Banana RAT Malware Delivered via Fake Invoices Compromises Customers of 16 Brazilian Banks
What Happened – A campaign using counterfeit invoices and spoofed security‑update screens has been distributing the Banana RAT remote‑access trojan to customers of 16 major Brazilian banks. The malware harvests credentials and payment data, often leveraging QR‑code fraud to exfiltrate funds.
Why It Matters for TPRM –
- Third‑party banking portals are being weaponised, exposing your organisation’s employees and clients to credential theft.
- Successful QR‑fraud can result in direct financial loss and reputational damage for any business that processes payments through the affected banks.
- The attack demonstrates how supply‑chain‑adjacent vectors (invoices, update prompts) can bypass traditional perimeter controls.
Who Is Affected – Financial Services (retail banking), customers of the 16 Brazilian banks, and any third‑party vendors that integrate with those banking APIs or payment flows.
Recommended Actions –
- Review contracts and security questionnaires for any banking partners operating in Brazil.
- Enforce multi‑factor authentication for all banking‑related logins and educate users on verifying invoice authenticity.
- Deploy email and web‑gateway anti‑phishing controls that can detect malicious QR codes and fake update screens.
Technical Notes – The payload is the Banana RAT trojan, delivered via malicious Microsoft Office documents and HTML pages masquerading as security updates. Attackers embed QR codes that redirect victims to phishing sites that capture credentials. No public CVE is associated; the vector relies on social engineering rather than a software flaw. Source: HackRead