Janela RAT Campaign Uses Fake MSI and Malicious Browser Extensions to Steal Data
Key Takeaways
- A new Janela RAT campaign is actively targeting financial institutions and cryptocurrency platforms in Latin America, particularly in Chile, Colombia, and Mexico.
- Attackers are deploying the remote access trojan via seemingly legitimate fake MSI installer files and malicious browser extensions.
- The malware, a likely variant of the older BX RAT, employs a sophisticated multi-stage infection process built from Go, PowerShell, and batch scripts.
- Janela RAT evades detection through encrypted communications, dynamic C2 address rotation, and periods of inactivity, making it a persistent threat.
- The campaign aims to steal credentials, bypass authentication, and gain unauthorized access to financial accounts, posing significant operational and reputational risks to affected organizations.
Janela RAT Targets Latin American Financial Sector with Sophisticated Multi-Stage Attacks
A sophisticated new malware campaign leveraging the Janela Remote Access Trojan (RAT) is actively compromising financial institutions and cryptocurrency platforms across Latin America. Threat actors are employing deceptive MSI installer files and malicious browser extensions to infiltrate systems, aiming to exfiltrate sensitive financial data from victims. This campaign primarily targets users and organizations in Chile, Colombia, and Mexico.
First observed in mid-2023, Janela RAT is believed to be an enhanced version of the previously known BX RAT, featuring advanced capabilities. The financially motivated attackers behind this operation are focused on stealing credentials and gaining illicit access to various accounts.
Analysts at KPMG have identified the advanced, multi-stage nature of these attacks, highlighting a significant threat to the region’s financial infrastructure. Researchers noted that Janela RAT effectively conceals itself as legitimate software hosted on public GitLab repositories, complicating early detection for users. The malware’s ability to covertly manipulate installed browsers and maintain encrypted communications with attacker-controlled servers makes its containment particularly challenging.
The campaign’s impact extends beyond mere data theft. By gaining access to browsers, attackers can harvest cookies, saved credentials, and browsing history, providing a comprehensive view of a victim’s financial activities. This extensive access enables threat actors to bypass multi-factor authentication, take over accounts, or monitor financial transactions in real time, often without the victim’s knowledge. For banking and fintech organizations, such deep infiltration presents severe operational and reputational risks.
Janela RAT’s dangerous efficacy stems from its combination of multiple scripting tools and layered evasion techniques. Its use of encrypted command-and-control (C2) communications and behavior designed to mimic normal browser activity makes it exceptionally difficult for conventional security tools to detect and neutralize.
Multi-Stage Infection and Browser Hijacking
The infection process initiates when a user executes what appears to be a standard software installer in MSI format. These malicious installers are strategically hosted on public GitLab repositories, designed to appear legitimate and trustworthy. Upon execution, the installer triggers a complex sequence of scripts written in Go, PowerShell, and batch, each contributing to the attack’s setup.
A Go-based unpacker then decrypts a password-protected ZIP archive, decodes base64-encoded C2 domain information, and stores this critical data in a config.json file, essential for the campaign’s ongoing operations.
Concurrently, the scripts scan the compromised system for Chromium-based browsers, silently modifying their startup configurations to load a malicious extension without user awareness. This extension registers itself as a native messaging host, utilizing a built-in function named CollectRefresh. This function is responsible for gathering a wide array of sensitive data, including system specifications, browser cookies, browsing history, installed extensions, and open tab details. Furthermore, the extension actively monitors for specific URL patterns, such as banking or cryptocurrency login pages, to trigger additional RAT actions when a match is identified.
To maintain stealth, Janela RAT establishes encrypted WebSocket connections to its C2 servers, using obfuscated, base64-encoded domain names. The malware also dynamically rotates its C2 addresses and remains dormant during inactive periods, tactics designed to circumvent behavior-based security alerts. These combined techniques allow the malware to persist undetected for extended durations.
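As an added defender-side illustration of the native messaging host registration described above (this is example code, not code from the original report or from KPMG's analysis), the following Python script audits Chromium native messaging host manifests: it flags hosts whose binary sits outside a trusted install directory, hosts that are scripts rather than compiled programs, and hosts reachable from extension ids not on an allowlist. The sample manifests, directory paths, and extension ids are constructed for the example.

```python
import json
import re
from pathlib import Path

# Constructed sample manifests in Chromium's native messaging host format
# ("name", "path", "type", "allowed_origins"). Names, paths and extension
# ids below are made up for this illustration, not indicators from the report.
SAMPLE_MANIFESTS = {
    "com.vendor.updater.json": {
        "name": "com.vendor.updater", "type": "stdio",
        "path": "/opt/vendor/updater-host",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
    },
    "com.sys.helper.json": {
        "name": "com.sys.helper", "type": "stdio",
        "path": "/tmp/.cache/helper.bat",
        "allowed_origins": ["chrome-extension://ppppoooonnnnmmmmllllkkkkjjjjiiii/"],
    },
}

EXT_ORIGIN = re.compile(r"chrome-extension://([a-p]{32})/")  # extension ids use a-p
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js")

def audit_manifest(manifest, trusted_dirs, allowlisted_ext_ids):
    """Return a list of findings for one native messaging host manifest."""
    findings = []
    path = manifest.get("path", "")
    if not any(path.startswith(d.rstrip("/") + "/") for d in trusted_dirs):
        findings.append(f"host binary outside trusted dirs: {path}")
    if path.lower().endswith(SCRIPT_EXT):
        findings.append(f"host is a script rather than a compiled binary: {path}")
    for origin in manifest.get("allowed_origins", []):
        m = EXT_ORIGIN.fullmatch(origin)
        if not m:
            findings.append(f"malformed allowed origin: {origin}")
        elif m.group(1) not in allowlisted_ext_ids:
            findings.append(f"unknown extension may talk to this host: {m.group(1)}")
    return findings

def audit_directory(manifest_dir, trusted_dirs, allowlisted_ext_ids):
    """Audit every *.json manifest in a NativeMessagingHosts directory
    (on Linux, for example, ~/.config/google-chrome/NativeMessagingHosts)."""
    report = {}
    for f in Path(manifest_dir).glob("*.json"):
        with open(f, encoding="utf-8") as fh:
            report[f.name] = audit_manifest(json.load(fh), trusted_dirs, allowlisted_ext_ids)
    return report

def audit_samples():
    """Run the audit over the constructed manifests with an assumed allowlist."""
    return {n: audit_manifest(m, ["/opt/vendor"], {"abcdefghijklmnopabcdefghijklmnop"})
            for n, m in SAMPLE_MANIFESTS.items()}

if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or "ok")
```

On Windows the manifest location is published under a per-host registry key rather than a fixed directory, so `audit_directory` would be pointed at the manifest paths read from there.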
What You Should Do
- Proactively monitor your environment for known Indicators of Compromise (IoCs), including domains, IP addresses, and file hashes associated with this Janela RAT campaign.
- Ensure all Windows operating systems and applications are fully patched and updated, and enforce multi-factor authentication (MFA) across all accounts, especially for financial services.
- Conduct regular, full-spectrum threat assessment exercises to identify and address any blind spots or vulnerabilities within your organization’s security posture.
- Educate users on the dangers of downloading software from unverified sources and recognizing phishing attempts that might distribute fake MSI installers.
- Implement robust endpoint detection and response (EDR) solutions capable of identifying anomalous browser activity and encrypted C2 communications.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.