ESET researchers have been tracking a newly discovered banking Trojan that has been targeting Brazilian corporate users since 2019 across multiple industries, including engineering, healthcare, retail, manufacturing, finance, transportation and government. The researchers named the threat Janeleiro.
Janeleiro deceives victims by displaying pop-up windows that imitate the websites of Brazilian banks; these windows contain fake forms designed to trick victims into entering their banking credentials and personal information. Janeleiro is written in Visual Basic .NET, which sets it apart from the Delphi-based banking Trojans that are typical for the region.
Telemetry data confirms that this malware targets only Brazilian corporate users. The attackers sent malicious phishing emails to Brazilian companies. Although these emails were not targeted attacks, they appeared to be sent in small batches. Telemetry data shows that the affected industries include engineering, healthcare, retail, manufacturing, finance, transportation and government.
The phishing email contains a link to a compromised server. The page retrieved from that link redirects to a ZIP archive download hosted in Azure, and the ZIP archive delivers the Janeleiro banking Trojan. Some of the emails skipped the compromised server and linked directly to the ZIP archive.
The attack process of Janeleiro is as follows:
The researchers observed the evolution time of the Janeleiro Trojan from 2019 to 2021:
Discrepancies between this timeline and the malware's internal version numbering indicate that it has been in development since at least 2018. In 2020, the attackers decided to go back to an earlier version of the code, improve it, and refine its command handling so that operators could control it more effectively during an attack.