Security researchers at ESET have discovered a new banking Trojan, named Janeleiro, which targets corporate and government organizations in Brazil.
The researchers have published a report on the trojan.
The Janeleiro Trojan appears to be focused on Brazil and has been used in attacks against organizations in sectors such as healthcare, engineering, retail and finance. The criminals behind the malware have also tried to use it to breach government systems.
According to ESET researchers, Janeleiro is similar to other trojans active in the country, such as Casbaneiro, Grandoreiro and Mekotio, but it is the first of them written in .NET rather than Delphi, which is the usual choice for this family of Brazilian banking trojans.
The trojan is distributed through phishing emails sent to corporate targets, typically claiming to concern unpaid invoices. The messages contain links to compromised servers that redirect to a .zip archive hosted on a cloud service. If the victim extracts the archive and runs the Windows Installer (MSI) package inside it, the installer loads the main trojan DLL.
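The delivery chain above (ZIP archive containing an MSI that loads the trojan DLL) is something mail-gateway or incident triage can check for without ever extracting the archive. The following is an added example written for this article; it is not ESET's code and not part of the malware. It lists ZIP members in memory and flags Windows Installer packages both by extension and by their OLE Compound File header, so a payload renamed to look like an invoice PDF is still caught. The sample archives are constructed for the example and are not real Janeleiro samples.

```python
"""Attachment triage for the lure chain described above: list the members of a
ZIP without extracting it and flag Windows Installer (MSI) payloads.

Added example for this article; it is not ESET's code and not the malware.
MSI packages are OLE Compound File Binary containers, so they begin with
the magic bytes D0 CF 11 E0 A1 B1 1A E1 whatever the file is called.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_installer_members(zip_bytes: bytes) -> list:
    """Return (member_name, reason) for every member that looks like an MSI.

    Matches either on the .msi extension or on the OLE header, so a payload
    renamed to look like an invoice PDF is still caught. Only the first eight
    bytes of each member are read and nothing is written to disk.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(OLE_MAGIC))
            if info.filename.lower().endswith(".msi"):
                hits.append((info.filename, "msi-extension"))
            elif head == OLE_MAGIC:
                # Legacy Office files (.doc/.xls) share this header, so an
                # analyst still has to look; the point is that the file is
                # not what its extension claims to be.
                hits.append((info.filename, "ole-header"))
    return hits


def build_sample_lure_zip() -> bytes:
    """Constructed sample archive (not a real Janeleiro sample): a harmless
    text file, an MSI disguised as an invoice PDF, and an undisguised MSI."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("leia-me.txt", "Segue a fatura em anexo.")
        zf.writestr("fatura_03_2021.pdf", OLE_MAGIC + b"\x00" * 64)
        zf.writestr("instalador.msi", OLE_MAGIC + b"\x00" * 64)
        zf.writestr("docs/", "")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control archive with no installer inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "nothing to see here")
        zf.writestr("report.pdf", b"%PDF-1.4\n%...")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_installer_members(build_sample_lure_zip()):
        print(f"{name}: {reason}")
```

The check is deliberately cheap (eight bytes per member) so it can run inline on every attachment; it does not recurse into nested archives, so a ZIP inside the ZIP still needs a second pass.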
"In some cases, these URLs distribute both Janeleiro and other trojans at different times," says ESET. "This suggests that either the different criminal groups share the same provider for sending spam emails and hosting their malware, or that they are the same group behind all the trojans. We have not yet determined which hypothesis is correct."
Janeleiro first checks the geographical location of the infected machine. If the country code is not Brazil's, the malware stops. If the target is in Brazil, the malware collects a set of operating system details and retrieves the address of its command-and-control (C2) server from a dedicated GitHub page.
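Fetching the C2 address from a GitHub page is a dead-drop resolver (MITRE ATT&CK T1102.001), and it leaves a trace in web proxy logs: a workstation pulling a raw GitHub file with a User-Agent that is neither a browser nor git. The following is an added hunting example written for this article, not ESET's detection logic. The tab-separated log layout, the allowlist of expected User-Agent prefixes, and the GitHub account and repository names in the sample lines are all constructed for the example.

```python
"""Hunting for dead-drop-resolver traffic (MITRE ATT&CK T1102.001) in web
proxy logs: a client that fetches a GitHub page with a non-browser,
non-git User-Agent is a candidate for manual review.

Added example for this article, not ESET's detection logic. The log format
is a constructed tab-separated layout (timestamp, client IP, method, URL,
status, User-Agent); adapt parse_line() to your proxy. The GitHub account
and repository names in the sample lines are placeholders.
"""
import re
from collections import defaultdict

GITHUB_HOSTS = (
    "github.com",
    "raw.githubusercontent.com",
    "gist.github.com",
    "gist.githubusercontent.com",
    "objects.githubusercontent.com",
)
# User-Agent prefixes we expect to see talking to GitHub from a workstation
# (assumed allowlist; extend it with your package managers and IDE plugins).
EXPECTED_UA_PREFIXES = ("Mozilla/5.0", "git/")

_HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields and extract the host."""
    ts, src, method, url, status, ua = line.rstrip("\n").split("\t", 5)
    m = _HOST_RE.match(url)
    host = m.group(1).lower() if m else ""
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "host": host, "ua": ua}


def is_github_host(host: str) -> bool:
    """Exact match or subdomain of a GitHub host; rejects look-alikes such as
    github.com.evil.example."""
    return any(host == h or host.endswith("." + h) for h in GITHUB_HOSTS)


def hunt_dead_drop_fetches(lines) -> list:
    """Return (client, url, user_agent) for GitHub fetches whose User-Agent
    does not look like a browser or git."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_github_host(rec["host"]):
            continue
        if rec["ua"].startswith(EXPECTED_UA_PREFIXES):
            continue
        hits.append((rec["src"], rec["url"], rec["ua"] or "<empty>"))
    return hits


def urls_shared_by_clients(hits, min_clients: int = 2) -> dict:
    """Group hits by URL; the same raw file pulled by several hosts with an
    odd User-Agent is a stronger signal than a single fetch."""
    by_url = defaultdict(set)
    for src, url, _ in hits:
        by_url[url].add(src)
    return {u: sorted(s) for u, s in by_url.items() if len(s) >= min_clients}


# Constructed sample log; these are not real Janeleiro indicators.
SAMPLE_LOG = """\
2021-04-06T13:02:11Z\t10.20.0.15\tGET\thttps://github.com/example-org/tools\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/87.0
2021-04-06T13:04:40Z\t10.20.0.21\tGET\thttps://github.com/example-org/tools.git/info/refs?service=git-upload-pack\t200\tgit/2.31.1
2021-04-06T13:07:03Z\t10.20.0.33\tGET\thttps://raw.githubusercontent.com/placeholder-acct/placeholder-repo/main/config.txt\t200\t
2021-04-06T13:09:58Z\t10.20.0.48\tGET\thttps://raw.githubusercontent.com/placeholder-acct/placeholder-repo/main/config.txt\t200\tUpdater/1.0
2021-04-06T13:10:12Z\t10.20.0.48\tGET\thttps://www.example.com/\t200\tUpdater/1.0
"""

if __name__ == "__main__":
    found = hunt_dead_drop_fetches(SAMPLE_LOG.splitlines())
    for src, url, ua in found:
        print(f"{src} fetched {url} with UA {ua!r}")
    for url, clients in urls_shared_by_clients(found).items():
        print(f"shared dead drop candidate: {url} <- {', '.join(clients)}")
```

Two caveats a SOC will hit straight away: the full URL is only visible for plain HTTP or where the proxy performs TLS interception (with CONNECT-only logs you still get the host and usually the User-Agent, but not the path), and legitimate non-browser tooling that talks to GitHub will generate false positives until the allowlist is tuned for the environment. Note also that, per the geofencing step above, a sandbox outside Brazil will never see this fetch at all, so the detonation environment needs to present a Brazilian country code for the sample to proceed.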
Janeleiro then displays fake pop-up windows designed to look as if they come from some of the largest banks in Brazil, prompting victims to enter personal and banking details.
The trojan has a range of capabilities, including collecting clipboard data, keylogging and screen capture.
As of March, four variants of Janeleiro had been identified, although not all of them carry a distinct internal version number. Some samples were bundled with a password stealer, which suggests that "the team behind Janeleiro has other tools in its arsenal", according to the researchers.
ESET reported the operators' GitHub account and the abuse of the platform to GitHub. The page has since been disabled and the account owner suspended.
"GitHub appreciates the contributions of our research community and is committed to exploring security issues," a GitHub representative told ZDNet. "We disabled the page in accordance with our Acceptable Use Policies after receiving reports that our platform was being used for malicious purposes."