Janela RAT Malware Steals Financial Data via Browser Extensions


Janela RAT Campaign Targets Latin American Financial Sectors

A wave of attacks is sweeping across Latin America, targeting the financial sectors of countries such as Chile, Colombia, and Mexico.

Sophisticated Infection Chains and Browser Abuse

  • The campaign delivers the Janela RAT malware and relies on a multi-stage infection chain plus abuse of the victim's own browser to steal sensitive financial data.
  • The malware, a modified version of the BX RAT, has been observed since mid-2023 and is particularly active in the region.

Attack Methodology

The attackers spread the malware through malicious MSI files hosted on public GitLab repositories. The installers pose as legitimate software from trusted platforms, so victims have little to distinguish them from genuine installers.

According to security firm KPMG, the attackers rotate their command-and-control infrastructure, which makes it harder for defenders to track the malware's activity.

Key Features of the Malware

  • The malware can switch command-and-control servers dynamically: a config.json file carries its lists of domains and repositories, stored base64-encoded.
  • The malware scans for installed Chromium-based browsers, such as Chrome and Edge, and modifies their launch parameters so that the browser loads the malicious extension without the user's knowledge. An extension loaded this way never passes through a web store review.
  • The extension sets up a native messaging host and uses a function called "CollectRefresh" to gather system details, cookies, browsing history, installed extensions, and information about open tabs.
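The launch-parameter tampering described above leaves a trace in whatever starts the browser (shortcut targets, scheduled tasks, process-creation telemetry). The script below is an added example, not code from the article or from the malware's authors: it inspects Chromium command lines for extension side-loading switches and flags extension directories in user-writable locations. The switches checked (`--load-extension`, `--disable-extensions-except`, `--remote-debugging-port`, `--remote-debugging-pipe`) are real Chromium switches, but the article does not name which ones this campaign uses, so that mapping is an assumption; the command lines are constructed for the example.

```python
"""Flag Chromium launch command lines that side-load an unpacked extension.

Added example, not part of the original article. The concrete switches below
are Chromium's own, but their use by the Janela RAT campaign is an assumption;
the sample command lines are constructed, not captured from a real incident.
"""
import ntpath
import re

# Process names of common Chromium-based browsers on Windows.
CHROMIUM_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Switches that inject an extension, or a debugger, into the browser at launch.
SUSPICIOUS_SWITCHES = {
    "--load-extension",
    "--disable-extensions-except",
    "--remote-debugging-port",
    "--remote-debugging-pipe",
}

# Path fragments that indicate a user-writable drop location for the extension.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# A token is a run of non-space/non-quote characters and/or quoted runs, so
# --load-extension="C:\path with spaces\ext" stays together as one token.
# This is a simplification of Windows CommandLineToArgvW (backslash escapes ignored).
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(cmdline):
    """Split a Windows-style command line into arguments with quotes removed."""
    return [tok.replace('"', "") for tok in TOKEN_RE.findall(cmdline)]


def inspect_launch(cmdline):
    """Return a finding dict for a Chromium launch using side-loading switches, else None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    exe = ntpath.basename(tokens[0]).lower()
    if exe not in CHROMIUM_EXES:
        return None  # the switch is only meaningful for a Chromium browser
    switches = {}
    for tok in tokens[1:]:
        name, _, value = tok.partition("=")
        if name.lower() in SUSPICIOUS_SWITCHES:
            switches[name.lower()] = value
    if not switches:
        return None
    # --load-extension accepts a comma-separated list of unpacked extension dirs.
    ext_dirs = [p for p in switches.get("--load-extension", "").split(",") if p]
    in_user_dir = any(m in d.lower() for d in ext_dirs for m in USER_WRITABLE_MARKERS)
    return {
        "exe": exe,
        "switches": switches,
        "extension_dirs": ext_dirs,
        "severity": "high" if in_user_dir else "medium",
        "cmdline": cmdline,
    }


def scan(cmdlines):
    """Run inspect_launch over many command lines (e.g. an EDR process-creation export)."""
    return [f for f in (inspect_launch(c) for c in cmdlines) if f is not None]


# Constructed sample input: three benign-or-irrelevant lines and one side-load.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default https://example.com',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\victim\AppData\Roaming\Updater\ext" --disable-extensions-except="C:\Users\victim\AppData\Roaming\Updater\ext"',
    r"C:\Windows\System32\notepad.exe --load-extension=C:\x",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(finding["severity"], finding["exe"], finding["extension_dirs"])
```

Feed it the `CommandLine` column of a process-creation export or the resolved targets of the browser shortcuts on each endpoint; a hit with severity `high` (extension directory under AppData, Temp or ProgramData) is the pattern worth pulling the extension's manifest and native messaging host registration for.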

Indicators of Compromise

  • KPMG has published indicators of compromise, including domains, IP addresses, and SHA-256 file hashes, that can be used to detect and contain the threat.

Recommendations for Protection

  • Experts recommend that organizations act now to protect themselves from this threat.
  • They advise scanning environments for the published indicators with EDR tools, fully patching Windows systems, and enforcing multi-factor authentication across environments. Because the extension harvests cookies, MFA alone does not protect sessions that are already authenticated; those sessions should be revoked once a compromise is found.
