La Era
Apr 16, 2026 · Updated 08:50 AM UTC
Technology

JanelaRAT malware uses fake overlays to steal banking credentials

A new strain of malware called JanelaRAT intercepts sensitive banking data by deploying fraudulent screens over legitimate financial interfaces.

Tomás Herrera

Kaspersky researchers have identified a new strain of malware, JanelaRAT, that intercepts banking credentials by deploying fraudulent overlays on top of legitimate financial interfaces. The malware monitors user activity to detect when a victim opens a banking window, at which point it launches a deceptive screen to capture passwords and authentication codes.

The software operates by mimicking the look of a legitimate banking environment. This allows attackers to harvest sensitive data while the user remains unaware that their session has been compromised.

“This new version represents a significant advancement in the capabilities of attackers, by combining multiple communication channels, full monitoring of the victim, interactive overlays, input injection, and robust remote control functions,” said Isabel Manjarrez, Security Researcher for Latin America at Kaspersky.

Manjarrez noted that the malware is specifically designed to minimize its visibility. It can adapt its behavior to evade detection by anti-fraud software.

Identifying signs of an attack

Users can identify potential attacks by watching for specific irregularities during online sessions. Kaspersky warns that an unusually slow loading screen can be a primary indicator of malicious activity.

Other red flags include windows that simulate Windows updates or unexpected pop-up boxes. Users should be wary if a site requests a password or a security token in a manner that deviates from the bank's standard procedures.

JanelaRAT is engineered to manipulate user perception. It blocks normal interactions and waits for the moment a user is most vulnerable to request critical information.

This threat follows a pattern seen in the Horabot campaign reported by Kaspersky in March. During that incident, researchers discovered an exposed database containing 5,384 victims.

Data from that investigation revealed that 93% of those victims were registered in Mexico. The Horabot campaign used fake CAPTCHA verifications to trick users into executing malicious commands on their computers.

Following the initial infection, the campaign used fake interfaces to imitate known services and extract banking credentials through the same type of deceptive layering used by JanelaRAT.
