
7 Critical Facts About JanelaRAT: The Malware Targeting Latin American Finance

7 key facts about JanelaRAT malware targeting Latin America: its origins, stealth techniques, phishing-based infection, and evolving droppers.

Sondizi · 2026-05-03 15:14:52 · Finance & Crypto

JanelaRAT is a sophisticated financial malware that has been actively targeting users in Latin America since mid-2023. Designed to steal cryptocurrency and banking credentials, this threat leverages a multi-stage infection chain and constantly evolves to evade detection. Below are seven essential facts you need to understand about JanelaRAT, from its origins to how it operates and how you can stay protected. Each fact dives into a different aspect of this dangerous malware, reflecting the key insights from cybersecurity research.

1. What Is JanelaRAT and Who Does It Target?

JanelaRAT takes its name from the Portuguese word for “window” (janela), hinting at its focus on Latin American victims. This remote access trojan (RAT) is specifically crafted to extract financial data and cryptocurrency information from customers of banks and financial institutions operating in the region. Since its emergence in June 2023, JanelaRAT has become a persistent threat, with attackers continuously updating its capabilities. The malware is a modified variant of the older BX RAT, but it introduces unique features that make it particularly dangerous for online banking users in Latin America.

[Image: 7 Critical Facts About JanelaRAT: The Malware Targeting Latin American Finance. Source: securelist.com]

2. How JanelaRAT Differs from Its Predecessor, BX RAT

Unlike its predecessor BX RAT, JanelaRAT employs a custom title-bar detection mechanism: it reads the titles of open browser windows to recognise when a specific website, such as a banking portal, is displayed. Once a target site is detected, JanelaRAT can perform malicious actions like injecting fake login forms or capturing keystrokes. This targeted approach makes it far more effective for stealing financial credentials than generic trojans. Additionally, the threat actors behind JanelaRAT are constantly refining the malware, adding new features and streamlining the infection chain to stay ahead of security measures.

3. The Infection Chain Begins with Deceptive Invoice Emails

JanelaRAT campaigns typically start with phishing emails that impersonate pending invoice notifications. Victims are tricked into clicking a malicious link that downloads a PDF file or redirects them to a compromised website hosting a compressed archive. Inside these archives, researchers have found a mix of VBScripts, XML files, ZIP archives, and BAT files. The ultimate goal is to deliver a ZIP file containing components for DLL sideloading, which then executes the JanelaRAT payload. This multi-stage approach makes initial detection difficult, as each step is designed to evade traditional email and web filters.
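The layered delivery described above (an archive holding VBScript, XML, BAT and nested ZIP files, with the innermost ZIP carrying an executable and a DLL for sideloading) is something a mail gateway or sandbox can triage before any of it runs. The following is an added example written for this article, not code from Kaspersky, Securelist or the JanelaRAT campaign; it builds a constructed sample archive in memory that imitates that layout and walks it recursively, flagging script files, nested archives, and any folder where an `.exe` sits next to a `.dll`. The set of script extensions beyond `.vbs` and `.bat` is an assumption added for breadth.

```python
import io
import zipfile
from collections import defaultdict

# .vbs and .bat appear in the campaign archives described in the text; the
# remaining script extensions are an assumption added here for broader triage.
SCRIPT_EXTENSIONS = {".vbs", ".bat", ".vbe", ".js", ".wsf", ".ps1", ".cmd", ".hta"}
NESTED_ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Lower-cased extension of a ZIP member name, or '' if it has none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_archive(data, prefix="", depth=0, max_depth=3):
    """Walk a ZIP given as bytes and return a list of (path, reason) findings.

    Nested ZIPs are opened in memory; their members are reported with the
    outer path followed by '!/' so an analyst can see the nesting.
    """
    findings = []
    if depth > max_depth:
        findings.append((prefix, "nesting deeper than %d levels" % max_depth))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((prefix, "not a valid ZIP"))
        return findings

    by_dir = defaultdict(set)  # folder inside the archive -> extensions seen there
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = _ext(info.filename)
            folder = info.filename.rsplit("/", 1)[0] if "/" in info.filename else ""
            by_dir[folder].add(ext)
            if ext in SCRIPT_EXTENSIONS:
                findings.append((path, "script file %s" % ext))
            elif ext in NESTED_ARCHIVE_EXTENSIONS:
                findings.append((path, "nested archive"))
                findings.extend(triage_archive(zf.read(info), path + "!/", depth + 1, max_depth))

    # An executable shipped together with a DLL in one folder is the classic
    # sideloading kit shape the text describes for the final stage.
    for folder, exts in by_dir.items():
        if ".exe" in exts and ".dll" in exts:
            where = prefix + (folder + "/" if folder else "")
            findings.append((where, "exe and dll side by side (possible DLL sideloading kit)"))
    return findings


def build_sample_archive():
    """Constructed sample archive imitating the layered delivery in the text.

    The contents are placeholders, not a real JanelaRAT sample.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("app/viewer.exe", b"MZ placeholder")
        z.writestr("app/helper.dll", b"MZ placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("fatura.vbs", b"' placeholder")
        z.writestr("config.xml", b"<cfg/>")
        z.writestr("run.bat", b"rem placeholder")
        z.writestr("payload.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in triage_archive(build_sample_archive()):
        print("%-28s %s" % (path, reason))
```

Run against a real attachment by passing the file's bytes to `triage_archive`. The function never executes or extracts anything to disk, so it is safe to run inside a gateway hook; the `max_depth` guard keeps a deliberately deep archive from exhausting the scanner.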

4. The Evolution of the Dropper: From Scripts to MSI Files

In the latest observed campaigns, the infection chain has evolved to use Microsoft Installer (MSI) files as the initial dropper. This MSI file installs a legitimate PE32 executable alongside a malicious DLL (the actual JanelaRAT payload), which is then sideloaded by the executable. The dropper obfuscates file paths and names to hinder analysis. It also creates ActiveX objects to manipulate the file system, defines environment variables that point to where the binaries are stored, and sets up a startup shortcut for persistence. This streamlined approach reduces the number of installation steps, making the attack more efficient.

5. Persistence and Evasion: How JanelaRAT Stays Hidden

To ensure long-term access, JanelaRAT establishes persistence by creating a shortcut in the Windows startup folder. It also stores a first-run indicator file to track whether the malware has already executed. The dropper checks for the existence of this file and a specific directory before proceeding, preventing repeated infections on the same machine and avoiding unnecessary noise. Over time, the attackers have added auxiliary files, such as configuration files, that change periodically to adapt to new detection methods. These evasive tactics help JanelaRAT remain undetected while it siphons sensitive financial data.


6. Continuously Updated Infection Chains and Components

One of the defining characteristics of JanelaRAT campaigns is the continuous evolution of the infection chain. Researchers have observed a logical progression where components like MSI files were integrated over time, replacing older scripts that required more steps. The use of different obfuscation techniques and auxiliary configuration files shows how the threat actors actively respond to security updates. This agility makes JanelaRAT a moving target, as each new variant may use a slightly different delivery method, payload structure, or persistence mechanism. Staying protected requires up-to-date security solutions that can detect behavioral anomalies rather than static signatures.

7. Detection and Protection Against JanelaRAT

Kaspersky security solutions detect JanelaRAT under the names Trojan.Script.Generic and Backdoor.MSIL.Agent.gen. To protect against this threat, users should be cautious with unsolicited invoice emails, avoid clicking suspicious links, and keep their systems and antivirus software updated. Organizations in Latin America should implement email filtering that blocks known malicious attachments and educate employees about social engineering tactics. Since JanelaRAT relies on DLL sideloading, disabling unnecessary autorun scripts and monitoring process behaviors can also help prevent infections. Regular backups and multi-factor authentication add extra layers of security against credential theft.

JanelaRAT is a clear example of how cybercriminals tailor malware to specific regions and industries. By understanding its infection methods and evolution, both individuals and businesses can take proactive steps to safeguard their financial data. Vigilance, combined with robust cybersecurity practices, remains the best defense against this and other emerging threats in Latin America.
