Security researchers on Tuesday reported a new banking Trojan that targets corporate users in Brazil. The threat, tracked under the name "Janeleiro", has been in the wild since at least 2019 and has been aimed at organisations in engineering, retail, healthcare, manufacturing, finance, transportation and government.
The malware conceals its purpose behind pop-up windows designed to look exactly like the websites of several of the country's major banks, including Itaú Unibanco, Santander, Banco do Brasil, Caixa Econômica Federal and Banco Bradesco.
These pop-ups contain fake forms that prompt victims to enter personal information and banking credentials. Whatever is typed in is collected by the malware and sent to its command-and-control servers.
Researchers studying Janeleiro's modus operandi report that the attack begins with a phishing email posing as an unpaid invoice. The email contains a link that, when clicked, downloads a ZIP archive to the victim's computer. The archive holds an MSI installer that deploys the Trojan's DLL. The DLL then retrieves the IP addresses of the command-and-control (C2) servers and, all without the victim's knowledge, waits for commands from them.
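The delivery chain above (phishing link, ZIP written by a mail client or browser, msiexec running an MSI from a user-writable folder, a DLL loaded from a user-writable folder, an outbound connection from the process that loaded it) is the kind of sequence a detection engineer would hunt for in endpoint telemetry. The script below is an added example, not code from the researchers or from the malware; it assumes a simplified Sysmon-like event record (fields `ts`, `host`, `type`, `pid`, `image`, `target`, `cmdline`, `dst_ip`, `dst_port`) and the sample events are constructed for illustration, not real Janeleiro telemetry. The path fragments, process names and time window are tuning assumptions, not indicators from the report.

```python
"""Hunt for the ZIP -> msiexec -> user-writable DLL -> outbound-connection chain.

Added example (not ESET's or Janeleiro's code). Event shape is a simplified
Sysmon-like record (assumption); SAMPLE_EVENTS are constructed, not real.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta

# Processes that typically receive phishing payloads (assumption: tune per estate).
MAIL_AND_BROWSERS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Path fragments an ordinary user can write to (assumption; matched case-insensitively).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Address ranges treated as internal; anything else counts as a possible C2 destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _lower(path: str) -> str:
    return path.replace("/", "\\").lower()


def in_user_writable(path: str) -> bool:
    return any(frag in _lower(path) for frag in USER_WRITABLE)


def is_external(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def detect_chain(events: list[dict], window_s: int = 900) -> list[dict]:
    """Return one alert per host where all four stages occur, in order,
    within window_s seconds of the ZIP being written to disk."""
    alerts = []
    by_host: dict[str, list[dict]] = {}
    for ev in sorted(events, key=_ts):
        by_host.setdefault(ev["host"], []).append(ev)

    for host, evs in by_host.items():
        for i, drop in enumerate(evs):
            # Stage 1: a ZIP written by a mail client or browser.
            if not (drop["type"] == "FileCreate"
                    and _lower(drop["image"]).split("\\")[-1] in MAIL_AND_BROWSERS
                    and _lower(drop["target"]).endswith(".zip")):
                continue
            deadline = _ts(drop) + timedelta(seconds=window_s)
            later = [e for e in evs[i + 1:] if _ts(e) <= deadline]

            # Stage 2: msiexec installing an MSI that lives in a user-writable path.
            msi = next((e for e in later if e["type"] == "ProcessCreate"
                        and _lower(e["image"]).endswith("\\msiexec.exe")
                        and ".msi" in _lower(e["cmdline"])
                        and in_user_writable(e["cmdline"])), None)
            if msi is None:
                continue
            # Stage 3: a DLL loaded from a user-writable path after the install.
            dll = next((e for e in later if e["type"] == "ImageLoad"
                        and _ts(e) >= _ts(msi)
                        and _lower(e["target"]).endswith(".dll")
                        and in_user_writable(e["target"])), None)
            if dll is None:
                continue
            # Stage 4: the same process reaches an external address (C2 lookup/beacon).
            conn = next((e for e in later if e["type"] == "NetworkConnect"
                         and _ts(e) >= _ts(dll)
                         and e["pid"] == dll["pid"]
                         and is_external(e["dst_ip"])), None)
            if conn is None:
                continue
            alerts.append({"host": host, "zip": drop["target"],
                           "msi_cmdline": msi["cmdline"], "dll": dll["target"],
                           "beacon": f'{conn["dst_ip"]}:{conn["dst_port"]}'})
            break  # one alert per host is enough for triage
    return alerts


SAMPLE_EVENTS = [  # constructed for illustration; not real telemetry
    {"ts": "2021-04-06T09:00:00", "host": "WS01", "type": "FileCreate", "pid": 100,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "target": "C:\\Users\\ana\\Downloads\\fatura_0421.zip"},
    {"ts": "2021-04-06T09:01:10", "host": "WS01", "type": "ProcessCreate", "pid": 200,
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\ana\\AppData\\Local\\Temp\\fatura_0421.msi /qn"},
    {"ts": "2021-04-06T09:01:30", "host": "WS01", "type": "ImageLoad", "pid": 300,
     "image": "C:\\Users\\ana\\AppData\\Roaming\\Updater\\updater.exe",
     "target": "C:\\Users\\ana\\AppData\\Roaming\\Updater\\core.dll"},
    {"ts": "2021-04-06T09:01:45", "host": "WS01", "type": "NetworkConnect", "pid": 300,
     "image": "C:\\Users\\ana\\AppData\\Roaming\\Updater\\updater.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    # Near miss on a second host: a ZIP download and an MSI from Downloads, but the
    # installed DLL loads from Program Files, so the chain does not complete.
    {"ts": "2021-04-06T09:05:00", "host": "WS02", "type": "FileCreate", "pid": 110,
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "target": "C:\\Users\\bob\\Downloads\\report.zip"},
    {"ts": "2021-04-06T09:06:00", "host": "WS02", "type": "ProcessCreate", "pid": 210,
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\bob\\Downloads\\tool-setup.msi"},
    {"ts": "2021-04-06T09:06:30", "host": "WS02", "type": "ImageLoad", "pid": 310,
     "image": "C:\\Program Files\\Tool\\tool.exe",
     "target": "C:\\Program Files\\Tool\\tool.dll"},
    {"ts": "2021-04-06T09:06:40", "host": "WS02", "type": "NetworkConnect", "pid": 310,
     "image": "C:\\Program Files\\Tool\\tool.exe", "dst_ip": "203.0.113.20", "dst_port": 443},
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately keys on where the MSI and DLL live rather than on any file name or hash, since those change between campaigns; the price is that legitimate per-user installers that drop DLLs under AppData will also fire, so the alert is a triage lead rather than a verdict.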
Whenever the victim visits one of the targeted banks' websites, Janeleiro contacts the C2 server and displays a bogus pop-up window that captures keystrokes and whatever else is entered into the fake form.
Many banking Trojans rely on this overlay tactic to harvest as many victims as possible, but Janeleiro has a few traits that set it apart from the rest of its kind. One is that it is written in Visual Basic .NET, which researchers note is not the language of choice for most threat actors in this space, who mostly rely on Delphi. Another is that it does not use custom encryption algorithms, and it adds no additional layers of obfuscation.