Trend Micro's MDR team conducted a rare dual-perspective investigation into Banana RAT, a banking trojan attributed to threat cluster SHADOW-WATER-063, targeting exclusively Brazilian financial institutions. The operation uses a FastAPI-based polymorphic payload generator producing 100-200 hash-unique builds per campaign, delivered via WhatsApp or phishing lures disguised as electronic invoice files. The PowerShell-based client executes entirely in memory using AES-256-CBC encrypted payloads, establishes persistence via hidden scheduled tasks, and communicates over a custom encrypted C&C protocol. Capabilities include live screen streaming, remote input control, keylogging, fake banking overlays impersonating major Brazilian banks, and a dedicated Pix QR code interception subsystem. Attribution points to a Brazilian Portuguese-speaking operator with Tetrade-adjacent tradecraft, though architectural differences (Python/FastAPI vs. Delphi) suggest an adjacent cluster or fork. The platform's MaaS-style infrastructure indicates potential affiliate reselling.

From trendmicro.com