Researchers on Tuesday revealed details of a new banking trojan targeting corporate users in Brazil at least since 2019 across various sectors such as engineering, healthcare, retail, manufacturing, finance, transportation, and government.
Dubbed “Janeleiro” by Slovak cybersecurity firm ESET, the malware aims to disguise its true intent via lookalike pop-up windows that are designed to resemble the websites of some of the biggest banks in the country, including Itaú Unibanco, Santander, Banco do Brasil, Caixa Econômica Federal, and Banco Bradesco.
“These pop-ups contain fake forms, aiming to trick the malware’s victims into entering their banking credentials and personal information that the malware captures and exfiltrates to its [command-and-control] servers,” ESET researchers Facundo Muñoz and Matías Porolli said in a write-up.
This modus operandi is not new to banking trojans. In August 2020, ESET uncovered a Latin American (LATAM) banking trojan called Mekotio that displayed similar fake pop-up windows to its victims in an attempt to entice them into divulging sensitive information.
But Janeleiro stands out for a number of reasons. One, the malware is written in Visual Basic .NET, which the researchers say is a “big deviation” from the Delphi programming language that’s usually preferred by the threat actors in the region. It also doesn’t rely on custom encryption algorithms or additional layers of obfuscation and even reuses code taken from NjRAT, a rarity among LATAM banking trojans.
The attack commences with a phishing email that purports to be an unpaid invoice, which contains a link that, when clicked, downloads a ZIP file. The archive comes with an MSI installer that loads the main trojan DLL, which subsequently fetches the IP addresses of the command-and-control (C2) servers from a GitHub page apparently created by the malware authors. The last link in the infection chain involves waiting for commands from the C2 server.
Thus in the event, a user visits the website of a banking entity of interest, Janeleiro connects to the C2 server and dynamically displays the fraudulent pop-up windows, and captures the keystrokes and other information entered in the fake forms.
ESET said it discovered four versions of Janeleiro between September 2019 to March 2021.
This is not the first time banking trojans have been spotted in the wild that have singled out Brazilian users. Last year, Kaspersky detailed at least four malware families — Guildma, Javali, Melcoz, and Grandoreiro — which were found to target financial institutions in Brazil, Latin America, and Europe.
Then earlier this January, ESET revealed a new Delphi-based banking trojan named “Vadokrist” that was found to target Brazil exclusively while sharing similarities with other malware families like Amavaldo, Casbaneiro, Grandoreiro, and Mekotio.
“Janeleiro follows the unique blueprint for the core implementation of the fake pop-up windows as many LATAM banking trojans, this does not seem to be a coincidence or inspiration: this actor employs and distributes Janeleiro sharing the same infrastructure as some of the most prominent of these active malware families,” the researchers concluded.