Our final blog as part of our ongoing ransomware series highlights JanelaRAT as the third major threat ECI’s threat hunters have been profiling as we help clients recognize and address the top ransomware attacks today. Along with BlackCat/ALPHV and Lockbit 3.0, which we covered in previous blogs, JanelaRAT is devastating IT systems of its victims. Let’s explore JanelaRAT's particular danger to financial sector targets, and how ECI is advising and protecting clients to guard against this potent ransomware threat.
JanelaRAT is a Dangerous and Elusive Threat
In August, the ECI threat hunting team conducted a proactive analysis of the emerging JanelaRAT threat targeting users in the FinTech sector within the LATAM region. Our research uncovered a dangerous pattern where – after infecting target systems with malicious VBScript sent inside ZIP archives – JanelaRAT unleashes a multi-stage attack methodology that includes DLL side-loading and other aggressive tactics, techniques and procedures (TTPs).
Furthermore, JanelaRAT installs a sophisticated command and control (C2) infrastructure that allows malicious actors to orchestrate and manage attacks remotely on an ongoing basis. This includes a mouse synthesis mode that enables remote control of the mouse to simulate clicks and double-clicks, which could be used to interact with the system as if the attacker were physically present.
As mentioned, JanelaRAT targets the LATAM region, primarily financial and cryptocurrency data from bank and financial institutions. While its exact authors remain unclear, clues to JanelaRAT’s origins were found soon after the ransomware surfaced in June of this year; some underlying source code strings written in Portuguese, indicating that the threat actors who developed JanelaRAT are familiar with that language.
Comprehensive Protections for an Elusive Threat
JanelaRAT’s overall capacity to hide its activities in targeted systems necessitates a comprehensive approach to detection and response. The strain’s ability to execute DLL site-loading from legitimate sources such as VMWare and Microsoft helps evade endpoint monitoring tools. The malware also employs string encryption; can transition to an idle state to avoid detection; and some JanelaRAT script even appears to use Windows Task Manager to launch itself and then self-destruct after performing its tasks to further obscure its activities.
Against this backdrop, ECI is helping clients battle JanelaRAT with rigorous methodologies involving controlled sandbox environments and advanced detection protocols to unearth signs of attack and proactively mitigate potential risks posed by JanelaRAT’s enigmatic VBScript. We’re also helping clients strengthen behavior-based detection mechanisms that can identify suspicious activities even if the malware's signature is not yet known.
These highly-targeted efforts are backed up by broader ECI support for clients that includes optimizing operating systems, applications and security software to ensure the entire IT estate is up to date with the latest patches, updates and definitions. We also implement application whitelisting to allow only approved software to run on client systems, thereby preventing unauthorized or malicious software execution. And ECI’s partnership with Zero Networks for advanced microsegmentation services tailored to our financial sector clients can prevent unauthorized lateral movement and stop ransomware in its tracks.
Finally, as sophisticated as JanelaRAT may be, it still relies on phishing and other social engineering tactics to dupe users into clicking on a malicious link. That’s why ECI is supporting clients with industry-leading training and workforce education for their employees about the risks of opening suspicious emails or downloading files from untrusted sources. Taken together, ECI’s combined efforts are helping clients take a proactive and multi-faceted approach to protecting against JanelaRAT as a particularly virulent and devastating ransomware threat to financial firms.
