Janeleiro a New Banking Trojan Targeting Corporate, Government Targets – E Hacking News
Cybersecurity researchers have identified a banking Trojan that has targeted many organizations across Brazil.
ESET released an advisory on Tuesday on the malware, which has been in development since 2018.
According to the threat intelligence, the Trojan, named Janeleiro, focuses primarily on Brazil and has been used in multiple attacks against large corporations in sectors such as engineering, healthcare, finance, retail, and manufacturing. Notably, the threat actors operating the banking Trojan have also attempted to gain access to government systems using the malware.
According to the researchers, the Trojan resembles other banking Trojans currently operating in Brazil, notably Grandoreiro, Casbaneiro, and Mekotio.
Janeleiro infects systems much as most malware does, though some features differ. First, phishing emails are sent in small batches, disguised as unpaid invoices addressed to the firm. These emails contain links to compromised servers that download a .zip archive hosted in the cloud. If the target opens the archive, a Windows MSI installer loads the main Trojan DLL onto the system.
“In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times,” ESET says.
“…This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct.”
Interestingly, the Trojan first checks the geolocation of the targeted system’s IP address. If the country code is Brazil, it stays resident and carries out its operation; if it is anything other than Brazil, the malware exits automatically.
Janeleiro is used to display fake pop-up windows “on demand,” for example when the operators detect banking-related keywords on the victim’s machine. Once the operators have access to the system, these windows are used to ask targets for sensitive credentials and banking details.