JanelaRAT

The latest attack chain documented by Kaspersky shows that phishing emails disguised as outstanding invoices are used to trick recipients into downloading a PDF file by clicking on a link, resulting in the download of a ZIP archive...

Initial infection vectors have evolved from ZIP archives containing VBScript to rogue MSI installer files, often distributed via platforms like GitLab.

It starts with emails mimicking the delivery of pending invoices to trick victims into downloading a PDF file by clicking a malicious link.

Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch...

Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch...

Some of the supported commands include ... Running commands using "cmd.exe" and PowerShell commands or scripts

First detected in the wild by Zscaler in June 2023, JanelaRAT has leveraged ZIP archives containing a Visual Basic Script (VBScript) to download a second ZIP file...

...phishing emails disguised as outstanding invoices are used to trick recipients into downloading a PDF file by clicking on a link, resulting in the download of a ZIP archive that initiates the aforementioned attack chain...

This code is designed to create several ActiveX objects to manipulate the file system and execute malicious commands.

These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components.

The malware utilizes DLL side-loading techniques for installation and establishes persistence through Windows Startup folders.

...establish persistence on the host by creating a Windows Shortcut (LNK) in the Startup folder that points to the executable.

The malware utilizes DLL side-loading techniques for installation and establishes persistence through Windows Startup folders.

...establish persistence on the host by creating a Windows Shortcut (LNK) in the Startup folder that points to the executable.

The MSI file acts as an initial dropper designed to install the final implant and establish persistence on the system. It obfuscates file paths and names with the objective to hinder analysis.

...distributed via rogue MSI installer files masquerading as legitimate software hosted on trusted platforms like GitLab.

To prevent multiple instances, the malware creates the mutex and exits if it already exists.

Recent analyses indicate the malware can detect and evade anti-fraud systems and sandbox environments.

Some of the supported commands include ... Simulating keyboard actions like DOWN, UP, and TAB for navigation Moving the cursor and simulating clicks | ...displaying images in full-screen mode ... and impersonating bank-themed dialogs via fake overlays to harvest credentials

Its capabilities include logging keystrokes, capturing screenshots, and collecting system metadata.

This channel is used to execute malicious tasks, including taking screenshots, monitoring keyboard and mouse input...

This channel is used to execute malicious tasks, including... injecting keystrokes or simulating mouse input...

The browser add-on then proceeds to gather system information, cookies, browsing history, installed extensions, and tab metadata...

Unlike BX RAT, it uses a custom title bar detection method to identify specific websites in a victim’s browser.

The malware collects system information, including OS version, processor architecture (32-bit, 64-bit, or unknown), username, and machine name.

Its capabilities include logging keystrokes, capturing screenshots, and collecting system metadata.

The browser add-on then proceeds to gather system information, cookies, browsing history, installed extensions, and tab metadata...

Recent analyses indicate the malware can detect and evade anti-fraud systems and sandbox environments.

Some of the supported commands include ... Simulating keyboard actions like DOWN, UP, and TAB for navigation Moving the cursor and simulating clicks | ...displaying images in full-screen mode ... and impersonating bank-themed dialogs via fake overlays to harvest credentials

Its capabilities include logging keystrokes, capturing screenshots, and collecting system metadata.

This channel is used to execute malicious tasks, including taking screenshots, monitoring keyboard and mouse input...

This channel is used to execute malicious tasks, including... injecting keystrokes or simulating mouse input...

Its capabilities include logging keystrokes, capturing screenshots, and collecting system metadata.

A significant amount of observed campaigns focus on stealing credentials for banking or other financial accounts, including use of banking trojans such as METAMORFO aka "Horabot," BBtok, and JanelaRAT.

It communicates with command-and-control servers to exfiltrate data, impersonates bank dialogs for credential harvesting, and monitors user activity to time malicious operations.

It triggers two subroutines responsible for periodic HTTP beaconing and downloading additional payloads.

Unlike other versions, this variant rotates its C2 server daily. Once a title bar matches the one in the list, the software dynamically constructs the C2 channel domain by concatenating an obfuscated string, the current date, and a suffix domain related to a legitimate dynamic DNS (DDNS) service.

All JanelaRAT samples utilize encrypted strings for sending information to the C2 and obfuscating embedded data. The encryption algorithm remains consistent across campaigns, combining base64 encoding with Rijndael (AES).

It communicates with command-and-control servers to exfiltrate data, impersonates bank dialogs for credential harvesting, and monitors user activity to time malicious operations.

This channel is used to execute malicious tasks, including... forcing system shutdown.