
Latin American Banking Malware: Unpacking the JanelaRAT Threat

Published 2026-05-03 01:11:30 · Finance & Crypto

JanelaRAT, named from the Portuguese word for "window," is a sophisticated malware family targeting financial and cryptocurrency data from banks and institutions across Latin America. First observed in June 2023, it evolved from the BX RAT trojan, introducing a unique title bar detection mechanism to identify victims' browser pages. Campaigns use multi-stage infection chains initiated by phishing emails with fake invoice links, leading to compressed files that eventually deliver the final payload via DLL sideloading. Below, we answer key questions about this persistent threat.

What is JanelaRAT and how did it get its name?

JanelaRAT is a remote access trojan (RAT) specifically designed to steal financial and cryptocurrency credentials from Latin American banks and financial institutions. Its name comes from the Portuguese word "janela," meaning "window" — a reference to its custom method of detecting target websites by analyzing browser title bars. Unlike generic malware, JanelaRAT zeroes in on specific online banking portals, making it a highly targeted threat. It is a modified variant of the older BX RAT, with significant upgrades in detection evasion and infection efficiency. Kaspersky identifies it as Trojan.Script.Generic and Backdoor.MSIL.Agent.gen, underscoring its dual nature as both a script-based dropper and a backdoor.

Source: securelist.com

How does the initial infection chain begin?

The attack starts with a spear-phishing email that poses as a pending invoice notification. Victims are tricked into clicking a malicious link, which redirects them to a compromised website. From there, a compressed file — often a ZIP archive — is downloaded. This archive typically contains a mix of components such as VBScripts, XML files, other ZIP archives, and BAT files. The goal is to eventually download a second ZIP that includes files for DLL sideloading, ultimately executing JanelaRAT as the final payload. The infection chain is carefully orchestrated to avoid raising suspicion, using legitimate-looking file names and multiple layers of obfuscation.

What role does DLL sideloading play in JanelaRAT attacks?

DLL sideloading is a critical technique used by JanelaRAT to load its malicious code stealthily. In the latest campaigns, attackers deliver an MSI file that drops both a legitimate PE32 executable and a malicious DLL. When the executable runs, it unknowingly loads the rogue DLL — which is actually the JanelaRAT payload — by exploiting the Windows DLL search order. This technique allows the malware to execute under the guise of a trusted application, bypassing security software that might otherwise flag the process. The DLL sideloading component is the core of the final stage, ensuring persistent access and data theft without raising immediate alarms.
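The search-order point above is what a defender can hunt for: Windows resolves a DLL that is not on the KnownDLLs list by looking in the application's own directory before System32, so a trusted executable dropped into a user-writable folder will load a same-named DLL sitting beside it. The script below is an added example, not code from the Securelist report or from JanelaRAT, and it flags exactly that shape in image-load telemetry. The records are constructed in the layout of Sysmon Event ID 7 (ImageLoad) fields; every path, company and file name in them is made up, and the user-writable prefix list is an assumption you would tune to your own estate.

```python
"""Sideloading hunt over image-load telemetry.

Added example; not from the Securelist report or from the malware. The
records below are constructed in the shape of Sysmon Event ID 7 (ImageLoad)
fields, and every path, company and file name in them is invented.
"""
from pathlib import PureWindowsPath

# Locations an unprivileged user can write to (assumed list; tune per estate).
# The default DLL search order checks the application's own directory before
# System32 for DLLs that are not on the KnownDLLs list, so a trusted EXE
# dropped here resolves a same-named DLL beside itself first.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def is_user_writable(path: str) -> bool:
    """True when the path sits under a directory normal users can write to."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def same_directory(a: str, b: str) -> bool:
    """True when two Windows paths share a parent directory (case-insensitive)."""
    return PureWindowsPath(a.lower()).parent == PureWindowsPath(b.lower()).parent


def is_sideload_candidate(event: dict) -> bool:
    """Flag an ImageLoad where a process pulls an unsigned DLL from its own
    user-writable directory: the legitimate-PE32-plus-rogue-DLL layout the
    article describes for the MSI stage."""
    image, loaded = event["Image"], event["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return False
    if not same_directory(image, loaded):
        return False  # resolved from elsewhere, e.g. System32
    if not is_user_writable(loaded):
        return False  # Program Files layouts legitimately ship DLLs beside EXEs
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus", "") == "Valid")
    return not signed_ok  # a validly signed DLL is not the rogue-DLL pattern


def find_sideload_candidates(events):
    """Return (process image, loaded DLL) pairs worth an analyst's attention."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_candidate(e)]


# Constructed telemetry (not real indicators).
SAMPLE_EVENTS = [
    {  # trusted-looking EXE in a temp folder loads an unsigned DLL beside it
        "Image": r"C:\Users\alice\AppData\Local\Temp\inv\Viewer.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\inv\example_plugin.dll",
        "Company": "Example Vendor", "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {  # same EXE loading a system DLL from System32: expected behaviour
        "Image": r"C:\Users\alice\AppData\Local\Temp\inv\Viewer.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Company": "Microsoft Corporation", "Signed": "true", "SignatureStatus": "Valid",
    },
    {  # unsigned helper DLL beside an EXE under Program Files: normal install layout
        "Image": r"C:\Program Files\ExampleApp\app.exe",
        "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll",
        "Company": "Example Vendor", "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {  # validly signed DLL beside an EXE in the profile: not the rogue-DLL shape
        "Image": r"C:\Users\alice\AppData\Local\ExampleTool\tool.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\ExampleTool\tool_core.dll",
        "Company": "Example Vendor", "Signed": "true", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for image, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"sideload candidate: {image} -> {dll}")
```

Only the first record survives the filter. The heuristic is deliberately narrow: it says nothing about DLLs loaded from other directories, and a validly signed DLL passes even though signing alone does not prove intent; pair it with a baseline of which executables your users normally run from their profiles.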

How has JanelaRAT's infection chain evolved over time?

Since June 2023, threat actors have continuously refined the infection chain to make it more efficient and harder to detect. Early campaigns involved multiple intermediate scripts and archives, but the latest iteration integrates MSI files as a direct dropper. This reduces the number of steps required to deploy JanelaRAT, streamlining the process. Additionally, auxiliary files such as configuration files have changed over time, helping evade signature-based detection. The evolution shows a logical progression — from component-heavy chains to a more compact delivery that minimizes the malware's footprint on disk. These updates reflect the attackers' ongoing effort to stay ahead of security defenses and improve infection success rates.

What detection names does Kaspersky use for JanelaRAT?

Kaspersky's security solutions detect JanelaRAT under two classifications: Trojan.Script.Generic for its initial script-based stages, and Backdoor.MSIL.Agent.gen for the final .NET payload. This dual detection highlights the malware's hybrid nature — it begins as a script (often VBScript or BAT) that downloads and executes a compiled backdoor written in MSIL (Microsoft Intermediate Language). Users with up-to-date Kaspersky products are protected against both components. The detection names are broad enough to cover variations of JanelaRAT while still alerting administrators to the presence of a financial trojan that targets Latin American institutions.


What makes JanelaRAT different from its predecessor BX RAT?

While JanelaRAT is a modified version of BX RAT, it introduces a key innovation: a custom title bar detection mechanism. This feature scans browser window titles to identify specific online banking or cryptocurrency pages. Once a target site is detected, JanelaRAT performs malicious actions such as injecting fake forms or capturing keystrokes. BX RAT lacked this targeted approach, relying on broader credential theft. Additionally, JanelaRAT's infection chain has been refined to use MSI files for delivery, whereas BX RAT typically used simpler script-based methods. These changes make JanelaRAT more efficient at compromising specific financial institutions while reducing the number of artifacts left on the system.

How do threat actors avoid detection in JanelaRAT campaigns?

Attackers employ multiple evasion tactics throughout the kill chain. The MSI dropper obfuscates file paths and names, hindering static analysis. It creates ActiveX objects to manipulate the file system and execute commands indirectly. The use of DLL sideloading hides the malicious code within a legitimate executable. Furthermore, configuration files are regularly updated, and delivery methods shift — from ZIP archives to MSI installers — to bypass signature-based antivirus. The infection chain also checks for the existence of a first-run indicator file; if absent, the malware proceeds; otherwise, it stops to avoid re-infection or analysis. These adaptive behaviors make JanelaRAT campaigns particularly challenging to track and block consistently.

What are the final payload delivery methods for JanelaRAT?

The final payload delivery has evolved from multi-step scripts to a more direct method. In the latest observed campaigns, an MSI file acts as the initial dropper, installing a legitimate PE32 executable alongside a malicious DLL. When the executable runs, it sideloads the DLL — which is the actual JanelaRAT backdoor. The MSI also sets up persistence by creating a startup shortcut and storing an indicator file. Earlier versions used VBScripts or BAT files to fetch a ZIP containing the sideloading components. Regardless of the method, the end result is a fully functional RAT that communicates with command-and-control servers to exfiltrate financial data from Latin American users.
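The delivery pattern just described (an installer dropping an executable and a DLL side by side, then writing a shortcut into a Startup folder) can be correlated from file-create telemetry. The script below is an added example, not code from the Securelist report or from JanelaRAT. Its records are constructed in the layout of Sysmon Event ID 11 (FileCreate) fields (ProcessGuid, Image, TargetFilename); all GUIDs, paths and names are invented, and no indicator-file name is assumed because the article does not give one.

```python
"""Correlate file-create telemetry to an EXE+DLL drop plus Startup persistence.

Added example; not from the Securelist report or from the malware. Records
are constructed in the shape of Sysmon Event ID 11 (FileCreate) fields, with
made-up GUIDs, paths and names.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Both the per-user and the all-users Startup folders end in this path segment.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def is_startup_shortcut(path: str) -> bool:
    """True for a .lnk written into a Startup folder."""
    p = path.lower()
    return STARTUP_MARKER in p and p.endswith(".lnk")


def exe_dll_pairs(paths):
    """Directories into which one process wrote both an .exe and a .dll."""
    suffixes_by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p.lower())
        suffixes_by_dir[str(wp.parent)].add(wp.suffix)
    return sorted(d for d, s in suffixes_by_dir.items() if {".exe", ".dll"} <= s)


def correlate_dropper_chains(events):
    """One finding per process that dropped an EXE+DLL pair *and* a Startup .lnk.

    Either signal alone is common (installers drop EXE+DLL pairs, users pin
    shortcuts); the combination from a single process is what matches the
    delivery described in the article.
    """
    writes = defaultdict(list)
    image_of = {}
    for e in events:
        writes[e["ProcessGuid"]].append(e["TargetFilename"])
        image_of[e["ProcessGuid"]] = e["Image"]

    findings = []
    for guid, paths in writes.items():
        pairs = exe_dll_pairs(paths)
        shortcuts = [p for p in paths if is_startup_shortcut(p)]
        if pairs and shortcuts:
            findings.append({
                "image": image_of[guid],
                "drop_dirs": pairs,
                "startup_shortcuts": shortcuts,
            })
    return findings


# Constructed telemetry (GUIDs and paths are placeholders, not real indicators).
SAMPLE_EVENTS = [
    # installer process drops an EXE and a DLL into the profile, then a Startup .lnk
    {"ProcessGuid": "{00000000-0000-0000-0000-0000000000a1}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Viewer\Viewer.exe"},
    {"ProcessGuid": "{00000000-0000-0000-0000-0000000000a1}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Viewer\example_plugin.dll"},
    {"ProcessGuid": "{00000000-0000-0000-0000-0000000000a1}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Viewer.lnk"},
    # ordinary software install: EXE+DLL pair under Program Files, no Startup shortcut
    {"ProcessGuid": "{00000000-0000-0000-0000-0000000000b2}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\ExampleApp\app.exe"},
    {"ProcessGuid": "{00000000-0000-0000-0000-0000000000b2}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\ExampleApp\helper.dll"},
    # user saving a document: unrelated noise
    {"ProcessGuid": "{00000000-0000-0000-0000-0000000000c3}", "Image": r"C:\Program Files\ExampleOffice\writer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\invoice.docx"},
]

if __name__ == "__main__":
    for f in correlate_dropper_chains(SAMPLE_EVENTS):
        print(f"{f['image']} dropped into {f['drop_dirs']} and persisted via {f['startup_shortcuts']}")
```

Only the first process produces a finding. In practice you would feed this the FileCreate stream for a window of minutes, and the directories it reports are the ones to pull for the signed-EXE-plus-unsigned-DLL check.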