JanelaRAT: Trojan Disguises as Updates to Steal Financial Data
Financial trojans are evolving, utilizing fake system updates to intercept bank card data. The JanelaRAT family targets users in Latin America, tracking browser sessions and blocking interfaces under the guise of legitimate processes.
Distribution and Installation Mechanism
Infection occurs via phishing emails mimicking debt notifications. Links direct users to sites hosting archives containing MSI installers. These files deploy malware, masquerading it as Windows system components.
- Autostart: Added to the registry to launch upon OS boot.
- Obfuscation: Code encrypted using tools designed to evade antivirus software.
- System Masking: Creation of files with neutral names and library loading.
After installation, the trojan analyzes the environment: determines access rights, collects system data, and establishes contact with C2 servers over port 443 without TLS.
Surveillance and Attack Functions
JanelaRAT monitors active browser windows, reacting to financial websites. The name reflects a focus on the Portuguese word "janela" (window), highlighting its method of detecting targets.
The program interferes with sessions:
- Capturing keystrokes.
- Taking screenshots.
- Simulating mouse movements.
- Blocking the system via forced shutdown.
A key element is fullscreen overlays mimicking bank interfaces or OS updates. These force users to enter credentials, tokens, and 2FA codes.
Geography and Threat Statistics
Attacks are concentrated in Brazil and Mexico. In 2025, over 14,000 incidents were recorded in Brazil and approximately 12,000 in Mexico. The trojan adapts to local banks, with regular updates to the target list.
C2 infrastructure is dynamic: servers change daily, and traffic is masked as HTTPS.
Threat Context and Consequences
Financial trojans like JanelaRAT reflect a trend of simplifying infection while complicating the payload. This increases attack success rates by 20–30% compared to earlier versions like BX RAT, thanks to autonomous window analysis.
Reasons for Success:
- Growth of phishing in regions with high mobile banking penetration.
- Lack of awareness regarding fake updates.
- Adaptation to regional payment systems.
Consequences for the Industry:
Losses from data theft exceed billions of dollars annually in Latin America. Banks are strengthening multi-factor authentication and behavioral analysis, but users remain the weak link. Regulators are introducing traffic monitoring requirements, stimulating the development of AI detectors.
General context: In 2025, Latin America leads in financial fraud among emerging markets, with trojans accounting for 40% of cyber incidents.
Key Takeaways
- JanelaRAT combines stealthy window monitoring with real-time session interference.
- MSI installers simplify the infection chain, increasing attack conversion.
- Dynamic C2 servers complicate infrastructure blocking.
- Primary victims are clients of Brazilian and Mexican banks.
- Evolution from BX RAT has enhanced targeting precision.
— Editorial Team
No comments yet.