In a significant development in cybersecurity, Banana RAT, a notorious remote access trojan linked to Brazilian banking fraud, has advanced its evasion tactics. A recent operation reveals the use of an exposed server to generate polymorphic malware variants, posing a greater challenge for security teams.
Advanced Infrastructure of Banana RAT
The operation utilizes a server that not only hosts malicious files but also actively generates new, disguised payloads. This system was uncovered by researcher Moises Cerqueira, who identified a public index on a single IP address through routine internet scans. The server functions as a dynamic delivery platform, equipped with a payload generator and obfuscation scripts.
According to ANY.RUN, this infrastructure enabled the creation of two distinct Banana RAT versions within a matter of weeks. This adaptability allows the malware to continuously alter its appearance, complicating detection efforts by defenders.
Technical Evolution of the Malware
Analysts executed the exposed setup in a sandbox to trace the malware’s evolution between late May and early June 2026. The server powered both versions, providing insights into the operator’s real-time refinement of evasion techniques. This ongoing transformation means that detection rules based on static samples are less effective.
The malware specifically targets financial transactions, aiming to steal banking credentials. Its ability to regenerate in new forms undermines traditional blocklist defenses, highlighting the need for more sophisticated security measures.
Detailed Analysis of Malware Versions
The initial version of Banana RAT used predictable file names and folders resembling legitimate Windows updates, which made it somewhat identifiable. In contrast, the latest version adopts random file names and folders, with persistence mechanisms shifting to a VBS launcher and hidden tasks with system-level privileges.
Communication with attacker servers is conducted over encrypted WebSocket channels, leveraging unique identifiers for each infected machine. Despite these changes, a fallback IP address remains constant, linking all versions to the same infrastructure.
Security teams are advised to monitor traffic from known indicators and investigate any suspicious PowerShell activity.
Conclusion and Future Outlook
This operation underscores the evolving nature of cyber threats and the necessity for continuous adaptation in defense strategies. Tracking the evolution of Banana RAT through its infrastructure provides a clearer picture of its tactics, enabling better preparation against future attacks. Enterprises are encouraged to integrate live threat feeds and collaborate with SOC teams to enhance their proactive defense capabilities.
