On Apr. 6, ESET published an advisory on a malware strain which has been in development since 2018.
Named Janeleiro, the Trojan is focused on Brazil as a hunting ground and has been used in cyberattacks against corporate players in sectors such as engineering, healthcare, finance, retail, and manufacturing.
Operators have also tried to use the malware when infiltrating government systems.
Janeleiro Trojan discovered
According to the advisory published by the researchers at ESET, the Trojan is similar to those that are currently operating across the country, such as Casbaneiro, Mekotio, and Grandoreiro, but it is the first one to be detected that is written in .NET instead of in Delphi, which is more common.
Small batches of phishing emails are sent to corporate targets, pretending to relate to unpaid invoices.
These messages contain links to compromised servers, where victims are encouraged to download a .zip archive hosted in the cloud. If the victim unzips the archive file, a Windows-based MSI installer then loads the main Trojan DLL onto the system.
According to Production Rev, ESET says that in some cases, the URLs have distributed both Janeleiro and other Delphi bankers at different times.
This suggests that either the numerous criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. The researchers have not yet determined which hypothesis is correct.
The Trojan will first check the geolocation of the target system's IP address. If the country code is other than Brazil, the malware will exit.
But if the target fits the requirement, the malware will collect a variety of operating system data and will get the address of its command-and-control (C2) server from a GitHub page.
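The infection chain described above (a .zip pulled from cloud hosting, then an IP geolocation lookup, then a fetch of the C2 list from GitHub) is something a defender can hunt for in web proxy logs. The following is an added example, not code from ESET or from the article: it correlates those three stages per host within a short time window. The log format, the hostnames and the geolocation-service pattern are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the article): "timestamp host method url".
SAMPLE_LOG = """\
2021-03-10T09:01:05 ws-17 GET https://drive.example-cloud.test/share/fatura_pendente.zip
2021-03-10T09:02:40 ws-17 GET http://ip-geolocation.example.test/json/
2021-03-10T09:02:41 ws-17 GET https://raw.githubusercontent.com/placeholder-account/repo/main/c2.txt
2021-03-10T09:15:00 ws-03 GET https://raw.githubusercontent.com/some-org/tool/main/README.md
2021-03-10T10:30:00 ws-22 GET https://drive.example-cloud.test/share/report.zip
"""

# The three stages of the chain, in the order the article describes them.
# The URL patterns are assumptions chosen for this example.
STAGES = [
    ("zip_from_cloud", re.compile(r"^https?://[^/]+/.*\.zip$", re.I)),
    ("ip_geolocation", re.compile(r"geolocation|geoip", re.I)),
    ("github_fetch", re.compile(r"^https?://(raw\.githubusercontent\.com|github\.com)/", re.I)),
]
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)$")

def classify(url):
    """Map a URL to the first stage pattern it matches, or None."""
    for name, pattern in STAGES:
        if pattern.search(url):
            return name
    return None

def find_chains(log_text, window=timedelta(minutes=10)):
    """Return {host: ISO start time} for hosts hitting all stages in order within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, url = m.groups()
        stage = classify(url)
        if stage:
            events[host].append((datetime.fromisoformat(ts), stage))
    order = [name for name, _ in STAGES]
    flagged = {}
    for host, evs in events.items():
        idx, start = 0, None
        for ts, stage in sorted(evs):
            # Advance only when the next expected stage appears inside the window.
            if stage == order[idx] and (start is None or ts - start <= window):
                start = start or ts
                idx += 1
                if idx == len(order):
                    flagged[host] = start.isoformat()
                    break
    return flagged
```

A single GitHub fetch or a single .zip download is normal traffic; only the ordered sequence on one host is worth an alert, which is why ws-03 and ws-22 are not flagged.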
What Janeleiro is used for
Janeleiro is used to create fake pop-up windows on-demand, such as when banking-related keywords are detected on a compromised machine, as per ESET.
The pop-ups are made to appear to be from some of the largest banks across Brazil, and they request the input of sensitive data and banking details from victims.
The malware's command list includes options for controlling windows, killing the existing browser sessions like those that are launched in Google Chrome, capturing screens, keylogging, and hijacking clipboard data.
The operator of the Trojan appears to prefer a hands-on approach and may control the windows remotely and in real-time.
Most malware operators at least make a token attempt to conceal their activities. In this case, the code obfuscation is light, there is no attempt to circumvent existing security software, and there is no custom encryption.
The operator uses GitHub, a code repository, to host files containing C2 server lists to manage Trojan infections. These repositories are updated every day.
As of March, four variants of Janeleiro have been detected in the wild, although two of them share the same internal version number.
Some samples have been packaged together with a password stealer in attacks, which suggests that the group behind Janeleiro has other tools in their arsenal, according to the team.
ESET says that GitHub has been made aware of the threat actor's account and abuse of the platform. The page has now been disabled and the owner has been suspended.
This article is owned by Tech Times
Written by Sieeka Khan