Rust-Based VENON Malware Emerges, Targeting 33 Brazilian Banks with Sophisticated Overlay Attacks


Cybersecurity researchers have uncovered a new and sophisticated banking malware campaign targeting financial institutions in Brazil. Dubbed VENON by the Brazilian cybersecurity firm ZenoX, the threat marks a notable evolution in the regional cybercrime landscape because of its implementation language: Rust. Unlike most established Latin American banking trojans, such as Grandoreiro, Mekotio, and Coyote, which are traditionally written in Delphi, VENON's Rust-based architecture points to a shift towards more modern, memory-safe and performant codebases whose compiled binaries are also harder for analysts and security tools to pick apart and detect. The malware, first identified in late 2024, infects Windows systems and has been observed targeting 33 specific Brazilian banks, deploying credential-stealing overlay windows to capture sensitive user data.

VENON's technical sophistication shows in both its infection chain and its operational security. The malware is distributed through a multi-stage process that leans heavily on social engineering, likely a "ClickFix"-style lure in which a fake error or verification prompt talks the victim into running a command themselves. Victims are tricked into downloading a ZIP archive that contains a malicious PowerShell script. This script initiates a DLL side-loading attack, a technique in which a legitimate, signed executable is launched so that it loads a malicious Dynamic Link Library (DLL) dropped beside it under the name of a library the executable expects. Once running, the malware works through nine evasion techniques before deploying any malicious payload. These include anti-sandbox checks, the use of indirect system calls (to slip past the user-mode API hooks that EDR products install), and bypasses for Microsoft's Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI), which blind event telemetry and script scanning respectively. This layered defense evasion reflects a high level of technical proficiency aimed at defeating automated security analysis.

Further analysis by ZenoX reveals intriguing details about VENON's origins and development. While the malware has not yet been attributed to a known threat actor, an earlier artifact from January 2024 contained hard-coded file paths pointing to a developer's machine with the username "byst4" (e.g., "C:\Users\byst4\..."). More notably, the researchers posit that the developer, while familiar with the capabilities of existing Latin American banking trojans, may have used generative AI to help rewrite and expand those capabilities in Rust. This hypothesis rests on patterns in the code structure. Rust's ownership model and type system impose a steep learning curve compared with Delphi, so the actor either has that expertise or is leveraging AI tools to bridge the knowledge gap, a concerning trend in malware development.

The malware's core functionality follows classic banking trojan behavior but is implemented with modern efficiency. After its evasion checks, VENON fetches its configuration from command-and-control (C2) infrastructure hosted on Google Cloud Storage. It then establishes persistence on the victim's machine, often by hijacking shortcut (LNK) files so that an existing shortcut launches the malware. Its primary malicious function is to monitor the active window for the banking applications and portals of the 33 targeted banks. When a user opens one of them, VENON draws a fraudulent overlay, a fake login screen, over the genuine window and captures the credentials the victim types into it. This data is then exfiltrated to the attacker's server. The shift to Rust, combined with advanced evasion and cloud-hosted C2, indicates that threat actors in the region are investing in more resilient and stealthy malware, posing a heightened risk to the financial sector in Brazil and potentially beyond.
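The infection chain (ClickFix-style PowerShell launch, DLL side-loading) and the later stages (LNK persistence, configuration fetch from cloud storage) described above map onto host telemetry that defenders already collect. The following Python is an added example written for this page, not code from ZenoX or from the malware: it runs one detection rule per stage over constructed Sysmon-style events. The event shape, the file paths, the rule names and the hostname `storage.googleapis.com` are assumptions for illustration, not indicators from the report.

```python
"""
Constructed detection example: flag the stages the VENON write-up describes
(ClickFix-style PowerShell launch, DLL side-loading, LNK persistence, config
fetch from cloud storage) in Sysmon-like telemetry. Event shapes, paths and the
storage hostname are assumptions for illustration, not indicators from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
TRUSTED_DIRS = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)
STARTUP_LNK = re.compile(r"\\(start menu\\programs\\startup|desktop)\\[^\\]+\.lnk$", re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)|\biex\b|invoke-expression", re.I)
# Hostname is an assumption: the article only says the config lives on Google Cloud Storage.
CLOUD_STORAGE = {"storage.googleapis.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Event:
    kind: str                 # "process", "imageload", "file", "network"
    image: str                # full path of the acting process
    parent: str = ""
    cmdline: str = ""
    image_signed: bool = True
    loaded: str = ""          # DLL path for imageload events
    loaded_signed: bool = True
    target: str = ""          # file path for file events
    dest_host: str = ""


def basename(p: str) -> str:
    return p.rsplit("\\", 1)[-1].lower()


def clickfix_launch(e: Event) -> bool:
    """explorer.exe (the user pasting into Run/terminal) spawning obfuscated PowerShell."""
    return (e.kind == "process" and basename(e.image) in {"powershell.exe", "pwsh.exe"}
            and basename(e.parent) == "explorer.exe" and bool(ENCODED_PS.search(e.cmdline)))


def dll_sideload(e: Event) -> bool:
    """Signed host binary running outside trusted dirs loads an unsigned DLL from a user-writable path."""
    return (e.kind == "imageload" and e.image_signed and not e.loaded_signed
            and not TRUSTED_DIRS.match(e.image) and not TRUSTED_DIRS.match(e.loaded)
            and bool(USER_WRITABLE.match(e.loaded)))


def lnk_persistence(e: Event) -> bool:
    """A .lnk in Startup/Desktop written by something other than the shell."""
    return (e.kind == "file" and bool(STARTUP_LNK.search(e.target))
            and basename(e.image) != "explorer.exe")


def cloud_c2_fetch(e: Event) -> bool:
    """Non-browser process pulling from a public object store (config staging)."""
    return (e.kind == "network" and e.dest_host.lower() in CLOUD_STORAGE
            and basename(e.image) not in BROWSERS)


RULES = {
    "clickfix_launch": clickfix_launch,
    "dll_sideload": dll_sideload,
    "lnk_persistence": lnk_persistence,
    "cloud_c2_fetch": cloud_c2_fetch,
}


def detect(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every event that trips a rule."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


# Constructed telemetry approximating the chain described in the article.
SAMPLE = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    Event("imageload", r"C:\Users\alice\AppData\Local\Temp\pkg\updater.exe",
          image_signed=True, loaded=r"C:\Users\alice\AppData\Local\Temp\pkg\version.dll",
          loaded_signed=False),
    Event("file", r"C:\Users\alice\AppData\Local\Temp\pkg\updater.exe",
          target=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bank.lnk"),
    Event("network", r"C:\Users\alice\AppData\Local\Temp\pkg\updater.exe",
          dest_host="storage.googleapis.com"),
    # Benign noise: a browser reaching the same object store, a signed DLL from System32.
    Event("network", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest_host="storage.googleapis.com"),
    Event("imageload", r"C:\Program Files\App\app.exe", loaded=r"C:\Windows\System32\version.dll"),
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE):
        print(f"event {idx}: {rule}")
```

Each rule targets one stage independently, so an event trips only what it actually matches, and the two benign events at the end (a browser reaching the same object store, a signed DLL loaded from System32) show the allowlisting that keeps the rules quiet on normal activity. In production the same conditions would be expressed as Sigma or EDR queries against Sysmon event IDs 1, 7, 11 and 3 rather than evaluated in a script.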
