ESET published a report in which the antivirus maker details a new banking Trojan targeting corporate users across Brazil.
The malware has been in development since 2018, and its developers appear unconcerned with staying undetected.
The Trojan, dubbed Janeleiro, has been spotted in attacks against corporate targets in sectors such as engineering, healthcare, retail, finance, and manufacturing. It has also been used in attempts to infiltrate government systems. According to the researchers, several similar Trojans are currently operating in the country, namely Casbaneiro, Grandoreiro, and Mekotio, all written in Delphi; Janeleiro is the only one written in .NET.
Attacks start with phishing emails about unpaid invoices. The emails contain links to compromised servers, which lead to a download page for a .zip archive hosted in the cloud. Once the victim unpacks the archive and runs its contents, the main Trojan DLL is loaded. The same distribution URLs have at times delivered other Trojans written in Delphi instead.
“In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times,” ESET says. “This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group.”
The Trojan determines the victim's location by geolocating the target system's IP address. If the address does not resolve to Brazil, the malware exits. Otherwise, it proceeds to collect operating system data. Janeleiro can also create pop-up windows in certain situations, for example when it detects banking-related keywords. These pop-ups mimic the look of some of the largest banks in Brazil and contain input fields for sensitive banking details.
Its other capabilities include controlling windows, capturing screenshots, keylogging, and hijacking clipboard data.
Researchers note that the attackers applied only light code obfuscation, made no attempt to evade security software, and used no encryption.
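The gating behaviour described above has a practical consequence for analysts: a sample run in a sandbox whose egress IP is outside Brazil simply exits and shows none of the overlay behaviour. The following is an added analyst-side model of that logic, written for this page and not code from ESET or from the malware. It assumes the geolocation lookup returns JSON with a `country_code` field, that keyword detection is done against window titles, and it uses an illustrative keyword list (the report does not publish the real one); all three are assumptions.

```python
"""Analyst model of Janeleiro's gating logic as described in the ESET report:
1. geofence on the victim's public IP (exit unless it resolves to Brazil),
2. then watch for banking-related keywords before showing a fake login overlay.

Assumptions (not from the report): GeoIP reply is JSON with "country_code",
keyword matching is done on window titles, and the keyword list below is
illustrative only.
"""
import json
import unicodedata
from typing import Iterable, List, Optional, Tuple

# Assumed keyword list; the report only says "banking-related keywords".
ASSUMED_BANK_KEYWORDS = ("banco do brasil", "bradesco", "itau", "santander")


def normalize(text: str) -> str:
    """Lower-case and strip accents so 'Itaú', 'ITAU' and 'itau' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def country_from_geoip(response_body: str) -> Optional[str]:
    """Parse an assumed GeoIP JSON reply; return the ISO country code or None if unusable."""
    try:
        data = json.loads(response_body)
    except json.JSONDecodeError:
        return None
    code = data.get("country_code") if isinstance(data, dict) else None
    return code.upper() if isinstance(code, str) else None


def should_continue(response_body: str, target_country: str = "BR") -> bool:
    """Geofence: the report says the Trojan exits unless the IP geolocates to Brazil.
    A malformed or missing reply also fails the gate (fail closed from the malware's view)."""
    return country_from_geoip(response_body) == target_country


def matching_keyword(window_title: str,
                     keywords: Iterable[str] = ASSUMED_BANK_KEYWORDS) -> Optional[str]:
    """Return the first bank keyword found in a window title, accent- and case-insensitively."""
    title = normalize(window_title)
    for kw in keywords:
        if normalize(kw) in title:
            return kw
    return None


def simulate(response_body: str, window_titles: Iterable[str]) -> Tuple[str, List[str]]:
    """Run the geofence, then the keyword monitor over a sequence of window titles.

    Returns ("exit", []) when the geofence fails, otherwise ("run", titles) where
    titles are the windows that would have triggered a fake bank login overlay.
    """
    if not should_continue(response_body):
        return ("exit", [])
    triggered = [t for t in window_titles if matching_keyword(t) is not None]
    return ("run", triggered)


# Constructed sample inputs (not from the report): two GeoIP replies and a
# short stream of foreground window titles as an analyst might log them.
GEO_BR = json.dumps({"ip": "203.0.113.10", "country_code": "br"})
GEO_US = json.dumps({"ip": "198.51.100.7", "country_code": "US"})
SAMPLE_TITLES = [
    "Relatório trimestral - Microsoft Excel",
    "Itaú Empresas - Internet Banking - Google Chrome",
    "Bradesco Net Empresa - Mozilla Firefox",
    "Inbox - Outlook",
]

if __name__ == "__main__":
    # A sandbox egressing from the US sees nothing; a Brazilian egress sees overlays.
    print("US egress:", simulate(GEO_US, SAMPLE_TITLES))
    print("BR egress:", simulate(GEO_BR, SAMPLE_TITLES))
```

When detonating a sample with this kind of gate, either route the sandbox through a Brazilian egress or intercept the geolocation lookup and return a Brazilian country code; otherwise the run ends before any of the overlay, keylogging or screenshot behaviour is observable.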
Researchers have seen four variants of Janeleiro in the wild. Some contain a password stealer, which, researchers believe, suggests that “the group behind Janeleiro has other tools in their arsenal.”