Janela RAT is a repurposed variant of BX RAT that targets fintech organizations in Latin America. The infection is multi-stage: MSI installers hosted on GitLab drop a set of scripts and a zipped payload, and a malicious Chromium browser extension performs the data theft. Obfuscated Go and .NET binaries load the payloads, execute commands, and communicate with the C2 servers over WebSocket, driven by a multi-file infection chain and a configuration fetched from GitLab. #JanelaRAT #BXRAT #GitLab #ChromiumExtension #LATAMFintech
Keypoints
- Janela RAT is identified as a variant of BX RAT, observed targeting Latin American fintech organizations.
- The infection chain starts with MSI installers hosted on multiple GitLab repositories containing several scripts and a zipped payload.
- The payload includes a Go binary, ‘LPrKz6y2fG.exe’, that embeds a password-protected zip file containing the browser extension and the Janela RAT executable.
- The malicious Chromium browser extension steals data, captures screenshots, executes native commands, and collects browser data such as cookies and history.
- The RAT communicates with its command and control (C2) servers over WebSocket connections; the C2 URLs are base64-encoded and retrieved from files hosted on GitLab.
- Janela RAT binaries are obfuscated using the free version of Eziriz .NET Reactor, with known deobfuscation methods publicly available.
- Indicators of compromise include specific GitLab URLs, domains such as w51w.worldassitencia[.]com, and multiple file hashes of MSI installers and malware components.
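The C2 configuration described above is fetched from a GitLab-hosted file and carries base64-encoded WebSocket URLs. The following added example (not code from the Janela RAT report or from the malware) shows how an analyst can pull those endpoints out of such a file offline; the CSV-like layout, the path on the C2 URL and every row except the report's defanged C2 domain are constructed for illustration, because the page does not document the real field format.

```python
"""Recover WebSocket C2 endpoints from a base64-encoded configuration file.

Added example, not the malware's code. The report states that the RAT fetches
base64-encoded C2 URLs from files on GitLab; the CSV-like layout below is an
assumption and the rows are constructed test data.
"""
import base64
import binascii
import re
from typing import List, Tuple

# Accept both WebSocket and HTTP(S) URLs; the caller filters to ws/wss if needed.
URL_RE = re.compile(r"^(wss?|https?)://\S+$")


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample file. Only the hostname in row 1 is the domain the report
# names (w51w.worldassitencia[.]com); the path and all other rows are made up.
SAMPLE_CONFIG = "\n".join([
    "id,value",
    "1," + _b64("wss://w51w.worldassitencia.com/ws"),
    "2," + _b64("https://example.invalid/update.zip"),
    "3," + _b64("not a url"),
    "4,this is not base64!",
    "5,",
])


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: ws://x.y -> ws[:]//x[.]y."""
    return url.replace("://", "[:]//").replace(".", "[.]")


def extract_c2_urls(config_text: str) -> List[Tuple[str, str]]:
    """Return (scheme, defanged_url) for every base64 field that decodes to a URL."""
    found: List[Tuple[str, str]] = []
    for line in config_text.splitlines():
        for token in line.split(","):
            token = token.strip()
            if not token:
                continue
            try:
                # validate=True rejects fields with non-base64 characters instead
                # of silently discarding them, so plain-text columns never decode.
                raw = base64.b64decode(token, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue  # plain-text field, truncated token, or binary blob
            m = URL_RE.match(raw)
            if m:
                found.append((m.group(1), defang(raw)))
    return found


def websocket_c2(config_text: str) -> List[str]:
    """Only the ws:// and wss:// endpoints, i.e. the WebSocket C2 channel."""
    return [u for scheme, u in extract_c2_urls(config_text) if scheme in ("ws", "wss")]


if __name__ == "__main__":
    for url in websocket_c2(SAMPLE_CONFIG):
        print(url)
```

Run it against the raw file downloaded from the GitLab URL in the IOC list rather than against the sample; decoding with `validate=True` is deliberate, since a lenient decode of a plain-text column can yield garbage that happens to look like a URL.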
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Used scripts like DOS batch and PowerShell to control execution flow and payload deployment (‘the script for setting up the custom browser extension… reliance on other scripts’).
- [T1105] Ingress Tool Transfer – Downloads payload components from GitLab repositories (‘MSI deliveries from gitlab accounts… containing multiple files’).
- [T1176] Browser Extensions – Installs a malicious Chromium-based browser extension to steal data and execute commands (‘Ultimately looks for Chromium based browsers to add parameters to load the extension’).
- [T1041] Exfiltration Over C2 Channel – Uses WebSocket connections to send stolen data and receive commands from C2 servers (‘C2 communications over websocket, commands issued from the C2 websocket’).
- [T1027] Obfuscated Files or Information – Janela RAT binary is obfuscated using .NET Reactor (‘The Janela RAT binary itself is obfuscated with the free version of Eziriz .NET reactor’).
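The T1176 entry above says the loader looks for Chromium-based browsers and adds parameters to load the extension, and the T1059 entry says batch and PowerShell scripts drive execution. The following added example (not code from the report) turns that into a hunt over process-creation telemetry: it flags a Chromium browser started with `--load-extension`, raises the score when the extension directory is user-writable or the parent is a script interpreter or msiexec. The `--load-extension` switch is assumed to be the parameter used, the record layout is modelled on Sysmon Event ID 1 fields, and the records themselves are constructed.

```python
"""Hunt process-creation telemetry for Chromium browsers started with --load-extension.

Added example, not code from the Janela RAT report. The report says the loader finds
Chromium-based browsers and adds parameters to load the malicious extension; the
--load-extension switch, the record fields and every path below are assumptions or
constructed test data.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe", "wscript.exe"}
# Directories a non-admin user (or an MSI running as that user) can write to.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")

# --load-extension accepts a comma-separated list; the value may be quoted.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Finding:
    image: str
    parent: str
    extension_dirs: List[str]
    score: int
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(record: dict) -> Optional[Finding]:
    """Score one process-creation record; None when it is not a Chromium + extension launch."""
    image = _basename(record.get("Image", ""))
    if image not in CHROMIUM_IMAGES:
        return None
    m = LOAD_EXT_RE.search(record.get("CommandLine", ""))
    if not m:
        return None
    dirs = [d.strip() for d in (m.group(1) or m.group(2)).split(",") if d.strip()]
    reasons = ["chromium browser launched with --load-extension"]
    score = 1
    if any(w in d.lower() for d in dirs for w in USER_WRITABLE):
        score += 2
        reasons.append("extension loaded from a user-writable directory")
    parent = _basename(record.get("ParentImage", ""))
    if parent in SCRIPT_PARENTS:
        score += 2
        reasons.append(f"spawned by {parent}")
    return Finding(image, parent, dirs, score, reasons)


def hunt(records: List[dict], min_score: int = 3) -> List[Finding]:
    """Keep only findings at or above min_score; a bare --load-extension alone (score 1)
    is common on developer machines and is dropped by default."""
    return [f for f in (analyze(r) for r in records) if f and f.score >= min_score]


# Constructed records modelled on Sysmon Event ID 1 fields; they are not real telemetry.
SAMPLE_RECORDS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--load-extension="C:\Users\Public\Documents\ext" --no-first-run'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--profile-directory=Default'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--load-extension=C:\dev\myext'},  # developer test, low score
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f.image, f.score, "; ".join(f.reasons), f.extension_dirs)
```

Feed it the `Image`, `ParentImage` and `CommandLine` fields from your EDR or Sysmon export; the scoring thresholds are a starting point, and a malicious extension that is also registered through browser policy or a shortcut rewrite will not show up as a `--load-extension` launch and needs a separate check.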
Indicators of Compromise
- [IP/Domain] Known C2 domains – w51w.worldassitencia[.]com, team000analytics.safepurelink[.]com
- [File Hash] Installer MSI file hash – 907cff1b76b2e2e44fa6bb41e6b0502733592fee7c18bb9873b9ae2b88bf941c
- [File Hash] Additional malware file hashes – da6b97b245c65193eb231de0314508759a69db35a8f76afc66b4757702a231d024, 666ba2708be3fc6a208d1e961af343a8105959fa87bfd3322a36d6c4e57d11226 (and multiple others). As printed, these two values are longer than a 64-character SHA-256 digest; verify them against the original report before loading them into a blocklist.
- [File Name/Path] Executables and scripts – LPrKz6y2fG.exe, BF32FB64-1EF9-4ABF-8806-8B182B7929D4.exe, %TEMP%\start_process.ps1, C:\Users\Public\Documents\LPrKz6y2fG3a5OxUe6 (the final component may be two directories, LPrKz6y2fG and 3a5OxUe6; the separator did not survive extraction)
- [URL] GitLab URLs hosting payload and configuration files – https://gitlab.com/mariogadu896/a5da3e9493a2b6993af982874c4a53f5/-/raw/main/_61b10e601b06.msi, https://gitlab.com/mario1950ams341/rootkit_1206/-/raw/main/file1.csv (and others)