ZCyberNews

JanelaRAT Malware Campaign Targets Latin American Financial Sector

A modified version of BX RAT, dubbed JanelaRAT, has been deployed in over 14,000 attacks against banks and financial institutions in Brazil and Mexico, stealing financial data and keystrokes.


Executive Summary

A malware campaign utilizing a modified version of the BX RAT, now tracked as JanelaRAT, has executed over 14,000 attacks against financial institutions in Latin America, primarily in Brazil. The malware is designed to steal sensitive financial and cryptocurrency data, log keystrokes, capture screenshots, and exfiltrate system information. The campaign's focus on specific regional banks and its high volume of attacks indicate a targeted, financially motivated operation.

Technical Analysis

JanelaRAT is a remote access trojan (RAT) based on the open-source BX RAT. The malware functions as a data stealer and surveillance tool. According to analysis, its capabilities include logging keystrokes, tracking mouse inputs, capturing screenshots, and harvesting system metadata such as computer name, operating system details, and IP address. A primary function is to search for and exfiltrate data related to specific financial entities and cryptocurrency wallets. The malware's command-and-control (C2) infrastructure is configured to receive this stolen data. The source report indicates the malware was delivered via malicious email attachments, though the exact initial infection vector and any exploited vulnerabilities remain unspecified. No specific CVE IDs are associated with this campaign at this time.

Tactics, Techniques & Procedures

The threat actors behind the JanelaRAT campaign employ techniques consistent with financially motivated cybercrime. Based on the source material, the primary initial access vector is believed to be phishing emails containing malicious attachments. Once executed, the malware establishes persistence and begins collection activities (T1557), including keylogging (T1056.001) and screen capture (T1113). It specifically searches victim systems for files and data related to the targeted financial institutions (T1083, T1555). Collected data is then exfiltrated to actor-controlled C2 servers (T1041). The malware's modification of a known RAT framework suggests development of capabilities (T1587) and possibly obfuscated files or information (T1027) to evade detection.

Threat Actor Context

The source material does not attribute the JanelaRAT campaign to a named threat actor or group. The operational focus—targeting specific banks and financial services in Latin America with a high volume of attacks—strongly suggests a financially motivated cybercriminal operation, potentially based in or focusing on the region. The reuse and modification of the BX RAT framework indicate actors with moderate technical skill, leveraging existing tools for efficiency. There is no evidence linking this activity to state-sponsored groups at this time.

Mitigations & Recommendations

Organizations, particularly in the Latin American financial sector, should implement defensive measures tailored to the observed TTPs. Users should be trained to identify and report phishing attempts, with strict policies against opening unexpected email attachments. Endpoint Detection and Response (EDR) solutions should be deployed and tuned to detect behaviors associated with RATs and data stealers, such as keystroke logging, screenshot capture, and suspicious outbound connections to unknown IP addresses. Application allowlisting can prevent the execution of unauthorized binaries like JanelaRAT. Network monitoring for data exfiltration to unfamiliar external destinations is also recommended. As no specific vulnerability is cited, patch management, while always critical, should be complemented by these behavior-focused controls.
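The behavior-focused tuning recommended above can be expressed as a correlation rule over endpoint telemetry. The following is an added example, not code from the article or from any vendor product: it assumes a hypothetical EDR event schema (one JSON event per line with process, API-call and network fields), a constructed destination allowlist, and a small set of Windows API names commonly associated with keystroke capture and screen capture, and it flags a process only when it combines at least two of the campaign's TTPs (T1056.001, T1113, T1041).

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample telemetry in a hypothetical EDR schema: "api" events carry
# the Windows API called, "net" events carry the outbound destination.
SAMPLE_TELEMETRY = r"""
{"pid": 4120, "image": "C:\\Users\\ana\\AppData\\Roaming\\update.exe", "type": "api", "api": "SetWindowsHookExW", "arg": "WH_KEYBOARD_LL"}
{"pid": 4120, "image": "C:\\Users\\ana\\AppData\\Roaming\\update.exe", "type": "api", "api": "BitBlt"}
{"pid": 4120, "image": "C:\\Users\\ana\\AppData\\Roaming\\update.exe", "type": "net", "dst": "203.0.113.45", "port": 443, "bytes_out": 184320}
{"pid": 880, "image": "C:\\Program Files\\Corp\\sync.exe", "type": "net", "dst": "198.51.100.10", "port": 443, "bytes_out": 512000}
{"pid": 2001, "image": "C:\\Windows\\explorer.exe", "type": "api", "api": "GetAsyncKeyState"}
"""

# API heuristics for the two collection behaviours the article describes.
KEYLOG_APIS = {"SetWindowsHookExW", "SetWindowsHookExA", "GetAsyncKeyState", "GetKeyState"}
SCREENSHOT_APIS = {"BitBlt", "PrintWindow"}

# Constructed allowlist: internal ranges plus destinations the organisation knows.
KNOWN_DESTINATIONS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]


def outbound_is_unfamiliar(dst: str) -> bool:
    """True when the destination is outside every allowlisted network."""
    addr = ip_address(dst)
    return not any(addr in net for net in KNOWN_DESTINATIONS)


def detect(telemetry: str, min_techniques: int = 2) -> dict:
    """Map pid -> sorted ATT&CK IDs for processes showing at least
    min_techniques of: keylogging, screen capture, exfil to unfamiliar host."""
    seen: dict[int, set[str]] = {}
    for line in telemetry.strip().splitlines():
        ev = json.loads(line)
        hits = seen.setdefault(ev["pid"], set())
        if ev["type"] == "api":
            if ev["api"] in KEYLOG_APIS:
                hits.add("T1056.001")  # Input Capture: Keylogging
            elif ev["api"] in SCREENSHOT_APIS:
                hits.add("T1113")      # Screen Capture
        elif ev["type"] == "net" and outbound_is_unfamiliar(ev["dst"]):
            hits.add("T1041")          # Exfiltration Over C2 Channel
    # Requiring two techniques keeps a lone GetAsyncKeyState call (explorer.exe)
    # or a large upload to a known partner (sync.exe) from alerting on its own.
    return {pid: sorted(h) for pid, h in seen.items() if len(h) >= min_techniques}


if __name__ == "__main__":
    for pid, ttps in detect(SAMPLE_TELEMETRY).items():
        print(f"ALERT pid={pid} techniques={', '.join(ttps)}")
```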
