BX RAT
JanelaRAT is a Latin America-focused financial malware family and remote access trojan widely described as a modified variant of BX RAT, active since June 2023. It targets financial and cryptocurrency data, including users of banks, fintech firms, and cryptocurrency platforms, with reporting specifically citing Brazil, Mexico, Chile, and Colombia. The malware is associated with financially motivated operators and has been assessed as a significant threat to regional financial infrastructure.
Across reported campaigns, JanelaRAT uses multi-stage infection chains that include phishing lures such as fake invoice deliveries, malicious websites, fake MSI installers, public GitLab-hosted payloads, compressed archives, scripts, and DLL sideloading. Reported components include Go, PowerShell, batch scripts, VBScript, XML, ZIP archives, and MSI droppers. In one described chain, a legitimate executable such as nevasca.exe sideloads a malicious DLL, PixelPaint.dll, which is the JanelaRAT payload. Persistence has been established via Startup-folder shortcuts or command scripts in the Windows Startup directory.
A defining behavioral difference from BX RAT is JanelaRAT’s custom title bar or active window title detection used to identify targeted banking or cryptocurrency websites open in the victim’s browser. It monitors browser or window titles against hardcoded targeted institutions and can delay before opening a dedicated C2 channel when a match occurs. Reported capabilities include collection of system information, browser cookies, saved credentials, browsing history, installed extensions, open tab data, screenshot capture, cropped image theft, keylogging, keyboard injection, mouse simulation, message display, forced shutdown, command execution, anti-fraud software detection, anti-analysis checks, and live banking session hijacking. It also uses overlay windows and decoy banking dialogs or fake Windows update screens to steal credentials and MFA tokens while suppressing user interaction.
Browser-focused tradecraft includes scanning for Chromium-based browsers, modifying browser startup settings to silently load a malicious extension, and registering that extension as a native messaging host. The extension reportedly gathers cookies, credentials, browsing history, system details, installed extensions, and open tab information, enabling account takeover and monitoring of financial activity.
For command and control, JanelaRAT has been reported using encrypted WebSocket communications, TCP sockets, and periodic HTTP beaconing. It uses obfuscated or base64-encoded domains and strings, AES/Rijndael-encrypted strings, dynamic or daily-rotating C2 infrastructure, and idle-time stealth to evade detection. Some traffic uses port 443 without TLS. Anti-analysis behavior includes checks involving Magnifier and MagnifierWindow components. Reported detections include Trojan.Script.Generic and Backdoor.MSIL.Agent.gen.
High-confidence indicators cited in the source reporting include the domain ciderurginsx.com and the MD5 hashes 808c87015194c51d74356854dfb10d9e and d7a68749635604d6d7297e4fa2530eb6.
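Two of the observations above translate directly into triage logic: the published IOCs can be matched exactly against network and file telemetry, and the reported use of port 443 without TLS can be caught by checking whether the first payload bytes of a tcp/443 flow form a TLS ClientHello record. The Python below is an added example, not code from the write-up or any vendor; the record format and the sample telemetry are constructed, while the domain and MD5 values are the ones reported above.

```python
"""Triage constructed network and file records against the IOCs reported for
this family, and flag tcp/443 connections whose first bytes are not a TLS
ClientHello (the reported "port 443 without TLS" behaviour).

The Record layout and SAMPLE_RECORDS are constructed for illustration; only
IOC_DOMAINS and IOC_MD5 come from the write-up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IOC_DOMAINS = {"ciderurginsx.com"}
IOC_MD5 = {
    "808c87015194c51d74356854dfb10d9e",
    "d7a68749635604d6d7297e4fa2530eb6",
}


@dataclass
class Record:
    host: str                          # internal endpoint that produced the event
    dst_domain: Optional[str] = None   # resolved/SNI/DNS destination, if any
    dst_port: Optional[int] = None
    first_bytes: bytes = b""           # first payload bytes of the flow, if captured
    file_md5: Optional[str] = None     # hash of a written/executed file, if any


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload begins with a TLS record carrying a ClientHello.

    Record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
    two-byte length; the handshake message that follows starts with type 0x01.
    """
    if len(payload) < 6:
        return False
    return (payload[0] == 0x16
            and payload[1] == 0x03
            and payload[2] in (0x00, 0x01, 0x02, 0x03, 0x04)
            and payload[5] == 0x01)


def triage(records: List[Record]) -> List[Tuple[str, str]]:
    """Return (host, reason) alerts for IOC matches and cleartext tcp/443 flows.

    Flows whose first bytes were not captured are skipped rather than flagged,
    so absent payload data does not produce false positives.
    """
    alerts = []
    for r in records:
        if r.dst_domain and r.dst_domain.lower().rstrip(".") in IOC_DOMAINS:
            alerts.append((r.host, f"known C2 domain {r.dst_domain}"))
        if r.file_md5 and r.file_md5.lower() in IOC_MD5:
            alerts.append((r.host, f"known sample hash {r.file_md5}"))
        if (r.dst_port == 443 and r.first_bytes
                and not looks_like_tls_client_hello(r.first_bytes)):
            alerts.append((r.host, "non-TLS traffic on tcp/443"))
    return alerts


# Constructed sample telemetry (not real observations).
SAMPLE_RECORDS = [
    # Ordinary HTTPS: TLS 1.0-compat record header followed by ClientHello (0x01).
    Record("ws-01", dst_domain="example.org", dst_port=443,
           first_bytes=bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xFC])),
    # Reported C2 domain, plain HTTP on 443: two alerts.
    Record("ws-02", dst_domain="ciderurginsx.com", dst_port=443,
           first_bytes=b"GET /beacon HTTP/1.1\r\nHost: ciderurginsx.com\r\n"),
    # Reported sample hash, in uppercase as some tools emit it: one alert.
    Record("ws-03", file_md5="808C87015194C51D74356854DFB10D9E"),
    # tcp/443 flow without captured payload: skipped, no alert.
    Record("ws-04", dst_domain="example.net", dst_port=443),
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_RECORDS):
        print(f"{host}: {reason}")
```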
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic: Stealth (2 techniques), Credential Access (1 technique), Discovery (1 technique).
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering network infrastructure (IPs, domains, and DNS) and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news. Each references BX RAT as the older trojan/RAT from which JanelaRAT was likely modified.