A new banking trojan named Janeleiro has been discovered by security researchers at ESET which is targeting Brazilian corporate users.

Banking Trojan Janeleiro:

According to researchers, the Janeleiro banking trojan has been active since at least 2019 and has been victimizing corporate users in various sectors such as engineering, healthcare, retail, manufacturing, finance, transportation, and governmental institutions.

Detailing the banking trojan, it dupes the targets by sending them pop-up notifications and windows while disguising itself as some of the leading Brazilian banks.

Subsequently, a victim is misled by the malware and made to register their private data including banking credentials.

Dangerous abilities of Janeleiro:

The banking trojan has been reported to have the ability to control and handle on-screen windows, track and steal data about them, kill chrome.exe screen capture, as well as keylogging control keys and mouse movements, and it can hijack clipboards to change bitcoin addresses with those of the cybercriminals in real-time. 

Role of ESET:

ESET is reportedly carrying out analysis and research that is tracking prominent banking trojan malware families that are specifically targeting the Latin American region.

Seemingly, Janeleiro is also tailoring similar schemes as that for malware families for its focal execution.

But, the basic building structure that set the Janeleiro banking trojan apart from the others is its coding language.

Also read,

While the other banking trojans have all been analyzed to be coded in Delphi, the Janeleiro banking trojan has been coded .NET. Other characteristics that set Janeleiro apart include no obfuscation, no custom encryption, and no defenses against security software. 

Almost all of the banking trojan Janeleiros commands or instructions are deployed for the control of the pop-up windows, the mouse, and the keyboard.

Discovering and analyzing Janeleiro:

“The nature of a Janeleiro attack is not characterized by its automation capabilities, but rather by the hands-on approach: in many cases, the operator must adjust the pop-up windows via commands executed in real-time,” noted ESET researcher Facundo Muñoz, who had detected Janeleiro. 

‘It appears that banking trojan was under development as far back as 2018, and in 2020, improved its command processing to give the operator better control during the attack,’ adds the ESET researcher. 

He is also of the opinion that the rather speculative nature of Janeleiro arriving back and forth creates the argument that the malicious actor deploying the banking trojan is still attempting to find an efficient way to manage his tools however appears to be well revised with the trailing of the malware families in Latin America.

It has also been detected that the malicious actor has been utilizing GitHub to store its modules, control its website, as well as upload new repositories every day where it stores the files with the lists of its C & C servers that the trojans retrieve to connect to their operators. 

When one of the banking-related keywords is found on the target’s device, it promptly tries to retrieve the addresses of its C & C servers from GitHub and connects to them. These made-up pop-up windows are created dynamically,on-demand, and controlled by the malicious actor using commands. 

ESET has reportedly alerted GitHub of these mal-activities, however, the repository website is yet to respond.