
Meet Janeleiro: a new banking Trojan striking company, government targets


mood


Meet Janeleiro: a new banking Trojan striking company, government targets

The .NET Trojan’s developers don’t seem to care about staying undetected.

 

A banking Trojan striking corporate targets across Brazil has been unmasked by researchers. 

 

 

On Tuesday, ESET published an advisory on the malware, which has been in development since 2018.

 

Dubbed Janeleiro, the Trojan appears to be focused on Brazil as a hunting ground and has been used in cyberattacks against corporate players in sectors including healthcare, engineering, retail, finance, and manufacturing. Operators have also attempted to use the malware when infiltrating government systems. 

 

According to the researchers, the Trojan is similar to others currently operating across the country -- such as Casbaneiro, Grandoreiro, and Mekotio -- but is the first detected that is written in .NET, rather than Delphi, which is usually favored. 

Phishing emails, sent in small batches, are sent to corporate targets pretending to relate to unpaid invoices. These messages contain links to compromised servers and to the download of a .zip archive hosted in the cloud. If the victim unzips this archive file, a Windows-based MSI installer then loads the main Trojan DLL. 

"In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times," ESET says. "This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct."

 

The Trojan will first check the geolocation of the target system's IP address. If the country code is other than Brazil, the malware will exit. However, if the check is passed, the malware will then collect a variety of operating system data and will grab the address of its command-and-control (C2) server from a dedicated GitHub page.  

 

Janeleiro is used to create fake pop-up windows "on-demand," such as when banking-related keywords are detected on a compromised machine. These pop-ups are designed to appear to be from some of the largest banks across Brazil and they request the input of sensitive and banking details from victims. 

 

The malware's command list includes options for controlling windows, killing existing browser sessions -- such as those launched in Google Chrome -- capturing screens, keylogging, and hijacking clipboard data, among other functions. 

The operator of the Trojan appears to prefer a hands-on approach and may control the windows remotely, in real-time. 

 


 

Most malware operators at least make a token attempt to conceal their activities. In this case, code obfuscation is light but there is no attempt to circumvent existing security software and no custom encryption.

 

The operator uses GitHub, a code repository, to host files containing C2 server lists to manage Trojan infections. These repositories are updated on a daily basis. 

 

As of March, four variants of Janeleiro have been detected in the wild, although two share the same internal version number. Some samples have been packaged together with a password stealer in attacks, which suggests "the group behind Janeleiro has other tools in their arsenal," according to the team.

 

ESET says that GitHub has been made aware of the threat actor's account and abuse of the platform. The page has now been disabled and the owner suspended.

"GitHub values the contributions of our security research community and is committed to investigating reported security issues," a GitHub spokesperson told ZDNet. "We disabled the page in accordance with our Acceptable Use Policies, following the report that it was using our platform maliciously."

 

 

Source: Meet Janeleiro: a new banking Trojan striking company, government targets

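The infection chain described in the post above (MSI installer loads the Trojan DLL, which fetches its C2 server list from a GitHub page and then calls the C2) can be correlated from endpoint telemetry. This is an added example, not code from the article or from ESET; the events, the rundll32.exe host process and the msiexec.exe parent relationship are constructed assumptions for illustration.

```python
"""Flag the chain: child of msiexec.exe -> fetch from GitHub -> connect to a bare IP."""
from collections import defaultdict
import ipaddress

# Constructed sample telemetry (not from the article); one dict per event, in time order.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "msiexec.exe", "dest": None},
    {"type": "process", "pid": 200, "ppid": 100, "image": "rundll32.exe", "dest": None},
    {"type": "network", "pid": 200, "ppid": 100, "image": "rundll32.exe", "dest": "raw.githubusercontent.com"},
    {"type": "network", "pid": 200, "ppid": 100, "image": "rundll32.exe", "dest": "203.0.113.7"},
    {"type": "process", "pid": 300, "ppid": 1, "image": "chrome.exe", "dest": None},
    {"type": "network", "pid": 300, "ppid": 1, "image": "chrome.exe", "dest": "github.com"},
]

# Hosts a C2-list lookup on GitHub would plausibly hit (assumed set, not from the article).
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "gist.githubusercontent.com"}


def is_bare_ip(dest):
    """True when the destination is a literal IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def find_chains(events):
    """Return pids that pass all three stages, in order:
    1) process created as a child of msiexec.exe,
    2) that process connects to a GitHub host (C2 list fetch),
    3) the same process later connects to a bare IP (the C2 itself)."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    stage = defaultdict(int)  # pid -> highest stage reached so far
    for e in events:
        pid = e["pid"]
        if e["type"] == "process" and images.get(e["ppid"]) == "msiexec.exe":
            stage[pid] = 1
        elif e["type"] == "network" and stage[pid] == 1 and e["dest"] in GITHUB_HOSTS:
            stage[pid] = 2
        elif e["type"] == "network" and stage[pid] == 2 and is_bare_ip(e["dest"]):
            stage[pid] = 3
    return sorted(pid for pid, s in stage.items() if s == 3)


if __name__ == "__main__":
    print("suspicious pids:", find_chains(EVENTS))
```

The browser process in the sample (pid 300) also reaches github.com but is not a child of the installer, so it is not flagged; a real deployment would key on the actual DLL host process observed rather than the assumed rundll32.exe.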

 

Researchers on Tuesday revealed details of a new banking trojan targeting corporate users in Brazil at least since 2019 across various sectors such as engineering, healthcare, retail, manufacturing, finance, transportation, and government.

 

Dubbed "Janeleiro" by Slovak cybersecurity firm ESET, the malware aims to disguise its true intent via lookalike pop-up windows that are designed to resemble the websites of some of the biggest banks in the country, including Itaú Unibanco, Santander, Banco do Brasil, Caixa Econômica Federal, and Banco Bradesco.

 

"These pop-ups contain fake forms, aiming to trick the malware's victims into entering their banking credentials and personal information that the malware captures and exfiltrates to its [command-and-control] servers," ESET researchers Facundo Muñoz and Matías Porolli said in a write-up.

 

This modus operandi is not new to banking trojans. In August 2020, ESET uncovered a Latin American (LATAM) banking trojan called Mekotio that displayed similar fake pop-up windows to its victims in an attempt to entice them into divulging sensitive information.

 

But Janeleiro stands out for a number of reasons. One, the malware is written in Visual Basic .NET, which the researchers say is a "big deviation" from the Delphi programming language that's usually preferred by the threat actors in the region. It also doesn't rely on custom encryption algorithms or additional layers of obfuscation and even reuses code taken from NjRAT, a rarity among LATAM banking trojans.

 


 

The attack commences with a phishing email that purports to be an unpaid invoice, which contains a link that, when clicked, downloads a ZIP file. The archive comes with an MSI installer that loads the main trojan DLL, which subsequently fetches the IP addresses of the command-and-control (C2) servers from a GitHub page apparently created by the malware authors. The last link in the infection chain involves waiting for commands from the C2 server.

 

Thus, in the event a user visits the website of a banking entity of interest, Janeleiro connects to the C2 server, dynamically displays the fraudulent pop-up windows, and captures the keystrokes and other information entered in the fake forms.

 

ESET said it discovered four versions of Janeleiro between September 2019 and March 2021.

 

This is not the first time banking trojans have been spotted in the wild that have singled out Brazilian users. Last year, Kaspersky detailed at least four malware families — Guildma, Javali, Melcoz, and Grandoreiro — which were found to target financial institutions in Brazil, Latin America, and Europe.

 

Then earlier this January, ESET revealed a new Delphi-based banking trojan named "Vadokrist" that was found to target Brazil exclusively while sharing similarities with other malware families like Amavaldo, Casbaneiro, Grandoreiro, and Mekotio.

 

"Janeleiro follows the unique blueprint for the core implementation of the fake pop-up windows as many LATAM banking trojans, this does not seem to be a coincidence or inspiration: this actor employs and distributes Janeleiro sharing the same infrastructure as some of the most prominent of these active malware families," the researchers concluded.

 

Source



Similar topics merged.
