ESET Research has been tracking a new banking Trojan that has targeted corporate users in Brazil since 2019, across verticals such as engineering, healthcare, retail, manufacturing, finance, transportation, and government. This new threat, which ESET calls Janeleiro, tries to fool its victims with pop-ups designed to look like the websites of some of the largest banks in Brazil. It is a feature-rich Trojan: in addition to controlling the windows on the device, it can collect system information, control or kill the Google Chrome browser, take screenshots, log keystrokes, detect mouse movement, and hijack the clipboard, replacing copied bitcoin addresses with those of the cybercriminals in real time.
Remember that a Trojan presents itself as legitimate software, but once executed it lets the attacker take control of the infected device, after which the victim's personal information is at permanent risk. The basic defences are keeping the operating system and antivirus software up to date and scanning USB devices before connecting them to a computer. And, as the Janeleiro case shows, you have to pay attention to the websites you visit, so as not to land on fraudulent pages.
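The clipboard hijacking described above (a copied bitcoin address silently swapped for the attacker's) leaves a recognisable trace: one valid address is replaced by a different valid address a fraction of a second later, typically by a process the user did not copy from. The following Python script is an added example, not code from ESET or from the article, showing a simple detection heuristic over a clipboard-change timeline. The `ClipEvent` record, its `owner` field and the sample events are constructed for illustration (a real monitor on Windows would obtain the owner via `GetClipboardOwner`); the address check is syntax-only and deliberately omits Base58Check and bech32 checksum validation.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Address syntax only: prefix, alphabet and length. Base58 excludes 0, O, I and l;
# bech32 excludes 1, b, i and o. Checksum validation is intentionally left out.
LEGACY_RE = re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}")  # P2PKH / P2SH (Base58)
BECH32_RE = re.compile(r"bc1[ac-hj-np-z02-9]{11,71}")        # P2WPKH / P2WSH / P2TR


def is_btc_address(text: str) -> bool:
    """True if the text looks like a mainnet Bitcoin address (legacy is case-sensitive,
    bech32 is case-insensitive)."""
    s = text.strip()
    return bool(LEGACY_RE.fullmatch(s) or BECH32_RE.fullmatch(s.lower()))


@dataclass
class ClipEvent:
    t: float     # seconds since monitoring started
    text: str    # clipboard content after the change
    owner: str   # process that set the clipboard (hypothetical field for this example)


def detect_clipper(events: List[ClipEvent], window: float = 2.0) -> List[Tuple[str, str, str]]:
    """Flag a Bitcoin address that is replaced by a *different* Bitcoin address within
    `window` seconds. Users rarely copy two different addresses back-to-back that fast;
    a clipper does exactly that. Returns (original, replacement, owner_of_replacement)."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        a, b = prev.text.strip(), cur.text.strip()
        if is_btc_address(a) and is_btc_address(b) and a != b and (cur.t - prev.t) <= window:
            alerts.append((a, b, cur.owner))
    return alerts


# Constructed clipboard timeline. Both addresses are syntactically valid but invented
# (they would fail a checksum check) and belong to nobody.
VICTIM_ADDR = "1ConstructedVictimAddr7pQ9XeR2kM4w"
SWAPPED_ADDR = "3AttackerSwapAddrZyx8vB2nQ7kRt5mP9"

SAMPLE_EVENTS = [
    ClipEvent(0.0, "invoice #4711", "explorer.exe"),
    ClipEvent(5.2, VICTIM_ADDR, "chrome.exe"),    # user copies the payee address from a web page
    ClipEvent(5.4, SWAPPED_ADDR, "unknown.exe"),  # clipper overwrites it 200 ms later
    ClipEvent(40.0, "meeting at 3pm", "outlook.exe"),
    ClipEvent(90.0, VICTIM_ADDR, "chrome.exe"),
    ClipEvent(95.0, VICTIM_ADDR, "chrome.exe"),   # same address re-copied slowly: no alert
]


def run_sample() -> List[Tuple[str, str, str]]:
    return detect_clipper(SAMPLE_EVENTS)


if __name__ == "__main__":
    for old, new, owner in run_sample():
        print(f"clipper suspected: {old} -> {new} (set by {owner})")
```

On a live system the same logic would run on clipboard-change notifications rather than a prepared list; the window and the owner-process check are the two knobs to tune against false positives from users who legitimately copy several addresses in quick succession.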
While Janeleiro follows the same model as other malware families that ESET has documented in the region for the core implementation of its fake pop-ups, it differs from those families in several ways:
▸It is written in Visual Basic .NET
The curious thing about Brazil is that banking Trojans targeting users in that country are generally written in Delphi, the language of choice for several threat actors that apparently cooperate, sharing tools and infrastructure. Janeleiro's preference for VB.NET is a notable departure from what appears to be the norm for the region.
▸No binary obfuscation
While this threat uses mild obfuscation, generating random names for its classes, modules, methods and parameters and encrypting its strings, it does not use packers or wrappers to hinder detection and analysis. Other Trojans such as Grandoreiro, Mekotio, Ousaban, Vadokrist, and Guildma make heavy use of Themida and binary padding.
▸No custom encryption algorithms
The developers of this threat rely on the cryptographic functions provided by the .NET Framework, as well as open source projects, for encrypting and decrypting strings, with a preference for the AES and RSA algorithms. Trojans such as Casbaneiro, Grandoreiro, Amavaldo, Mispadu, and Guildma, among others, use custom encryption algorithms, including string-table obfuscation techniques.
▸Simple execution method
The MSI installer does not deploy any component other than the Trojan's main DLL, nor does it perform any action other than loading that DLL and executing one of its exports. We have not found samples of an MSI installer running obfuscated scripts, unpacking tools, or components for DLL side-loading, which is popular with other malware families targeting the region.
▸Uses code from NjRAT
Janeleiro is far from being just another incarnation of the well-known NjRAT, but it reuses NjRAT's SocketClient and Remote Desktop capture functions, among others.
See also:
Alien – New Mobile Banking Malware
Emotet – banking malware fear of many companies