Janeleiro – a new banking Trojan targeting Brazil

ESET researchers have been tracking a newly discovered Trojan that has targeted Brazilian corporate users since 2019 across multiple industries, including engineering, healthcare, retail, manufacturing, finance, transportation and government. The researchers named the threat Janeleiro.

Janeleiro deceives victims by popping up fake windows imitating Brazilian bank websites; these contain bogus forms designed to induce victims to enter bank credentials and personal information. Janeleiro is written in Visual Basic .NET, which sets it apart from the Delphi-based banking Trojans that are typical of the region.

Telemetry data confirms that this malware targets only Brazilian corporate users. The attackers sent malicious emails to Brazilian companies; although these were not targeted attacks, the emails appear to have been sent in small batches. Telemetry shows that the affected industries include engineering, healthcare, retail, manufacturing, finance, transportation and government.

The email contains a link to a compromised server. The page retrieved through this link redirects to a ZIP archive hosted in Azure, and that ZIP archive delivers the Janeleiro Trojan. Some of the emails skip the compromised server and link directly to the ZIP archive.
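The delivery chain above (link to a compromised host, 30x redirect, ZIP download from Azure hosting) can be spotted in web-proxy logs. The following is an added example, not code from ESET or from the report: it reconstructs per-client redirect chains and flags those ending in a ZIP download from an Azure-hosted domain. The log format, the Azure host suffixes and the sample log lines are constructed assumptions for this example.

```python
# Added example (not from ESET's report): reconstruct HTTP redirect chains
# from proxy logs and flag chains that end in a ZIP download from an
# Azure-hosted domain, matching the delivery pattern described above.
import re
from collections import defaultdict

# Assumed proxy log format: ts client method url status [location]
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3})(?: (\S+))?$')
# Assumed hosting suffixes; tune to what the environment legitimately uses.
AZURE_SUFFIXES = ('.blob.core.windows.net', '.azurewebsites.net')

def parse(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, method, url, status, loc = m.groups()
            events.append((ts, client, method, url, int(status), loc))
    return events

def host_of(url):
    m = re.match(r'https?://([^/:]+)', url)
    return m.group(1).lower() if m else ''

def find_zip_chains(lines):
    """Return {client: [chain, ...]}; a chain is the list of URLs visited
    (following 30x Location headers) that ends in a .zip from Azure."""
    pending = defaultdict(dict)   # client -> {expected next url: chain so far}
    hits = defaultdict(list)
    for ts, client, method, url, status, loc in parse(lines):
        chain = pending[client].pop(url, []) + [url]
        if 300 <= status < 400 and loc:
            pending[client][loc] = chain   # wait for the follow-up request
        elif status == 200 and url.lower().endswith('.zip') \
                and host_of(url).endswith(AZURE_SUFFIXES):
            hits[client].append(chain)
    return dict(hits)

# Constructed sample log: one redirect chain, one direct download,
# and one benign internal ZIP that must not be flagged.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 10.0.0.5 GET http://example-compromised.test/promo 302 https://acct.blob.core.windows.net/pub/fatura.zip
2021-03-01T10:00:02Z 10.0.0.5 GET https://acct.blob.core.windows.net/pub/fatura.zip 200
2021-03-01T10:05:00Z 10.0.0.7 GET https://acct.blob.core.windows.net/pub/fatura.zip 200
2021-03-01T10:06:00Z 10.0.0.9 GET https://intranet.example.test/report.zip 200
""".splitlines()

if __name__ == '__main__':
    for client, chains in find_zip_chains(SAMPLE_LOG).items():
        for chain in chains:
            print(client, ' -> '.join(chain))
```

Direct downloads (the second pattern described above) show up as single-element chains, so correlate them with mail-gateway URL logs to confirm the email origin.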

The attack process of Janeleiro is as follows:

[Figure: Janeleiro attack chain]

The researchers observed the evolution time of the Janeleiro Trojan from 2019 to 2021:

[Figure: Janeleiro version timeline, 2019 to 2021]

The discrepancy between this timeline and the malware's internal version numbering indicates that development began as early as 2018. By 2020, the attackers decided to return to an earlier version of the code, improve it, and rework its command-handling routine so that operators could control it more effectively during an attack.

IOCs