How the JanelaRAT Trojan Infects Systems: A Step-by-Step Infection Chain Analysis

Step-by-step guide to JanelaRAT infection chain: from phishing emails to DLL sideloading and final payload execution, with mitigation tips.

Sondizi · 2026-05-03 01:37:45 · Finance & Crypto

Introduction

This how-to guide walks you through the infection chain of JanelaRAT, a malware family targeting financial and cryptocurrency data in Latin America. Named after the Portuguese word for “window,” JanelaRAT is a modified variant of BX RAT, first observed in June 2023. Understanding its multi-stage attack process can help cybersecurity professionals and organizations strengthen defenses. The guide covers each phase—from initial email receipt to final payload execution—and includes actionable tips for mitigation.

How the JanelaRAT Trojan Infects Systems: A Step-by-Step Infection Chain Analysis
Source: securelist.com

What You Need

  • Basic knowledge of malware analysis and infection vectors
  • Awareness of common phishing techniques
  • Access to endpoint protection logs (optional, for simulation)
  • Understanding of DLL sideloading and MSI installer behavior
  • Familiarity with threat detection tools (e.g., Kaspersky, which detects JanelaRAT as Trojan.Script.Generic or Backdoor.MSIL.Agent.gen)

Step-by-Step Infection Chain

Step 1: Receiving the Phishing Email

The attack begins with fraudulent emails crafted to imitate legitimate invoice delivery notifications. The emails urge recipients to view a pending invoice by clicking an embedded link. This social engineering tactic preys on urgency and trust. The malicious link does not lead to a real invoice but to a compromised or threat-controlled website.

Step 2: Clicking the Malicious Link

Once the victim clicks the link, they are redirected to a malicious website that automatically initiates a download. This download is typically a compressed ZIP file containing various malicious components. The exact content can vary, but common elements include VBScripts, XML files, additional ZIP archives, and BAT files.

Step 3: Extracting and Executing the First-Stage Payload

The downloaded archive is extracted either manually by the victim or by a script bundled in the archive. The threat actors then rely on the user or that script to execute one of the included files (e.g., a VBScript). This script acts as a first-stage dropper that prepares the system for deeper infection. It typically builds file paths from environment variables, sets up startup shortcuts, and writes a first-run marker file so the system is not infected more than once.

Step 4: Deploying Auxiliary Files and Persistence Mechanisms

After execution, the dropper may deploy auxiliary components such as configuration files. These files help the malware evade detection and tailor its behavior. The dropper also establishes persistence by adding entries to the Windows startup folder or registry. Over time, the threat actors have refined this stage—for example, by integrating MSI installer files in later campaigns to streamline the process.

Step 5: DLL Sideloading via Legitimate Executables

A critical step in recent JanelaRAT variants is DLL sideloading. The attacker includes a legitimate PE32 executable alongside a malicious DLL (the actual JanelaRAT payload). When the legitimate executable is launched, it loads the malicious DLL instead of the library it expects, because Windows resolves the import through the DLL search order and the attacker-controlled copy is found first (a search order hijack). This technique masks the malware as a trusted process and bypasses some security solutions.
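To show how the sideloading pattern in Step 5 can be surfaced from endpoint telemetry, here is an added detection example that is not part of the original article. It scans Sysmon-style image-load records (Event ID 7) for an executable outside the system or Program Files directories loading an unsigned DLL from its own folder; the log lines, user name, file names and paths are constructed for illustration and are not real JanelaRAT indicators.

```python
import json
from pathlib import PureWindowsPath

# Directories where a legitimately installed program would normally live;
# an unsigned DLL loaded from elsewhere, next to its host EXE, is the
# classic sideloading layout. (Roots are an assumption for this example.)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)

def is_sideload_candidate(event: dict) -> bool:
    """True for a Sysmon Event ID 7 record in which a host process outside
    the trusted roots loads an unsigned DLL from its own directory."""
    if event.get("EventId") != 7:                 # 7 = Image loaded
        return False
    image, loaded = event["Image"], event["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return False
    if event.get("Signed", "false").lower() == "true":
        return False                              # signed DLL: not this pattern
    same_dir = PureWindowsPath(image).parent == PureWindowsPath(loaded).parent
    return same_dir and not _trusted(image) and not _trusted(loaded)

def scan(lines):
    """Return (host process, DLL) pairs for every matching JSON log line."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_sideload_candidate(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits

# Constructed sample telemetry, one JSON record per line (not from a real host).
SAMPLE_LOG = [
    '{"EventId":7,"Image":"C:\\\\Users\\\\ana\\\\AppData\\\\Roaming\\\\upd\\\\viewer.exe","ImageLoaded":"C:\\\\Users\\\\ana\\\\AppData\\\\Roaming\\\\upd\\\\version.dll","Signed":"false"}',
    '{"EventId":7,"Image":"C:\\\\Program Files\\\\App\\\\app.exe","ImageLoaded":"C:\\\\Windows\\\\System32\\\\version.dll","Signed":"true"}',
    '{"EventId":7,"Image":"C:\\\\Users\\\\ana\\\\Downloads\\\\tool.exe","ImageLoaded":"C:\\\\Windows\\\\System32\\\\kernel32.dll","Signed":"true"}',
    '{"EventId":1,"Image":"C:\\\\Windows\\\\System32\\\\wscript.exe","CommandLine":"wscript.exe invoice.vbs"}',
]

if __name__ == "__main__":
    for proc, dll in scan(SAMPLE_LOG):
        print(f"possible DLL sideload: {proc} loaded {dll}")
```

Only the first record matches: an unsigned DLL named like a system library, loaded from a user-writable folder by the executable sitting next to it.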

Step 6: JanelaRAT Final Payload Execution

Once sideloaded, the DLL executes JanelaRAT. This final payload is a Remote Access Trojan (RAT) that communicates with command-and-control (C2) servers. It uses a custom title bar detection mechanism to identify specific banking websites and cryptocurrency platforms in the victim’s browser. Upon detection, it can steal credentials, capture keystrokes, or inject malicious scripts to redirect financial transactions.

Step 7: Ongoing Evolution and Adaptation

The threat actors behind JanelaRAT continuously update the infection chain. Analysis shows they have reduced the number of installation steps over time, making the attack faster and harder to interrupt. They also modify auxiliary files and obfuscate file paths and names to hinder forensic analysis. Staying informed about these changes is vital for effective defense.

Tips for Mitigation

  • Train users to recognize phishing emails—especially those urging invoice downloads from unknown senders.
  • Deploy endpoint detection and response (EDR) tools that can spot unusual process behavior like DLL sideloading.
  • Implement email filtering to block malicious links and attachments before they reach inboxes.
  • Keep software updated and apply security patches to minimize exploit opportunities.
  • Restrict the use of PowerShell and script-based execution for non-administrative users.
  • Monitor for known indicators of compromise associated with JanelaRAT, such as specific configurations or dropped files.
  • Use threat intelligence feeds to stay updated on evolving campaign TTPs.

Conclusion

JanelaRAT represents a persistent financial threat to Latin American institutions and their customers. By breaking down the infection chain into clear steps, security teams can better anticipate attack patterns and strengthen defenses. The combination of phishing, multi-stage droppers, and DLL sideloading makes it a challenging adversary, but proactive detection and user awareness remain the best countermeasures.