Keypoints
- Infection chain begins with obfuscated VBScript inside ZIP archives that download a base64-encoded second-stage ZIP and drop a BAT for persistence.
- JanelaRAT is delivered as a .NET DLL (C#) protected with Eazobfuscator and is executed via DLL side-loading by renamed legitimate executables (e.g., vmnat.exe, identity_helper.exe).
- Strings and C2 configuration are AES-CBC (Rijndael) encrypted and then Base64 encoded, with a fixed key derived as MD5("8521"); a Python script provided with the report decrypts them.
- C2 uses 32 rotated dynamic-DNS domains selected by day-of-month; the day's port is fetched from an encrypted 16Psyche.txt, after which the implant speaks a socket-based custom protocol (RC4-like encryption plus LZ4-like compression) for commands and exfiltration.
- Core capabilities include window-title harvesting (kepler186f.txt list), blocking/closing targeted windows (block.blq), keystroke/mouse logging and synthesis, screenshots, remote actions (shutdown, suspend, run scripts), and remote desktop features.
- Self-defense includes string encryption, obfuscation, and an idle check (GetLastInputInfo; the implant goes idle if the last user input was more than 10 minutes ago), which also starves input-less sandboxes of behaviour to observe.
- Extensive IOCs published: numerous MD5 hashes for stages/VBScript/DLLs, download URLs and C2 domains/IPs, and filenames such as fi.ini, kepler186f.txt, block.blq, and 16Psyche.txt.
MITRE Techniques
- [T1587.001] Develop Capabilities: Malware – JanelaRAT is a repurposed BX RAT with added features and modifications (‘The attacker repurposed a known malware (BX RAT) to generate a new malware (JanelaRAT) and added a new set of features.’)
- [T1608.001] Stage Capabilities: Upload Malware – Compressed archives containing JanelaRAT were staged on attacker infrastructure (‘The attacker staged compressed archives containing samples of JanelaRAT on the infrastructure.’)
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Initial downloader is an obfuscated VBScript that fetches and decodes base64 ZIP archives (‘The attack chain includes the execution of a VBScript responsible for installing JanelaRAT.’)
- [T1059] Command and Scripting Interpreter – Batch script is used to set up persistence and trigger side-loading (‘The attack chain includes the execution of a batch script responsible for setting up persistence for JanelaRAT.’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via RunKey pointing to the renamed legitimate executable (‘Persistence is achieved by setting a RunKey.’)
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – JanelaRAT is delivered as a DLL loaded by legitimate executables (e.g., VCRUNTIME140.dll via vmnat.exe) to evade detection (‘JanelaRAT is side-loaded by a legitimate executable delivered by the threat attacker on the infected system.’)
- [T1027.002] Obfuscated Files or Information: Software Packing – JanelaRAT assemblies are protected with Eazobfuscator commercial packer (‘JanelaRAT is protected with a commercial packer called Eazobfuscator.’)
- [T1140] Deobfuscate/Decode Files or Information – Strings and payloads are Base64 encoded and AES-encrypted and require decryption (‘JanelaRAT strings are stored and encrypted with AES and encoded in Base64.’)
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – Malware checks last input and goes idle if inactive >10 minutes (‘JanelaRAT goes idle if the last input event occurred more than 10 minutes before the check.’)
- [T1132.001] Data Encoding: Standard Encoding – Uses Base64 encoding for staged payloads and some transmitted data (‘JanelaRAT encodes information transmitted to the C2 in Base64.’)
- [T1573.001] Encrypted Channel: Symmetric Cryptography – C2 communications and packets use AES (and RC4-like) encryption (‘JanelaRAT encrypts information transmitted to the C2 using AES.’)
- [T1095] Non-Application Layer Protocol – C2 implemented as a socket connection to resolved C2 IP/port (port fetched from 16Psyche.txt) (‘JanelaRAT establishes a socket-based C2 channel.’)
- [T1041] Exfiltration Over C2 Channel – Screenshots, window titles, keystrokes, mouse events and host profiles are sent over the C2 channel (‘JanelaRAT ships screenshots of the compromised system via the C2 channel.’)
Indicators of Compromise
- [File Hash – VBScript] VBScript downloader examples – 24c6bff8ebfd532f91ebe06dc13637cb, 51268b9681df47022c44af43f9d57255, and other VBS MD5s published
- [File Hash – Staged archives] MD5s of Stage 1/2 archives – 526a0b2d142567d8078e24ab0758fad7, 897e8483b673db70fdc5d3d111600cac, and 40+ other archive hashes
- [File Hash – JanelaRAT DLLs] JanelaRAT DLL MD5 examples – 999a9af2cd20a8c4bcf652e3523aafa3, 8b83e6b2d891cdf9250e9afd17081eab, and additional DLL hashes
- [Domains / Download URLs] Stage 2 download and C2 examples – http://zimbawhite.is-certified.com:3001/clientes/[1-44], cnt-blackrock.geekgalaxy.com
- [IP Addresses] C2 / hosting IP examples – 45.42.160.55, 191.96.224.215 (and other listed C2 IPs)
- [File Names] Payload and config filenames used by the malware – fi.ini, kepler186f.txt, block.blq, 16Psyche.txt (used for persistence checks, window-title lists, block lists, and port retrieval)
JanelaRAT technical procedure
JanelaRAT is deployed via a multi-stage chain initiated by an obfuscated VBScript delivered inside a ZIP archive. The VBScript (example MD5 24c6bff8ebfd532f…) fetches Base64 content from a staged URL (http://zimbawhite.is-certified.com:3001/clientes/[1-44]), decodes it into a second ZIP, drops a BAT file into C:\Users\Public, executes it and then reboots the host. The BAT establishes persistence by copying a legitimate executable and a malicious DLL to %AppData% and creating a Run key (e.g., MicrosoftEdgeAutoLaunch_) that points to the renamed executable; running that binary side-loads the JanelaRAT .NET assembly (examples: VCRUNTIME140.dll side-loaded by vmnat.exe, msedge_elf.dll by identity_helper.exe). For hunting, the Run key value itself points at a legitimate program, so the observable is the combination of a Run key targeting %AppData% and a renamed legitimate executable sitting beside a DLL (VCRUNTIME140.dll, msedge_elf.dll) it would not normally be deployed with.
The JanelaRAT DLL is a .NET 4.0 assembly protected with Eazobfuscator; its strings and configuration (including a 32-entry C2 domain array) are stored as Base64-encoded AES-CBC blobs whose key is MD5("8521"). That digest is 16 bytes, so this is AES-128, and .NET's RijndaelManaged with its default 128-bit block size is interoperable with standard AES. The Python decryptor provided with the report proceeds as follows: Base64 decode → IV = first 16 bytes → AES-CBC decrypt the remainder → strip the header. The implant selects the day's C2 domain by day-of-month, resolves it, fetches an encrypted port from 16Psyche.txt and then opens a raw socket to that IP:port. Packets are serialized and passed through an RC4-like routine keyed with 8521 and an LZ4-like compression step before being sent over this custom protocol. Because the dynamic-DNS domains rotate daily, blocking a single resolved IP is short-lived; the 32-domain list and the fixed User-Agent are the more durable indicators. The HTTP check-in is a GET to cnt-blackrock.geekgalaxy[.]com with the parameters op, us, nm and vs and a hardcoded User-Agent "VisaoAPP".
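The decryption steps above, written out as a small Go tool (an added example, not the report's Python script): the key is MD5("8521"), the first 16 bytes of the Base64-decoded blob are the IV, the rest is AES-128-CBC ciphertext. The report's script also strips a header from the plaintext whose layout is not given here, so this example stops at removing PKCS#7 padding (an assumption, as is the padding scheme). Because no real blob is reproduced on the page, EncryptString builds a constructed sample so the program runs offline; it is not malware functionality. DomainForDay models the day-of-month selection, and its (day-1) mod 32 indexing is likewise an assumption, since the page does not state the exact arithmetic.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// janelaKey derives the AES key as the report describes: MD5("8521").
// The digest is 16 bytes, so this is AES-128.
func janelaKey() []byte {
	sum := md5.Sum([]byte("8521"))
	return sum[:]
}

// DecryptString reverses the string-storage scheme: Base64-decode the blob,
// take the first 16 bytes as the IV, AES-CBC-decrypt the remainder with the
// MD5 key and strip PKCS#7 padding. Header stripping (done by the report's
// script) is omitted because its layout is unknown here; that is an assumption.
func DecryptString(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return "", err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("blob too short or not block-aligned")
	}
	block, err := aes.NewCipher(janelaKey())
	if err != nil {
		return "", err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// pkcs7Unpad validates and removes PKCS#7 padding. A padding error after
// decryption usually means the wrong key or a corrupted blob.
func pkcs7Unpad(b []byte) (string, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding (wrong key or corrupt blob?)")
	}
	return string(b[:len(b)-n]), nil
}

// EncryptString is the inverse operation, used only to build a constructed
// sample blob so the example runs offline. A nil iv means "pick a random one".
func EncryptString(plain string, iv []byte) (string, error) {
	if iv == nil {
		iv = make([]byte, aes.BlockSize)
		if _, err := rand.Read(iv); err != nil {
			return "", err
		}
	}
	block, err := aes.NewCipher(janelaKey())
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...)), nil
}

// DomainForDay picks one of the rotated C2 domains by day of month (1..31).
// The page only says "selected by day-of-month"; (day-1) mod len is an assumption.
func DomainForDay(domains []string, day int) string {
	if len(domains) == 0 {
		return ""
	}
	if day < 1 {
		day = 1
	}
	return domains[(day-1)%len(domains)]
}

func main() {
	// Constructed sample config string; not data from the report.
	blob, err := EncryptString("c2-example-01.invalid|c2-example-02.invalid", nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("blob:", blob)
	plain, err := DecryptString(blob)
	fmt.Println("plain:", plain, "err:", err)
}
```

If a real sample decrypts to padding errors with this key, check the assembly's cipher configuration before assuming a different key: a RijndaelManaged instance with a non-default block size, or a different padding mode, would break interoperability with plain AES-128-CBC.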
Operational capabilities focus on financial reconnaissance and stealthy control. Every second, JanelaRAT normalizes the foreground window title and checks it against a remotely supplied kepler186f.txt (a pipe-separated list of titles of interest). On a match it opens the socket C2 to alert the operators, and it supports remote keystroke/mouse capture and synthesis, screenshots (JPG or PNG, controlled by Mode), remote-desktop-like actions and host profiling (OS, account role, machine name, IPs, uptime). It can also enforce local blocking by parsing block.blq (timestamp | Base64 image | dash-separated blocked titles), closing matching windows via SendMessage(WM_CLOSE) and showing fake dialogs. Anti-analysis features include encrypted strings, Eazobfuscator packing and a time-based sandbox evasion: the implant calls GetLastInputInfo and goes idle if no input has occurred for more than 10 minutes, so a sandbox that never generates user input will observe little of the behaviour above. Python utilities for fetching all staged archives and decrypting strings are included in the appendix of the original report.
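The two configuration formats described above (the pipe-separated kepler186f.txt title list and the three-field block.blq lines) as a parser and matcher in Go. This is an added example for analysts emulating or testing the implant's logic, not code from the report; the target titles and the block.blq line below are constructed, and the normalization rule (lower-case, collapsed whitespace, substring match) is an assumption, since the page says only that titles are normalized before comparison.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Normalize approximates the implant's title normalization. The exact rules
// are not given on the page; lower-casing and collapsing whitespace is an
// assumption chosen so that minor title variations still match.
func Normalize(s string) string {
	return strings.ToLower(strings.Join(strings.Fields(s), " "))
}

// ParseTargets parses a kepler186f.txt-style list: titles separated by '|'.
// Empty fields (e.g. a trailing separator) are dropped.
func ParseTargets(list string) []string {
	var out []string
	for _, t := range strings.Split(list, "|") {
		if n := Normalize(t); n != "" {
			out = append(out, n)
		}
	}
	return out
}

// MatchTitle returns the first target contained in the normalized foreground
// title, mirroring the per-second check that decides whether to open the C2.
func MatchTitle(title string, targets []string) (string, bool) {
	n := Normalize(title)
	for _, t := range targets {
		if strings.Contains(n, t) {
			return t, true
		}
	}
	return "", false
}

// BlockEntry is one parsed line of block.blq.
type BlockEntry struct {
	Timestamp string
	Image     []byte   // decoded from the Base64 field (the fake dialog image)
	Titles    []string // normalized titles whose windows get WM_CLOSE
}

// ParseBlockList parses lines of the form
//   timestamp | base64 image | title1-title2-title3
// Splitting the third field on '-' follows the page's description, which
// implies blocked titles cannot themselves contain a hyphen.
func ParseBlockList(data string) ([]BlockEntry, error) {
	var entries []BlockEntry
	for i, line := range strings.Split(strings.TrimSpace(data), "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, "|", 3)
		if len(parts) != 3 {
			return nil, fmt.Errorf("block.blq line %d: expected 3 '|'-separated fields", i+1)
		}
		img, err := base64.StdEncoding.DecodeString(strings.TrimSpace(parts[1]))
		if err != nil {
			return nil, fmt.Errorf("block.blq line %d: image field: %w", i+1, err)
		}
		var titles []string
		for _, t := range strings.Split(parts[2], "-") {
			if n := Normalize(t); n != "" {
				titles = append(titles, n)
			}
		}
		entries = append(entries, BlockEntry{strings.TrimSpace(parts[0]), img, titles})
	}
	return entries, nil
}

// ShouldBlock reports whether the foreground title matches any blocked title.
func ShouldBlock(title string, entries []BlockEntry) bool {
	n := Normalize(title)
	for _, e := range entries {
		for _, t := range e.Titles {
			if strings.Contains(n, t) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed inputs; not the real kepler186f.txt or block.blq contents.
	targets := ParseTargets("Acesso a Conta|Internet Banking| Token de Seguranca |")
	fmt.Println(MatchTitle("INTERNET  Banking - Login", targets))
	entries, err := ParseBlockList("2023-08-01 12:00:00 | aGVsbG8= | Login-Token\n")
	fmt.Println(entries, err, ShouldBlock("Token Generator", entries))
}
```

For detection engineering the same parsers can be pointed at files recovered from %AppData% to enumerate which applications a given deployment was watching or blocking.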