JanelaRAT Exposed: How Cybercriminals Target Latin American Finances
A comprehensive Q&A about JanelaRAT malware that targets Latin American bank and crypto users via phishing emails, DLL sideloading, and evasive techniques.
JanelaRAT is a dangerous malware strain that specifically targets financial and cryptocurrency users in Latin America. First spotted in June 2023, it evolved from the BX RAT family and uses clever tricks like title bar detection to steal banking data. Below, we answer key questions about this threat, its infection methods, and how you can stay safe.
What is JanelaRAT and why does it target Latin America?
JanelaRAT (named from the Portuguese word for “window”) is a remote access trojan designed to steal financial information from banks and cryptocurrency platforms in Latin America. It emerged in mid-2023 as a modified variant of the older BX RAT. The malware focuses on users in this region because threat actors exploit local gaps in cybersecurity awareness and language barriers. By capturing login credentials and transaction data, attackers can drain accounts or carry out fraud. Kaspersky detects it as Trojan.Script.Generic and Backdoor.MSIL.Agent.gen. It continuously updates to avoid detection, making it a persistent danger for Latin American users.

How does JanelaRAT initially infect a victim’s computer?
Infection begins with a phishing email that pretends to be about unpaid invoices. The email contains a link to a fake PDF file, which redirects the victim to a malicious website. From there, a compressed file (ZIP, RAR, etc.) is downloaded. Inside, attackers pack a mix of VBScripts, XML files, BAT scripts, or even other ZIP archives. These scripts eventually download a final ZIP that includes components for DLL sideloading. Once executed, the sideloading technique loads JanelaRAT as the primary payload. This multistage chain makes detection harder because each step looks harmless on its own.
What makes JanelaRAT different from its predecessor BX RAT?
The key difference lies in JanelaRAT’s custom title bar detection mechanism. While BX RAT used traditional methods to identify financial websites, JanelaRAT reads the title bar of the victim’s browser window. This lets it match exactly against a list of targeted banks and crypto platforms. If a match is found, the malware triggers actions like keylogging, screen captures, or form grabbing. Additionally, JanelaRAT’s code is more streamlined and uses fewer installation steps than BX RAT, reflecting efforts by its developers to simplify the attack process and reduce the chance of errors.
How has the infection chain evolved over time?
Since June 2023, attackers have refined the delivery method. Early campaigns used a bundle of VBScripts, XML, and BAT files. In later versions, they integrated MSI files specially crafted to act as an initial dropper. The MSI hides file paths and names to thwart analysis, then creates ActiveX objects to manipulate the system. It sets up persistence via startup shortcuts and stores a first-run indicator. Over time, auxiliary files such as configuration files have also changed to avoid antivirus detection. Overall, the infection chain has become shorter and more automated, making it easier for attackers to deploy JanelaRAT at scale.

What financial data does JanelaRAT steal and how does it recognize targets?
JanelaRAT primarily aims for login credentials, passwords, and cryptocurrency wallet details from specific banks and financial platforms in Latin America. It recognizes its targets by reading the title bar of the open browser window. When a victim visits a bank’s website, the malware checks if the title matches predefined patterns. If yes, it activates modules for keystroke logging, screenshot capture, or injecting malicious code into the browser. This method is more precise than URL matching because title bars often include the bank’s name directly. The stolen data is then exfiltrated to a command-and-control server controlled by the attackers.
How can users and organizations protect themselves against JanelaRAT?
Protection starts with email vigilance: never click on unexpected invoice links. Use a reliable security solution like Kaspersky, which detects JanelaRAT under its generic signatures. Keep all software updated, especially browsers and PDF readers. Enable multi-factor authentication on financial accounts to limit the damage even if credentials are stolen. For businesses, restrict DLL sideloading paths via security policies and monitor for unusual MSI installations. Regular security awareness training for employees in Latin America can reduce the risk of falling for sophisticated phishing lures. Since JanelaRAT constantly evolves, staying informed about new variants is crucial.
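As an added defender-side illustration (not code from the original article, from Kaspersky, or from any JanelaRAT analysis), the Python script below turns three behaviours described in the infection-chain and protection answers into simple detection heuristics and runs them over constructed endpoint events: a script host launched on a script located under a user-writable folder, a shortcut written into the per-user Startup folder by msiexec or a script host, and a DLL mapped from the same user-writable directory as the executable loading it, which is the usual shape of DLL sideloading. The event field names, paths, and file names in the samples are assumptions made for the example, not real JanelaRAT indicators.

```python
"""Heuristic detections for the delivery and persistence behaviours discussed
in the article, run over constructed endpoint telemetry. Illustrative only:
field names and sample paths are assumptions, not real JanelaRAT artefacts."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|bat|cmd|wsf)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    kind: str          # "process" (child started), "file" (file written), "imageload" (DLL mapped)
    pid: int
    image: str         # full path of the acting process
    target: str = ""   # child image, written file, or loaded DLL
    cmdline: str = ""  # command line of the child for "process" events


def _lower_base(path: str) -> str:
    return ntpath.basename(path).lower()


def _is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events):
    """Return (rule, pid, detail) tuples for events matching one of three
    heuristics tied to the infection chain described in the article."""
    findings = []
    for ev in events:
        if ev.kind == "process" and _lower_base(ev.target) in SCRIPT_HOSTS:
            # Rule 1: a script host running a .vbs/.bat/... from a user-writable
            # location, e.g. archive contents extracted into Downloads or Temp.
            if SCRIPT_EXT.search(ev.cmdline) and _is_user_writable(ev.cmdline):
                findings.append(("script_host_user_dir", ev.pid, ev.cmdline))
        elif ev.kind == "file" and ev.target.lower().endswith(".lnk") \
                and STARTUP_DIR in ev.target.lower():
            # Rule 2: a shortcut dropped into the per-user Startup folder by
            # msiexec or a script host (persistence via startup shortcut).
            if _lower_base(ev.image) in SCRIPT_HOSTS | {"msiexec.exe"}:
                findings.append(("startup_shortcut_persistence", ev.pid, ev.target))
        elif ev.kind == "imageload" and ev.target.lower().endswith(".dll"):
            # Rule 3: a DLL mapped from the same user-writable directory as the
            # executable that loaded it, the shape DLL sideloading usually takes.
            exe_dir = ntpath.dirname(ev.image).lower()
            dll_dir = ntpath.dirname(ev.target).lower()
            if exe_dir == dll_dir and _is_user_writable(dll_dir):
                findings.append(("dll_sideload_candidate", ev.pid, ev.target))
    return findings


# Constructed sample telemetry (assumed field layout, invented paths).
SAMPLE_EVENTS = [
    Event("process", 4100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
          r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\invoice_2023\open.vbs"'),
    Event("file", 4212, r"C:\Windows\System32\msiexec.exe",
          r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viewer.lnk"),
    Event("imageload", 4300, r"C:\Users\ana\AppData\Local\Viewer\viewer.exe",
          r"C:\Users\ana\AppData\Local\Viewer\version.dll"),
    # Benign noise that must not fire: a system DLL loaded from System32.
    Event("imageload", 4300, r"C:\Users\ana\AppData\Local\Viewer\viewer.exe",
          r"C:\Windows\System32\kernel32.dll"),
    # Benign noise: a normal application launch, not a script host.
    Event("process", 900, r"C:\Windows\explorer.exe", r"C:\Program Files\Editor\editor.exe",
          r'"C:\Program Files\Editor\editor.exe" notes.txt'),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Rule 3 in particular will also fire on legitimately per-user installed applications that ship their own DLLs under AppData, so in a real deployment it needs an allowlist of known installers and a signature check on the loaded DLL before it is treated as an alert rather than a triage lead.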