is reinforced by references to banking and decentralized finance organizations, as well as the origin of VBScript uploads to VirusTotal from Chile, Colombia, and Mexico.

Researchers emphasize that the use of original or modified Remote Access Trojans (RATs) is a common practice among threat actors in the LATAM region. The focus of JanelaRAT on harvesting LATAM financial data, along with its method of extracting window titles for transmission, underscores its targeted and covert nature.

Impact

• Sensitive Information Theft

Indicators of Compromise

Domain Name

• brockmex57.golffan.us
• j1d3c3mex.homesecuritypc.com
• myfunbmdablo99.hosthampster.com
• irocketxmtm.hopto.me
• hotdiamond777.loginto.me
• imrpc7987bm.mmafan.biz
• dmrpc77bm.myactivedirectory.com
• jxjmrpc797bm.mydissent.net
• askmrpc747bm.mymediapc.net

MD5

• 999a9af2cd20a8c4bcf652e3523aafa3
• 51268b9681df47022c44af43f9d57255
• 24c6bff8ebfd532f91ebe06dc13637cb
• 1b72c12db8a37103a37cab5b3b14398c
• 397e407e63128e71089971e3b35dd253
• 172ca00d32a201f5e917bc4d73f720a1
• 505fab6d83ef86a4b12b5808047fa7f1
• 3870e4a4d86a34424ea47bdaa722cd89
• 44d9f29a81a2f2df83b6000165e8a06f
• f71471d7e94ef739a8ee44125023b750
• ec60bc4522fa58bfe9592abde33948a7
• 81618be603bca301ac156ed169444569
• ba2bd2d31cf591480b69e106b0e77b5c
• e2d7101f405ed88aba89bf39d56ee7a8
• 84919bf0583c0e6c04e606f34a1d56f3
• 48c189e5dfe28b9d2b32fd813a991adb
• e684e872213432320c78f56c72c88a8e
• c86fdacd8af28cb08ef406bc6d4fc5a7
• d057c499f440b77cfcad8d859d389915
• 36a8a7407f084b4ae461b6bb4dd0b65c
• 900445a57f462d0df130c3612e6caed7
• 691cc21dae6e320564f74d6372e94286
• b1e1134c82fdfe283948930089474574
• 0cf2707ce1dccd6054813cb9207bf3d4

SHA-256

• 000356ff8bab0222fad9572b640997eed54390280fee8605d5ee3aec4cb01413
• cd4f8137e7732238303257a714252e76b6c1c61d3ba27f5ffc6a82fae5b0497b
• fca602926f8334c86d9329964089f241f0ab454336ab64bcf4e28adc11e092ea
• 5767b8991728ba9de1f7c020b23624b5009b93c1a8457f060f9d6067839f3dda
• cb3c5a0bb741d84f023cc89ad39b16ec62c4b86b1da4549b8f9732410539a281
• 9f4e10007576444e48d3b66d71dc28d397fb1d5ecbb8b11bd1e8f481e1171f5c
• fcec7c2c13b79d76be83315ec21d5d0a3445e2497f5d6bf505a4649e0e47a4d0
• 1ab7f3c6309d6e245441f0ead9c587b58b6c5dd40b7b5144e924807098b7ef54
• 1516e78afb0d539ba9488ce7e07d47e22ad5d471f2f26906cb65c4202f51272a
• d21ee21de45477fdb43c2346f6abd4323276fcf7c4c4e5118dc0b12478b43a84
• a164f41a33bedf65968616d13725e28e4d421c7453415c1cb25ccf54244aaea0
• 330e5e616861cb2a69f2f443a0540a627bd042043aae17a1639ee5240dd20a6a
• 42ea56b5088ae3e9fd2262246f1932e641765f939c49d3b1e819b80cd2f5e153
• 91d2ce1784fcb611ce217295be9e4c111d8a3c0ae9780cb3fc8863766aeb51b8
• 4d92096e380bc35447ca5ff3c72de32cebcf7976aa78fae2b75da7ed8f0aea4c
• 706c808f9784fc92f45c92b88a0cf71b2f8eb3bd389c1606f7b29861d412f1f6
• 20e4c127f9704e78dd48c5db9b03559e182c1a94ed504aa66d8952d04be27398
• 5ba97da57e01390ebf681c96bc5c68d600b06e8d70e92cc3fa4dfcadd02889e5
• 5e601072b7c351f0d24e2aa604daea0ce00f40dc9d45aabc1a36a82cb379d89c
• b81c8945e5759382308d4d5d9a6784f99f625f483cf67a10474c447054ed81fc
• 320da1b2701f5c725087ba2ced38e23c6d58823856675a8b9894b50252f479b9
• 31cfd82d643e9d63fa16516b446b226c5835778ad1f4ffbbc6ec5864424b7911
• 0e7e6e78678e07ac421d673c1f9807d778c9dc94806fe0893d21c75377a89cbf
• 96f6c9b0a98486c4f41692cacd27cef419a4f7af7d7b4ccb3943e53dcb8e8de2

