
Cybersecurity researchers have revealed details of a new banking malware written in Rust that targets users in Brazil, a notable departure from the Delphi-based malware families that dominate the Latin American cybercrime ecosystem.
The malware, which targets Windows systems and was first discovered last month, has been codenamed VENON by Brazilian cybersecurity company ZenoX.
What’s notable about VENON is that its behavior is consistent with existing banking Trojans targeting the region, including Grandoreiro, Mekotio, and Coyote, particularly in features such as banking overlay logic, active window monitoring, and shortcut (LNK) hijacking.
The malware has not been attributed to any previously documented group or campaign. However, an earlier version of the artifact dating back to January 2026 was found to expose the full build path from the malware author’s development environment. The path repeatedly references the Windows username “byst4” (for example, “C:\Users\byst4\…”).
“Rust’s code structure exhibits patterns that suggest that developers familiar with the functionality of existing Latin American banking Trojans used generative AI to rewrite and extend this functionality in Rust. This is a language that requires significant technical experience to use at the advanced level observed,” ZenoX said.
VENON is distributed through infection chains that rely on DLL sideloading to get the malicious DLL loaded by a legitimate, signed executable. The campaign is suspected of using ClickFix-style social engineering to trick users into running a PowerShell command that downloads a ZIP archive containing the payload.
Once the DLL is loaded, it runs nine evasion techniques, including anti-sandbox checks, indirect system calls, an ETW bypass, and an AMSI bypass, before initiating any malicious activity. It then retrieves its configuration from a Google Cloud Storage URL, installs scheduled tasks for persistence, and establishes a WebSocket connection to the command-and-control (C2) server.

The DLL also drops two Visual Basic Script blocks that implement a shortcut hijacking mechanism aimed specifically at the Itaú banking application. The component replaces legitimate shortcuts with modified versions that redirect victims to web pages under the attacker’s control.
The malware also supports an uninstall routine that reverts its changes, suggesting that operators can remotely restore the original shortcuts to cover their tracks.
Overall, the banking malware is equipped to target 33 financial institutions and digital asset platforms. It monitors window titles and active browser domains, activates only when a targeted application or website is open, and steals credentials by displaying a fake overlay on top of the legitimate one.
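The shortcut hijacking described above can be checked for on disk. The following is an added example, not ZenoX’s code or anything recovered from VENON: it parses the StringData section of a Windows shell link (.lnk) file per the MS-SHLLINK format and flags a shortcut whose target no longer matches the expected executable, points at a browser with a URL argument, or points at a script host such as wscript.exe (the kind of target a dropped VBScript would use). The sample shortcuts, the expected target name bank.exe, the browser and script-host lists, and the example URL are all constructed for the demo; a production scanner would additionally resolve the LinkTargetIDList and LinkInfo fields, which this check skips.

```python
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData entries appear in this fixed order (MS-SHLLINK 2.4)
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed lists for the heuristic: browsers and script hosts that a replaced
# "bank" shortcut might be pointed at instead of the real client.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk blob (header is validated first)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole struct
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        fields[name] = ""
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def build_lnk(relative_path: str, arguments: str = "", name: str = "") -> bytes:
    """Constructed sample: a minimal Unicode .lnk made of header + StringData only."""
    flags = IS_UNICODE
    body = b""
    for flag, value in ((HAS_NAME, name), (HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments)):
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    return bytes(header) + body


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shortcut_hijack_indicators(fields: dict, expected_target: str) -> list:
    """Reasons the shortcut looks replaced; an empty list means it matches expectations."""
    target = basename(fields["relative_path"])
    reasons = []
    if target != basename(expected_target):
        reasons.append("target is %s, expected %s" % (target or "<none>", basename(expected_target)))
    url = URL_RE.search(fields["arguments"])
    if target in BROWSERS and url:
        reasons.append("opens browser at " + url.group(0))
    if target in SCRIPT_HOSTS:
        reasons.append("target is a script host: " + target)
    return reasons


if __name__ == "__main__":
    # Constructed shortcuts: the genuine client, a browser redirect, and a VBS launcher
    samples = {
        "legit": build_lnk(r"..\..\..\Program Files\BankClient\bank.exe", name="Bank"),
        "browser": build_lnk(r"..\..\..\Program Files\Google\Chrome\Application\chrome.exe",
                             "--app=http://bank-login.example/", name="Bank"),
        "vbs": build_lnk(r"..\..\..\Windows\System32\wscript.exe", r'"C:\Users\Public\upd.vbs"', name="Bank"),
    }
    for label, blob in samples.items():
        print(label, shortcut_hijack_indicators(parse_lnk(blob), "bank.exe"))
```

On a real host, point the parser at the .lnk files under the user's Desktop, Start Menu and Public Desktop folders and compare each against the target you expect for that shortcut name; a shortcut that suddenly launches a browser, wscript.exe or mshta.exe is the behaviour this component produces.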
The disclosure comes amid a campaign in which threat actors exploited WhatsApp’s popularity in Brazil to distribute a worm named SORVEPOTEL via the desktop web version of the messaging platform. The attack abuses already-authenticated WhatsApp Web sessions to send malicious lures directly to the victim’s contacts, ultimately leading to the deployment of banking malware such as Maverick, Casbaneiro, and Astaroth.
“A single WhatsApp message delivered through a hijacked SORVEPOTEL session was enough to draw the victim into a multi-step chain that ultimately resulted in the Astaroth implant being fully executed in memory,” Blackpoint Cyber said.
“The combination of local automation tools, unsupervised browser drivers, and a user-writable runtime created an unusually permissive environment that allowed both the worm and the final payload to establish themselves with minimal friction.”
