A new attack campaign is targeting financial institutions and cryptocurrency platforms across Latin America with a Remote Access Trojan (RAT) known as Janela RAT. The operators use deceptive MSI installers and malicious browser extensions as their entry vectors to compromise endpoints and harvest financial data from victims. The campaign, identified by KPMG analysts, relies on a multi-stage infection chain and poses a significant risk to the region's growing financial technology sector.
Janela RAT, believed to be a modified version of the older BX RAT, first surfaced in mid-2023. Researchers have observed it targeting individuals and organizations in Chile, Colombia, and Mexico, with a clear focus on banking, fintech, and cryptocurrency. The financially motivated operators aim to steal credentials and take over user accounts, with direct financial loss and a loss of customer trust as the consequences.
Multi-Stage Infection and Browser Hijacking via Janela RAT
Infection begins when a user runs what looks like a legitimate software installer packaged as an MSI file. The installers are hosted on public GitLab repositories, which lends them an appearance of legitimacy. On execution, the installer launches a chain of Go, PowerShell, and batch components that establish persistence and carry out the rest of the attack.
A central component of the campaign is a Go-based unpacker. It extracts a password-protected ZIP archive and decodes the Base64-encoded command-and-control (C2) server details, which are written to a `config.json` file that the malware reads to reach its operators. Base64 is an encoding, not encryption: it hides the C2 addresses from casual string searches and simple signature matching, but an analyst who has the `config.json` or a memory dump can recover them by decoding the relevant fields.
The scripts also enumerate any installed Chromium-based browsers. Without the user's knowledge, the malware modifies the browser's startup settings so that a malicious extension is loaded silently. The extension registers as a native messaging host, the Chromium mechanism that lets an extension exchange messages with a native application running outside the browser sandbox. A built-in function, `CollectRefresh`, then gathers a broad range of sensitive data: system information, browser cookies, browsing history, the list of installed extensions, and details of currently open tabs.
The extension also watches for specific URL patterns. When a visited page matches, for example a banking or cryptocurrency login page, it triggers further RAT functionality. This lets the operators respond to specific financial activity in near real time, raising the odds of credential theft or account takeover.
To evade detection, Janela RAT communicates with its C2 servers over encrypted WebSocket connections. The C2 domain names are stored Base64-encoded, which defeats naive string-based indicators, although the encoding is trivially reversible once the configuration is in hand. The malware can also rotate its C2 addresses, and it goes quiet during idle periods to blend into normal user activity and avoid behavioural alerts. Together these techniques let it persist undetected on infected systems for extended periods, allowing prolonged reconnaissance and data exfiltration.
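The extension loading and native messaging registration described above leave artefacts on the endpoint that can be audited. The following Python helper is an added example written for this page, not Janela RAT's code and not KPMG's tooling. It parses native messaging host manifests in Chromium's documented JSON format and flags hosts that point at scripts, interpreters, or user-writable directories, or that are reachable by an extension ID outside an approved set; it also checks browser shortcut or Run-key command lines for switches such as `--load-extension` that sideload an unpacked extension. The page does not say which startup setting the malware changes, so the launch-switch check is an assumption about one plausible mechanism. The sample manifests, extension IDs, paths, and command lines are constructed; the first extension ID is the placeholder from Chromium's own native messaging documentation, standing in for an approved extension.

```python
"""Audit Chromium native messaging host manifests and browser launch command
lines for the extension-sideloading pattern described above. Added example,
not Janela RAT code and not KPMG tooling; sample inputs are constructed and
the heuristics are editorial assumptions, not published IoCs."""
import json
import re
from dataclasses import dataclass, field

# Interpreters and script types a legitimate native host rarely uses.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "python.exe", "node.exe")
SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta")
# Assumption: vendor hosts live under Program Files or an OS directory, so a
# host in one of these user-writable locations deserves a second look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\",
                 "/tmp/", "/.config/", "/home/")
# Chromium switches that sideload unpacked extensions or expose automation.
LOAD_FLAGS = ("--load-extension=", "--disable-extensions-except=",
              "--remote-debugging-port=")
EXT_ID = re.compile(r"[a-p]{32}")  # Chromium extension ID format


@dataclass
class Finding:
    source: str
    reasons: list = field(default_factory=list)


# On Windows the default value of HKCU|HKLM\Software\Google\Chrome\
# NativeMessagingHosts\<name> points at the manifest file; on Linux it is
# ~/.config/<browser>/NativeMessagingHosts/<name>.json.
def audit_manifest(name: str, raw_json: str, approved_ext_ids: set) -> Finding:
    """Inspect one native messaging host manifest and collect reasons to distrust it."""
    f = Finding(source=name)
    try:
        m = json.loads(raw_json)
    except json.JSONDecodeError as e:
        f.reasons.append(f"unparseable manifest: {e.msg}")
        return f
    path = str(m.get("path", "")).lower()
    basename = re.split(r"[\\/]", path)[-1]
    if basename in SCRIPT_HOSTS or basename.endswith(SCRIPT_EXTS):
        f.reasons.append(f"host executable is a script or interpreter: {basename}")
    if any(frag in path for frag in USER_WRITABLE):
        f.reasons.append("host executable lives in a user-writable directory")
    if m.get("type") != "stdio":
        f.reasons.append(f"unexpected transport type: {m.get('type')!r}")
    for origin in m.get("allowed_origins", []):
        ext_id = str(origin).removeprefix("chrome-extension://").strip("/")
        if not EXT_ID.fullmatch(ext_id):
            f.reasons.append(f"malformed allowed origin: {origin}")
        elif ext_id not in approved_ext_ids:
            f.reasons.append(f"host reachable by unapproved extension: {ext_id}")
    return f


def audit_launch_target(target: str) -> list:
    """Return the suspicious Chromium switches present in a shortcut or Run-key command line."""
    return [flag for flag in LOAD_FLAGS if flag in target]


def run_triage(manifests: dict, launch_targets: dict, approved_ext_ids: set) -> list:
    """Run both checks; only sources with at least one reason are returned."""
    findings = [audit_manifest(n, j, approved_ext_ids) for n, j in manifests.items()]
    for label, target in launch_targets.items():
        flags = audit_launch_target(target)
        if flags:
            findings.append(Finding(label, [f"launch switch present: {x}" for x in flags]))
    return [f for f in findings if f.reasons]


# Constructed sample inputs (not real IoCs). The approved ID is the placeholder
# used in Chromium's native messaging documentation; the other is made up.
APPROVED_EXTENSIONS = {"knldjmfmopnpolahpmmgbagdohdnhkik"}
SAMPLE_MANIFESTS = {
    "com.vendor.updater": json.dumps({
        "name": "com.vendor.updater", "description": "Vendor updater bridge",
        "path": "C:\\Program Files\\Vendor\\bridge_host.exe", "type": "stdio",
        "allowed_origins": ["chrome-extension://knldjmfmopnpolahpmmgbagdohdnhkik/"]}),
    "com.winsvc.helper": json.dumps({
        "name": "com.winsvc.helper", "description": "",
        "path": "C:\\Users\\victim\\AppData\\Roaming\\WinSvc\\host.bat", "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]}),
}
SAMPLE_LAUNCH_TARGETS = {
    "Desktop\\Google Chrome.lnk":
        '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"',
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ChromeUpdate":
        '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
        '--load-extension="C:\\Users\\victim\\AppData\\Roaming\\WinSvc\\ext"',
}

if __name__ == "__main__":
    for finding in run_triage(SAMPLE_MANIFESTS, SAMPLE_LAUNCH_TARGETS, APPROVED_EXTENSIONS):
        print(finding.source)
        for reason in finding.reasons:
            print("  -", reason)
```

In a real run, feed `run_triage` the manifests referenced from the NativeMessagingHosts registry keys (both HKCU and HKLM) and the targets of every Chromium shortcut and Run-key entry; the approved extension set should come from the organisation's ExtensionInstallAllowlist policy, not from a hard-coded value.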
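Because the C2 details are only Base64-encoded, they can be recovered from a captured `config.json` or a strings dump without any key. The following Python scanner is an added example, not the malware's unpacker and not a reconstruction of its real configuration layout. It finds Base64-looking tokens in arbitrary text, strictly decodes them, and keeps only those that decode to a hostname or a ws/wss/http(s) endpoint, discarding valid Base64 that is not an address. The sample configuration, its field names, and the example hosts are constructed.

```python
"""Recover Base64-encoded C2 endpoints from a configuration blob. Added
example, not Janela RAT's unpacker or its config format; the sample config
below is constructed and its field names are invented for illustration."""
import base64
import binascii
import json
import re

# Runs of Base64 alphabet long enough to encode at least a short hostname.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
ENDPOINT = re.compile(r"^(wss?|https?)://([^/:\s]+)(?::\d{1,5})?(/\S*)?$", re.I)


def decode_candidate(token: str):
    """Strictly Base64-decode a token (re-padding it) and return the text,
    or None when it is not valid Base64 or does not decode to ASCII."""
    core = token.rstrip("=")
    padded = core + "=" * (-len(core) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(text: str):
    """Label decoded text as a ws/wss/http(s) endpoint or a bare hostname."""
    m = ENDPOINT.match(text)
    if m and HOSTNAME.match(m.group(2)):
        return "url"
    if HOSTNAME.match(text):
        return "host"
    return None


def extract_c2(blob: str) -> list:
    """Scan arbitrary text (a config.json, a strings dump) for Base64 tokens
    that decode to an endpoint; returns sorted unique
    (kind, decoded_value, original_token) tuples."""
    hits = set()
    for token in B64_TOKEN.findall(blob):
        text = decode_candidate(token)
        if text is None:
            continue
        kind = classify(text.strip())
        if kind:
            hits.add((kind, text.strip(), token))
    return sorted(hits)


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample: the real config.json layout is not described on the page.
SAMPLE_CONFIG = json.dumps({
    "id": "f1e2d3c4",
    "ws": _b64("wss://update-cdn.example:8443/ws"),
    "fallback": [_b64("relay1.example.net"), _b64("relay2.example.net")],
    "banner": _b64("hello world!"),  # valid Base64, but not an endpoint
    "agent": "jr-3.1",
    "interval": 300,
}, indent=2)

if __name__ == "__main__":
    for kind, value, token in extract_c2(SAMPLE_CONFIG):
        print(f"{kind:<4} {value:<40} <- {token}")
```

The scanner does not depend on knowing the configuration's field names, so the same function can be run over a memory strings dump or a recovered script; the strict decode and the hostname validation are what keep ordinary long identifiers in the input from showing up as false positives.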
The implications of this campaign extend beyond simple data theft. With harvested cookies and saved credentials, an attacker can resume a victim's authenticated session without re-entering a password or completing MFA, take control of financial accounts, and monitor live transactions without the victim's knowledge. For organizations in banking, fintech, and cryptocurrency, this depth of access is a severe operational and reputational risk, with the potential for significant financial loss and erosion of customer confidence.
Security teams should monitor their environments for the published Indicators of Compromise (IoCs) for this campaign, including the associated domains, IP addresses, and file hashes. Keeping Windows systems patched and enforcing multi-factor authentication (MFA) remains essential, with the caveat that a stolen session cookie lets an attacker bypass MFA for an already authenticated session, so cookie theft and extension sideloading must be addressed directly. Chromium browsers can be locked down through enterprise policy: ExtensionInstallAllowlist and ExtensionInstallBlocklist restrict which extensions may be installed, and NativeMessagingAllowlist, NativeMessagingBlocklist, and NativeMessagingUserLevelHosts control which native messaging hosts an extension may reach and whether user-level (HKCU) host registrations are honoured at all. Browser shortcuts and Run keys should be reviewed for unexpected launch switches, and native messaging host registrations under HKCU and HKLM Software\Google\Chrome\NativeMessagingHosts for hosts that point at scripts or user-writable paths. Organizations should also run threat assessment exercises to find the blind spots in their security posture that malware like Janela RAT could exploit.
As the campaign evolves, the operators will likely refine their evasion and exfiltration techniques, for example with more convincing social engineering to distribute the fake MSI installers and further obfuscation of their C2 communications. Defenders in the Latin American financial sector will need to keep their detection and response strategies current against these persistent threats.

