"JanelaRAT mainly targets financial and cryptocurrency data from LATAM bank and financial institutions," Zscaler ThreatLabz researchers Gaetano Pellegrino and Sudeep Singh said, adding it "abuses DLL side-loading techniques from legitimate sources (like VMWare and Microsoft) to evade endpoint detection."
The exact starting point of the infection chain is unclear, but the cybersecurity company, which discovered the campaign in June 2023, said the unknown vector is used to deliver a ZIP archive file containing a Visual Basic Script.
JanelaRAT, for its part, employs string encryption and transitions into an idle state when necessary to avoid analysis and detection. It's also a heavily modified variant of BX RAT, which was first discovered in 2014.
One of the new additions to the trojan is its ability to capture window titles and send them to the threat actors, but not before registering the newly infected host with the command-and-control (C2) server. Other features of JanelaRAT allow it to track mouse input, log keystrokes, take screenshots, and harvest system metadata.
"JanelaRAT ships with just a subset of the features offered by BX RAT," the researchers said. "The JanelaRAT developer didn't import shell command execution functionality, or file and process manipulation functionalities."
The links to LATAM come from references to organizations operating in the banking and decentralized finance verticals and the fact that the VBScript uploads to VirusTotal originated from Chile, Colombia, and Mexico.
"The usage of original or modified commodity Remote Access Trojans (RATs) is common among threat actors operating in the LATAM region," the researchers said. "JanelaRAT's focus on harvesting LATAM financial data and its method of extracting window titles for transmission underscores its targeted and stealthy nature."
"I got a work Mac with a German keyboard and was struggling to do all my shortcuts as well as finding the symbols. These stickers truly saved my working life, (...) the stickers are matte and not glossy, which is actually WAY better because they don't get fingerprints on them and always look clean compared to the actual Mac keys. I 100% recommend them!"
"Service and product quality at their very best. I can now transform my two French AZERTYs (iMac 27 and MacBook) into Korean QWERTYs at the switch of a button. The stickers' quality is insane, it's clean and strong, I can still clean up my keyboards, and I use them every day. The team is adorable. Many thanks from France!"
"Bought a new laptop and discovered that the keys were a very light grey on grey. Could not see letters, numbers etc. Ordered Black/White decals and it makes all the difference in the world. Took a few weeks to arrive. I highly recommend them. Applying them was easy!"
Keyboard stickers with Spanish (Latin America) captions/letters. Stickers are designed to match "Spanish" and "Latin American" keyboard layouts on Mac, "Latin American" layout on Windows, and "latam" on Linux.
"I ordered these decals to cover the worn-off letters on my Mac keyboard. I ended up putting them on all the keys so it would be uniform. The decals were easy to apply and I had no difficulty getting used to the feel. The decals saved me from having to buy a new $100 keyboard. Thank you!"
"I bought quite a special keyboard not fitting any regular stickers, but they went the extra mile to look at it in detail and make highly tailored stickers to match it exactly. Communication was absolutely great and productive, so I can really recommend it. Well done!"
"Some time ago I bought a laptop on sale, the only downside being it having a Spanish keyboard; since I wanted a US keyboard instead, I bought a set of generic stickers, but the result was questionable at best: they were way too small for my keyboard, and they also were quite different from the original keys. I then searched the internet for a set of stickers specifically tailored for my notebook, I found Keyshorts, and decided to give it a try. Sure, a set of stickers cost more than the generic one, but, boy, the Keyshorts one deserves every cent. The stickers replicate the original keys in every detail, including the exact size of every keycap and the font of the characters. They are also reasonably easy to apply. I strongly recommend these stickers."
During the analysis of the artifacts provided by the SOC team, 20 different spam campaigns were identified, targeting Chile, Mexico, Peru, and Portugal. These campaigns focused on credential theft, specifically credentials for online banking, schools, government services, social media, gaming, e-commerce, public repositories, and Outlook email.
In several cases, the cyber criminals created fake web pages for the victim, such as online banking windows. For the initial infection, the attackers tried to lure the victims into opening different types of fake bills delivered as HTML pages or password-protected PDF files. An example of a PDF file targeting Mexican users is below:
Almost every sector was affected, across financial, government, retail, health and entertainment. If you are interested in knowing whether credentials from your domains were stolen, please check the full list of affected websites here: -Offensive-Security/Blogs/blob/main/Mispadu/Mispadu_sites_only_2023.txt
The tactics, techniques and procedures (TTPs) used during these campaigns resemble those of the banking trojan Mispadu, but they contain new components that have not been seen before. We go into further detail in this blog.
Based on our analysis of the malware, it is clear that the group is very familiar with the main banks and institutions in the targeted Latin American countries. Multiple Spanish words found in the malware suggest that several of the programmers may be Latin American, and specifically Chilean, based on the slang used in the code comments.
Every C2 server holds a list of infected machines (the recon action at step 6 in the diagram above). This list helps us identify which endpoint protection products were running on hosts where Mispadu executed, i.e. which products it was able to get past at the time of infection. Below is an extract of this file, which shows the date and time of infection, the victim's source IP address, country code, Windows OS version, type of payload dropped (AutoIt), and the endpoint protection software installed:
Microsoft Defender, Acronis Cyber Protect, Avast Total Security, Bitdefender Endpoint Security, Carbon Black Cloud, Cisco Secure Endpoint, ESET NOD32, F-Secure, FortiClient, Kaspersky, Malwarebytes, McAfee Anti-Virus, Norton Antivirus/Security Ultra, Panda Dome, Reason Cybersecurity, Sentinel Agent, Sophos Home, Spybot, Symantec Endpoint, Total AV, Trellix Endpoint, 360 Total Security, Avira Security, Baidu Antivirus, COMODO Antivirus, Cybereason AV, Cylance PROTECT and AVG Antivirus.
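The victim list above is the kind of artifact an incident responder gets handed after a C2 takedown or a SOC escalation, and the first two questions are always the same: which products were running on the hosts that got infected, and do any of our own egress addresses appear in it. The script below is an added example (not Metabase Q's code and not reproduced from the C2 server) that parses such a list and answers both. The real file's delimiter and column order are not shown on the page, so the pipe-separated six-column layout, the sample rows (built from documentation IP ranges) and the CIDR of "our" organisation are all assumptions made for this example.

```python
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the spirit of the C2 victim list described above.
# Column order (timestamp | source IP | country | OS version | payload | AV)
# follows the fields named in the blog; the pipe delimiter is an assumption.
SAMPLE_VICTIM_LIST = """\
2023-10-02 14:21:07|203.0.113.45|MX|Windows 10 Pro|AutoIt|Microsoft Defender
2023-10-02 15:03:51|198.51.100.7|CL|Windows 11 Home|AutoIt|ESET NOD32
2023-10-03 09:12:33|203.0.113.200|PE|Windows 10 Home|AutoIt|Avast Total Security
2023-10-03 11:47:19|192.0.2.88|PT|Windows 10 Pro|AutoIt|Microsoft Defender
this line is deliberately malformed and must be skipped
"""


@dataclass(frozen=True)
class Victim:
    infected_at: datetime
    src_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    country: str
    os_version: str
    payload: str
    endpoint_protection: str


def parse_victim_list(text: str) -> list[Victim]:
    """Parse the attacker's victim registry, skipping rows that do not fit the
    expected six columns or carry an unparseable timestamp or IP. Skipping
    rather than raising keeps one corrupt row from blocking the whole triage."""
    victims: list[Victim] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:
            continue
        ts, ip, cc, os_version, payload, av = parts
        try:
            victims.append(
                Victim(
                    infected_at=datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                    src_ip=ipaddress.ip_address(ip),
                    country=cc.upper(),
                    os_version=os_version,
                    payload=payload,
                    endpoint_protection=av,
                )
            )
        except ValueError:
            continue
    return victims


def count_by(victims: list[Victim], field: str) -> Counter:
    """Tally victims by one attribute, e.g. 'endpoint_protection' or 'country'."""
    return Counter(getattr(v, field) for v in victims)


def victims_in_my_ranges(victims: list[Victim], cidrs: list[str]) -> list[Victim]:
    """Return the victims whose source IP falls inside any of our own public
    ranges: these are the rows that turn a threat-intel read into an incident."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [v for v in victims if any(v.src_ip in n for n in nets)]


if __name__ == "__main__":
    victims = parse_victim_list(SAMPLE_VICTIM_LIST)
    print("by endpoint protection:", count_by(victims, "endpoint_protection").most_common())
    print("by country:", count_by(victims, "country").most_common())
    # 203.0.113.0/24 stands in for our organisation's egress range (assumption).
    for v in victims_in_my_ranges(victims, ["203.0.113.0/24"]):
        print(f"possible infection in our range: {v.src_ip} at {v.infected_at} "
              f"({v.os_version}, {v.endpoint_protection})")
```

A hit in `victims_in_my_ranges` tells you only that a host behind that address ran the AutoIt payload far enough to phone home; the endpoint-protection column records what was installed on the host at that moment, not whether the product later alerted or cleaned up, so treat each hit as a lead to confirm on the endpoint rather than a closed finding.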
At Metabase Q, we are focused on constantly updating our systems and protection strategy for new attackers and techniques. Following this discovery, our team and platform rapidly integrated the Mispadu techniques into our Batuta Platform for optimal detection and response:
To avoid getting lost in the many steps of the infection chain, the walkthrough follows the order shown in Figure 2. The analysis is based on one of the campaigns observed; the same process applies to all the others.
Step 1: The HTML attachment received via spam email is a highly obfuscated file. It performs two main tasks: it validates that the file was not opened from a mobile device, then it redirects to a [.]click/ site to download the first-stage malware.
Step 2: Once the victim clicks on the malicious link, they are redirected to another site, where a ZIP or RAR archive is downloaded. Looking at the code on the C2 server side, three validations are performed before this file is served:
If all validations pass, a RAR file is downloaded, named with a hardcoded per-campaign prefix followed by a random sequence of numbers; in the figure below, a file named doc-Impuestos_.rar will be created:
In this function, the first thing done is to send the list of running applications. Then the screen is blocked, which prevents the user from using the machine. Note that control of a window is taken from the application selected by the attackers. From there, the attacker can control the mouse, read keystrokes, take screenshots, and so on.
Another notable function is the survey command, which can trigger a fake bank login. In Figure 27 we can see that it calls the OpenSurvey function, which receives a URL as a parameter.
This function loads the content from the URL, then opens a new window and locks the background so that the victim can only interact with that window. The survey object is a C# Form that simply hosts a Web Browser control pointed at the received URL.
The loaded HTML works as intended: resources are loaded and requests work. The command also carries the relative size of the window, so it can cover the full screen or only part of it.