SHA-1

• 4adcdbf9933c47f478bda6058b5d5f237eb84b58
• 876cd37b9591d2c42c414d08f2392e1e511137f0
• b18b61306aba922e4f746ea3d032a8d0a29ecd67
• e676ebf47af3cc412bb92585bb8a7e8475cb6afb
• 83ae5dc85f772c87863d78d97b15178563e35c0f
• 053142b705964971847348a67e14fc697fedd401
• 4e6ded77b20b7fac76a98c1849507b4f8db5079b
• 539fec46b4e148cd40ac547c6088a2bbc4b9bfea
• b9976daf3b503fe540af652ed3cf3f2421a4b9a6
• ae27b9b0c9dfd41a9eb99c0d05e3ba0d28ff8b09
• 9ddc99425f8f9da3491e04c673164f6311f0fb78
• c05783e2837615cc751d7003c0729f83b6891c81
• 9416c6f4dc80684b4222a3fe3dcf932d6443ac52
• f062ea7ef775321a6e3c5abcf726ace13aba889a
• 2eb075fd728097e0963a38c88d38e108a93e1086
• 37577413d134a87b0e9605b38a3e688b862a8daa
• 676c3a0d27693ad4d0449d5ad6696326842449fa
• a9d2d2709cc8dab2e893de6322ed0093af5bdd95
• 2e91f2e51e46ee2557230bdb2fb3da8c7b1a58b7
• 8537133c2e445183dd61f6bfd25c01090bbc7cf3
• 325423f6ae40237953e4a9499a9a844c8a2c6d2e
• 67bba07e645e0d9551cb6b8d4198bcd23a16910e
• 766e0129e7c4b2a6daeee2befe5b87853ba7edac
• 10bb373322796ccb467103bd2f4c7c46dad8b8f8

URL

• http://zimbawhite.is-certified.com/
• http://45.42.160.55/

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Conduct regular cybersecurity awareness training for employees and users, highlighting the risks associated with opening suspicious emails and clicking on unknown links.
• Ensure all systems, applications, and security software are up to date with the latest patches and updates to address known vulnerabilities.
• Implement network segmentation to isolate critical systems and sensitive data from potential infections, limiting the lateral movement of malware.
• Employ application whitelisting to restrict the execution of unauthorized software, preventing the execution of malware like JanelaRAT.
• Deploy advanced email security solutions that can detect and block phishing attempts, preventing the delivery of malicious attachments or links.
• Utilize robust endpoint protection software with behavior-based detection to identify and stop malware activity in real-time.
• Implement a centralized patch management system to ensure timely deployment of security updates across all devices.
• Enforce MFA on critical accounts and systems to add an extra layer of protection against unauthorized access.
• Implement web filtering solutions to block access to known malicious domains and URLs associated with the malware.
• Employ firewalls and intrusion detection/prevention systems to monitor network traffic and detect any suspicious activities.
• Develop a comprehensive incident response plan to outline actions to take in case of a malware outbreak, ensuring a swift and organized response.
• Implement behavioral analytics tools to detect abnormal patterns of behavior indicative of a malware infection.
• Maintain regular and encrypted backups of critical data to ensure recovery in case of data loss due to a malware attack.
• Evaluate and assess the security practices of third-party vendors and suppliers to prevent potential entry points for malware.
• Ensure compliance with relevant data protection regulations and industry standards to protect sensitive financial data.
• Implement continuous network and system monitoring to promptly detect and respond to any suspicious activities.