Cybersecurity researchers have disclosed a new banking malware targeting users in Brazil. The malicious software, written in the Rust programming language, represents a significant shift from the Delphi-based tools typically used by threat actors in the region.
First discovered in late March, the malware has been codenamed VENON by Brazilian security firm Morphus Labs. It is designed to infect Windows systems and deploy fraudulent overlay windows on the websites of at least 33 major Brazilian financial institutions.
Technical Operation and Credential Theft
The primary function of the VENON malware is to steal online banking credentials and sensitive financial data. It achieves this by injecting malicious code into a victim’s web browser. When a user visits the website of a targeted bank, the malware presents a fake login page that overlays the legitimate one.
This technique, known as a web inject or overlay attack, is designed to capture usernames, passwords, and two-factor authentication codes. The stolen information is then transmitted to servers controlled by the attackers, enabling them to conduct fraudulent transactions and drain accounts.
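The overlay technique just described leaves traces in the page itself that a bank's own front-end integrity script or a browser extension can look for. The following is an added example, not code from the Morphus Labs report or from VENON; it works on a simplified, constructed DOM snapshot rather than a live document, uses a constructed bank origin (example-bank.test), a constructed collection endpoint (collector.invalid) and an assumed z-index threshold, and flags the two hallmarks of a web inject or overlay: a credential form that submits to an origin other than the bank's, and a floating pane stacked above the page that carries a password field.

```javascript
// Added example, not code from the Morphus Labs report or from VENON itself:
// a defensive heuristic that inspects a simplified snapshot of a banking page
// for two hallmarks of an overlay / web-inject attack:
//   1. a form containing a password field whose action posts to an origin
//      other than the bank's own, and
//   2. a fixed- or absolute-positioned element with a very high z-index that
//      contains a password field (a fake login pane stacked over the real one).
// The node model and the sample page below are constructed for this example.

const PAGE_ORIGIN = "https://www.example-bank.test"; // constructed, not a real bank

// Minimal DOM-like node: { tag, attrs?, style?, children? }.
// Pre-order traversal, so a parent is visited before its children.
function* walk(node) {
  yield node;
  for (const child of node.children || []) yield* walk(child);
}

function containsPasswordField(node) {
  for (const n of walk(node)) {
    if (n.tag === "input" && n.attrs && n.attrs.type === "password") return true;
  }
  return false;
}

// Resolve a form action the way a browser would (relative to the page)
// and return its origin, or null if the action cannot be parsed.
function actionOrigin(action, pageOrigin) {
  try {
    return new URL(action, pageOrigin).origin;
  } catch {
    return null;
  }
}

const OVERLAY_ZINDEX_THRESHOLD = 1000; // assumed tuning value for this example

function findInjectIndicators(root, pageOrigin = PAGE_ORIGIN) {
  const findings = [];
  for (const node of walk(root)) {
    const attrs = node.attrs || {};
    const style = node.style || {};

    // Indicator 1: credential form that submits somewhere other than the bank.
    if (node.tag === "form" && containsPasswordField(node)) {
      const target = actionOrigin(attrs.action || "", pageOrigin);
      if (target !== pageOrigin) {
        findings.push({ kind: "offsite-credential-form", detail: attrs.action || "" });
      }
    }

    // Indicator 2: floating pane above the page that carries a password field.
    const floating = style.position === "fixed" || style.position === "absolute";
    if (floating && Number(style.zIndex) >= OVERLAY_ZINDEX_THRESHOLD && containsPasswordField(node)) {
      findings.push({ kind: "overlay-with-credential-field", detail: attrs.id || "(no id)" });
    }
  }
  return findings;
}

// Constructed sample: the bank's legitimate form plus an injected overlay.
const LEGIT_FORM = {
  tag: "form",
  attrs: { id: "login", action: "/login" },
  children: [
    { tag: "input", attrs: { type: "text", name: "user" } },
    { tag: "input", attrs: { type: "password", name: "pass" } },
  ],
};

const INJECTED_OVERLAY = {
  tag: "div",
  attrs: { id: "ovl" },
  style: { position: "fixed", zIndex: "9999" },
  children: [
    {
      tag: "form",
      attrs: { action: "https://collector.invalid/submit" }, // constructed off-site origin
      children: [
        { tag: "input", attrs: { type: "text", name: "user" } },
        { tag: "input", attrs: { type: "password", name: "pass" } },
        { tag: "input", attrs: { type: "text", name: "otp" } },
      ],
    },
  ],
};

const CLEAN_PAGE = { tag: "body", children: [LEGIT_FORM] };
const INJECTED_PAGE = { tag: "body", children: [LEGIT_FORM, INJECTED_OVERLAY] };

console.log(JSON.stringify(findInjectIndicators(INJECTED_PAGE), null, 2));
```

In a real deployment the snapshot would be built by walking `document.body` from the bank's own integrity script or a browser extension, and the findings would be reported to the bank's fraud-monitoring backend rather than printed. Both indicators are signals, not proof: legitimate pages use modals with high z-index too, so a hit should raise the risk score of the session rather than block it outright, and the off-site form check is the stronger of the two because a genuine login form has no reason to post credentials to another origin.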
A Shift in Malware Development
The use of the Rust programming language is a notable development in the Latin American cybercrime landscape. For years, prominent banking malware families like Grandoreiro and Mekotio have been written in Delphi, a legacy development environment.
Rust offers several advantages for malware authors that may explain this shift. It provides low-level control similar to languages like C and C++, but with built-in memory safety features that can make the resulting malicious code more stable and harder for security analysts to reverse-engineer. Furthermore, Rust’s growing popularity in legitimate software development can help malicious code blend in with normal network traffic.
Distribution and Infection Methods
Initial reports indicate that VENON is distributed through phishing campaigns. These campaigns use deceptive emails that impersonate trusted entities, such as government agencies or utility companies. The emails contain malicious attachments or links that, when opened, download and execute the malware payload on the victim’s computer.
The malware employs persistence mechanisms to ensure it remains installed on an infected system even after a reboot. It also uses anti-analysis techniques to evade detection by security software.
Scope of the Threat and Targeted Institutions
The malware’s target list includes a wide range of Brazilian banks, from large national institutions to major regional players. This broad targeting suggests the attackers aim to maximize their potential victim pool. While the current campaign is focused on Brazil, the technical capabilities of the malware are not geographically limited and could be adapted for use against banks in other countries.
Financial institutions and cybersecurity agencies in Brazil have been notified of the threat. Standard advisories urging customers to be vigilant against phishing attempts and to use official banking applications have been issued.
Next Steps and Mitigation
Security researchers are continuing to analyze the VENON malware to uncover its full capabilities and identify its command-and-control infrastructure. Law enforcement collaboration may be initiated to track the actors behind the campaign.
For the foreseeable future, cybersecurity firms expect to see increased monitoring for Rust-based threats in the financial sector. Organizations and individuals are advised to maintain updated antivirus software, implement multi-factor authentication where available, and exercise extreme caution with unsolicited email attachments and links.
Source: Morphus Labs