Janela RAT: Financial Cybercrime Campaign Using Fake MSI Installers and Malicious Browser Extensions

Janela Remote Access Trojan (RAT) campaigns leverage fake Windows MSI installers and malicious browser extensions to infiltrate financial networks and exfiltrate sensitive data targeting financial institutions.

The distribution of the latest Janela RAT samples occurs through public GitLab repositories, where attackers host MSI installation files disguised as legitimate software installers (GitLab). Unsuspecting users in Chile, Colombia, and Mexico—the campaign’s primary targets—are lured into downloading these files, believing they are trusted applications from reliable sources.

First identified in mid‑2023, Janela RAT is now believed to be a modified variant of BX RAT, demonstrating advanced techniques for persistence, credential theft, and browser exploitation.

Once executed, the MSI installer initiates a multi‑stage infection process orchestrated through Go, PowerShell, and batch scripts. These scripts unpack a password-protected ZIP archive containing the main Janela RAT executable, a malicious Chromium‑based browser extension, and various supporting components.

Multi‑Stage Unpacking and Configuration

The Go‑based unpacker decodes multiple layers of data, including base64‑encoded command‑and‑control (C2) domains and repository lists, which are written into a local config.json file. A PowerShell or batch script then triggers the RAT executable using a hardcoded filename, launching its core functions. The scripts further identify all installed Chromium browsers such as Chrome or Edge and alter their startup configurations to load the malicious browser extension upon relaunch silently.

The rogue browser extension is central to Janela RAT’s data theft operations. Once activated, it registers a native messaging host that allows direct communication with the RAT’s background processes. Through its CollectRefresh function, the extension gathers extensive data, including:

  • Browser history and cookies.
  • System and session metadata.
  • Installed browser extensions.
  • Tab activity and URL patterns.

If a user visits banking or cryptocurrency platforms, the RAT automatically triggers credential collection routines, exploiting the context for maximum financial gain.

Encrypted C2 Channels and Evasion

Janela RAT connects to remote servers via encrypted WebSocket channels, using dynamically rotated, base64‑encoded C2 domains to evade blacklisting. Its binaries are heavily obfuscated, and the malware employs idle‑state behaviors to appear dormant when not actively stealing data, making detection significantly harder.

Security analysts note that this campaign highlights a renewed effort by financially motivated Latin American threat groups to weaponize software supply channels and browser APIs for large‑scale credential exfiltration.

Organizations and users in the region are urged to:

  • Monitor Indicators of Compromise (IoCs) and unusual outbound network connections.
  • Patch Windows environments thoroughly and enforce multi‑factor authentication.
  • Perform comprehensive threat assessments to uncover vulnerabilities and improve defense posture.

The resurgence of Janela RAT underscores the growing sophistication of Latin American financial cybercrime and the pressing need for proactive, layered security defenses.

Related Articles

Back to top button