A fresh wave of Janela RAT attacks is targeting Latin American financial sectors through fake MSI installers and malicious browser extensions designed to steal sensitive data. The remote access trojan, first spotted in mid-2023, appears to be a modified version of BX RAT and is being deployed against banking, fintech and cryptocurrency users, mainly in Chile, Colombia and Mexico.
Malware Masquerades as Trusted Software
The campaign spreads through malicious MSI files hosted on public GitLab repositories, where the files pose as legitimate software from trusted platforms. Once executed, the installer begins a multi-stage infection chain driven by scripts in Go, PowerShell and batch files.
These components unpack a ZIP archive containing the RAT executable, a rogue Chromium-based browser extension and supporting tools. A batch or PowerShell script then crafts commands to launch the RAT with a fixed filename, while a Go-based unpacker handles a password-protected ZIP file.
The malware also decodes base64-encoded command-and-control domains and repository lists before placing them into a config.json file. This arrangement allows it to shift its command-and-control servers dynamically.
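As an added example (written for this page, not code from the article or from the KPMG alert), the following Python triage helper shows what "base64-encoded domains and repository lists placed into a config.json" looks like from the analyst's side: it walks a config file, decodes every field that is valid base64 text, and emits the decoded entries in defanged form so they can be copied into a report without becoming live links. The sample config, its field names and all the domain and repository values are constructed placeholders.

```python
import base64
import binascii
import json

# Constructed sample, shaped like the config.json the article describes: base64-encoded
# lists of command-and-control domains and repositories next to ordinary settings.
# Every value here is a made-up placeholder, not an indicator from the KPMG alert.
SAMPLE_CONFIG = json.dumps({
    "c2_domains": base64.b64encode(b"c2-a.example.invalid,c2-b.example.invalid").decode(),
    "repositories": base64.b64encode(b"https://gitlab.com/placeholder-group/placeholder-repo").decode(),
    "beacon_interval": 300,
    "client_name": "updater",
})


def defang(indicator):
    """Rewrite a domain or URL so it cannot be resolved or clicked by accident."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def decode_b64_list(value):
    """Decode a base64 string holding a comma- or newline-separated list.

    Returns None for anything that is not a string, not valid base64, or does not
    decode to UTF-8 text. Short plain strings can still pass by accident, so treat
    the output as triage hints to confirm, not as ground truth.
    """
    if not isinstance(value, str) or len(value) < 8:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    items = (item.strip() for item in text.replace("\n", ",").split(","))
    return [item for item in items if item]


def extract_indicators(config_text):
    """Return every decodable base64 field of a config as a list of defanged entries."""
    config = json.loads(config_text)
    found = {}
    for key, value in config.items():
        decoded = decode_b64_list(value)
        if decoded:
            found[key] = [defang(item) for item in decoded]
    return found


if __name__ == "__main__":
    for field, entries in extract_indicators(SAMPLE_CONFIG).items():
        print(field, "->", ", ".join(entries))
```

Because the RAT rotates its servers from this file, the decoded lists are worth diffing across samples: a change in the decoded domains with an otherwise identical binary is the "dynamic shift" the article describes, and the decoded values are what to feed into a blocklist rather than the base64 blobs.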
Browser Abuse and Stealth Tactics Raise Alarm
The infection chain scans for installed Chromium-based browsers such as Chrome and Edge and alters launch parameters to load the malicious extension without the user noticing. The extension sets up a native messaging host and uses a function called “CollectRefresh” to gather system details, cookies, browsing history, installed extensions and information about open tabs.
It also triggers RAT actions when it detects specific URL patterns, including banking sites. Janela RAT then opens encrypted WebSocket links to base64-hidden domains, rotates command-and-control servers on the fly, remains dormant when idle and uses obfuscated binaries to evade antivirus scans.
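The launch-parameter abuse described above leaves a trace in process-creation telemetry. As an added example (not part of the article or the KPMG alert), the following Python detection logic runs over constructed Sysmon-style process records and flags Chromium-based browsers started with switches that load an extension from a directory; the switch names `--load-extension` and `--disable-extensions-except` are real Chromium command-line flags, the event records, user names and paths are made up, and the set of browser image names is an assumption you would widen for your estate.

```python
import re

# Constructed process-creation records in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--load-extension="C:\Users\victim\AppData\Local\Temp\ext" --no-first-run'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                r'--disable-extensions-except="C:\Users\victim\Downloads\ext" '
                r'--load-extension="C:\Users\victim\Downloads\ext"'},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Assumed set of Chromium-based browser image names; extend for your environment.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Chromium command-line switches that sideload an unpacked extension from a directory,
# with the directory either quoted or bare.
SIDELOAD_SWITCH = re.compile(
    r'--(load-extension|disable-extensions-except)=(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Directories an ordinary user can write to; an extension loaded from here deserves a look.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\', re.IGNORECASE)


def browser_name(image_path):
    """Last path component of the process image, lower-cased."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_sideloaded_extensions(events):
    """Flag Chromium browsers launched with a switch that loads an extension from disk."""
    hits = []
    for event in events:
        name = browser_name(event["image"])
        if name not in CHROMIUM_BROWSERS:
            continue
        for match in SIDELOAD_SWITCH.finditer(event["cmdline"]):
            path = match.group(2) or match.group(3)
            hits.append({
                "browser": name,
                "switch": match.group(1).lower(),
                "path": path,
                "user_writable": bool(USER_WRITABLE.search(path)),
            })
    return hits


if __name__ == "__main__":
    for hit in find_sideloaded_extensions(SAMPLE_EVENTS):
        print(hit)
```

Developers do use these switches, so the useful signal is the combination: a browser launched with a sideload switch, pointing at a user-writable directory, on a host that is not a developer workstation. The same records also show who launched the browser; a parent process that is a batch file or PowerShell host rather than explorer.exe fits the infection chain the article describes and is worth a second rule.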
Security firm KPMG, in a recent alert marked TLP: Clear, highlighted the sophistication of the campaign. It said the malware is focused on financial data and urged organisations to watch for anomalies.
Indicators Released as Defenders Urged to Act Quickly
The alert listed several key indicators of compromise for rapid detection, including domains such as w5lw.worldassitencia[.]com, team000analytics.safepurelink[.]com and bulder.wordsuporttsk[.]com. It also identified IP addresses including 191.96.79[.]24, 191.96.224[.]215, 189.89.15[.]37, 192.99.169[.]240, 102.165.46[.]28 and a partial address beginning 167.88.1[.]xx.
Select SHA-256 file hashes were also published, including 6550ea36af6d367e39b948835738f76d, e7a6f1889744468d72b8644529a6cbac and e2bf84693ebc12624d9be3f384b4e509, with a note that a full list is available in KPMG’s report.
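As an added example (written for this page, not code from the article or from KPMG's report), the following Python loader turns the indicators quoted above into a watchlist: it refangs the domains and addresses, keeps the partial address as a prefix rather than discarding it, and files each hash under the digest algorithm its length implies. That last check matters here: the three hashes quoted above are 32 hexadecimal characters long, which is the length of an MD5 digest, whereas a SHA-256 digest is 64 characters; a loader that files them as SHA-256 without checking would produce entries that never match, so the full list in KPMG's report is the place to confirm which algorithm each value belongs to. The prefix-match handling of the partial address is an assumption of this example.

```python
import re
from itertools import takewhile

# Indicators exactly as the article quotes them from the KPMG alert, in defanged form.
DEFANGED_DOMAINS = [
    "w5lw.worldassitencia[.]com",
    "team000analytics.safepurelink[.]com",
    "bulder.wordsuporttsk[.]com",
]
DEFANGED_IPS = [
    "191.96.79[.]24", "191.96.224[.]215", "189.89.15[.]37",
    "192.99.169[.]240", "102.165.46[.]28", "167.88.1[.]xx",
]
PUBLISHED_HASHES = [
    "6550ea36af6d367e39b948835738f76d",
    "e7a6f1889744468d72b8644529a6cbac",
    "e2bf84693ebc12624d9be3f384b4e509",
]

HEX_LENGTH_TO_ALGORITHM = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(indicator):
    """Undo the usual [.] and hxxp defanging."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def classify_hash(value):
    """Name the digest algorithm a hex string's length implies, or None if it is not a hash."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HEX_LENGTH_TO_ALGORITHM.get(len(value))


def parse_ip(value):
    """Split a defanged IPv4 indicator into (refanged text, is_complete).

    A partial indicator such as '167.88.1[.]xx' becomes the prefix '167.88.1.' so it
    can still be compared against observed addresses (assumption of this example).
    """
    octets = refang(value).split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 indicator: {value}")
    if all(o.isdigit() and int(o) <= 255 for o in octets):
        return ".".join(octets), True
    known = list(takewhile(lambda o: o.isdigit() and int(o) <= 255, octets))
    return ".".join(known) + ".", False


def build_watchlist(domains, ips, hashes):
    """Normalise published indicators into a structure a matcher can use directly."""
    watch = {"domains": set(), "ips": set(), "ip_prefixes": set(),
             "hashes": {"md5": set(), "sha1": set(), "sha256": set()}, "rejected": []}
    for d in domains:
        watch["domains"].add(refang(d).lower())
    for ip in ips:
        text, complete = parse_ip(ip)
        (watch["ips"] if complete else watch["ip_prefixes"]).add(text)
    for h in hashes:
        algo = classify_hash(h)
        if algo is None:
            watch["rejected"].append(h)
        else:
            watch["hashes"][algo].add(h.lower())
    return watch


def matches(watch, observed):
    """True when an observed domain, IP or hash (any case) appears on the watchlist."""
    o = observed.strip().lower()
    if o in watch["domains"] or o in watch["ips"]:
        return True
    if any(o.startswith(p) for p in watch["ip_prefixes"]):
        return True
    return any(o in bucket for bucket in watch["hashes"].values())


if __name__ == "__main__":
    watch = build_watchlist(DEFANGED_DOMAINS, DEFANGED_IPS, PUBLISHED_HASHES)
    for algo, bucket in watch["hashes"].items():
        print(algo, len(bucket))
```

Keying the hash buckets by algorithm also decides which field of an EDR query or STIX pattern each value goes into; a 32-character value placed in a SHA-256 field is silently useless, while the same value in the MD5 field is a working indicator.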
Experts advised organisations to scan environments for these indicators using EDR tools, fully patch Windows systems and enforce multi-factor authentication across environments. They also recommended full threat assessments to identify weaknesses, along with machine-readable threat intelligence feeds in STIX, TAXII or MISP formats for real-time defence. Services such as preemptive threat hunting and incident response were cited as useful measures.