JanelaRAT Targets Latin American Financial Institutions, Harvesting Banking and Crypto Data
What Happened — JanelaRAT, a BX‑RAT‑derived remote‑access Trojan, has been delivering multi‑stage payloads to users in Latin America through phishing emails that masquerade as pending invoices. The chain culminates in a sideloaded DLL that steals banking credentials, transaction records, and cryptocurrency wallet information.
Why It Matters for TPRM —
- Financial‑service vendors in the region are being weaponized as data exfiltration platforms.
- The evolving infection chain (PDF → malicious link → compressed archive → MSI → DLL sideload) evades many traditional email‑gateway controls.
- Compromise of a single third‑party financial system can expose downstream customers’ payment data.
Who Is Affected — Banks, credit unions, fintech platforms, and cryptocurrency exchanges operating in or serving Latin America.
Recommended Actions —
- Review all third‑party financial service contracts for security clauses covering phishing‑resistant authentication.
- Enforce DMARC, SPF, and DKIM on inbound mail; block executable and MSI attachments from unknown senders.
- Deploy endpoint detection capable of identifying DLL sideloading and anomalous ActiveX activity.
- Conduct threat‑intel‑driven phishing simulations focused on invoice‑type lures.
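The mail-gating actions above (authentication checks plus blocking executable and MSI attachments from unknown senders) can be expressed as a small policy. The following is an added example, not code from the brief or from the SecureList report: it uses the standard-library `email` package, parses the `Authentication-Results` header a gateway stamps on inbound mail, inspects attachment extensions, and returns a verdict. The sender domains, trusted-domain list and sample messages are constructed for the demonstration.

```python
"""Inbound-mail gate for invoice-themed lures (added example, not from the brief)."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Attachment types the brief says to block outright from unknown senders.
BLOCKED_EXT = {".exe", ".msi", ".vbs", ".bat", ".cmd", ".js", ".scr", ".dll"}
# Archives from unknown senders are held for inspection; the described chain wraps its MSI in one.
ARCHIVE_EXT = {".zip", ".rar", ".7z"}


def auth_results(msg):
    """Collapse Authentication-Results headers into {'spf': 'pass', 'dkim': ..., 'dmarc': ...}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[mech.lower()] = res.lower()
    return results


def attachment_names(msg):
    """Filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw_message, trusted_domains):
    """Return a verdict (block / quarantine / deliver) with the reasons behind it."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    trusted = sender_domain in trusted_domains
    auth = auth_results(msg)
    reasons = []
    for name in attachment_names(msg):
        ext = PurePosixPath(name.lower()).suffix
        if ext in BLOCKED_EXT and not trusted:
            reasons.append(f"blocked attachment type {ext}: {name}")
        elif ext in ARCHIVE_EXT and not trusted:
            reasons.append(f"archive from unknown sender needs inspection: {name}")
    if auth.get("dmarc") != "pass":
        reasons.append(f"dmarc={auth.get('dmarc', 'missing')}")
    if any(r.startswith("blocked") for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "sender_domain": sender_domain, "auth": auth, "reasons": reasons}


def build_sample(sender, auth_header, filename, payload):
    """Construct a minimal MIME message for testing (constructed sample, not a real lure)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "tesoreria@example.com"
    m["Subject"] = "Factura pendiente"
    m["Authentication-Results"] = auth_header
    m.set_content("Adjunto la factura pendiente.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed samples: an invoice lure with an MSI, an archive from a new vendor, and a clean PDF.
TRUSTED = {"supplier.example"}
LURE = build_sample(
    "cobranza@invoice-mailer.example",
    "mx.example.com; spf=fail smtp.mailfrom=invoice-mailer.example; dkim=none; "
    "dmarc=fail header.from=invoice-mailer.example",
    "factura_pendiente.msi", b"MZ")
ARCHIVE = build_sample(
    "facturacion@new-vendor.example",
    "mx.example.com; spf=pass smtp.mailfrom=new-vendor.example; dkim=pass header.d=new-vendor.example; "
    "dmarc=pass header.from=new-vendor.example",
    "factura.zip", b"PK\x03\x04")
LEGIT = build_sample(
    "ap@supplier.example",
    "mx.example.com; spf=pass smtp.mailfrom=supplier.example; dkim=pass header.d=supplier.example; "
    "dmarc=pass header.from=supplier.example",
    "factura_0425.pdf", b"%PDF-1.4")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("archive", ARCHIVE), ("legit", LEGIT)):
        print(label, classify(raw, TRUSTED))
```

The gate treats a DMARC failure as a quarantine signal rather than an outright block so that misconfigured but legitimate senders are reviewed instead of silently dropped; only the attachment-type rule from the brief produces a hard block.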
Technical Notes —
- Attack vector: Phishing email with malicious PDF link → VBS/XML/BAT → compressed archive → MSI dropper → DLL sideload.
- Persistence: MSI creates hidden ActiveX objects and writes obfuscated files to the system.
- Data exfiltrated: Banking login credentials, transaction logs, cryptocurrency wallet addresses and private keys.
- Detection signatures: Kaspersky detects the components as Trojan.Script.Generic and Backdoor.MSIL.Agent.gen.
Source: SecureList – JanelaRAT: a financial threat targeting users in Latin America