Banana RAT’s end-to-end kill chain | Image: TrendMicro
A sophisticated, highly focused banking trojan is actively undermining the security controls of financial institutions across South America.
A detailed forensic threat investigation published by the TrendAI Counter Threat Unit has exposed the full operational model of Banana RAT. Attributed to an established cybercriminal cluster tracked as SHADOW-WATER-063, the campaign abandons indiscriminate credential phishing in favor of a specialized, operator-driven fraud execution platform.
As the TrendAI Managed Detection and Response (MDR) team details in their technical core findings:
“Banana RAT represents a deliberate, well-resourced threat campaign aimed squarely at Brazilian financial institutions and their customers. What makes this case notable is not just the sophistication of the tooling – it is the intent behind it.”
Most threat-hunting engagements begin at the infected endpoint, forcing analysts to reconstruct the wider operation from fragmentary local logs. During a live incident response engagement, however, TrendAI analysts gained a view behind the operators' own infrastructure.
By recovering tooling from live attacker infrastructure, researchers cross-referenced the server-side builder control panels with real-time telemetry streaming from compromised customer workstations. The report describes this rare degree of visibility:
“While most threat investigations start at the endpoint, this engagement gave us an uncommon view: Server-side tooling recovered directly from attacker infrastructure, cross-referenced against client-side telemetry from compromised hosts.”
The resulting analysis exposes an advanced, polymorphic build engine. The server-side builders compile unique, custom binaries of Banana RAT on demand, varying file hashes and structural layout so that each sample slips past signature-based detection in traditional endpoint detection and response (EDR) platforms.
To achieve initial execution without alerting static endpoint defenses, Banana RAT relies heavily on fileless execution models. The polymorphic installer deploys layered obfuscation routines, wrapping the primary malicious payload inside multiple tiers of Advanced Encryption Standard (AES) wrappers.
When executed, a malicious script loads the encrypted blocks straight into the host machine’s volatile RAM using customized PowerShell execution strings. Because the malware avoids writing signature-heavy script files to disk, it evades file-based scanning and on-disk persistence monitoring.
Once firmly embedded within system memory, Banana RAT activates a suite of intrusive, real-time monitoring tools designed strictly to enable financial theft. The framework contains no standard ransomware locking modules, destructive logic primitives, or classic corporate espionage tools; its design is singularly focused.
The malware implements an operator-driven fraud model. When a victim authenticates to a corporate or personal banking portal, the malware establishes an encrypted command-and-control (C&C) stream and alerts a live human operator, who can actively drive the hijacked banking session through remote input injection, background screen streaming, and localized keylogging.
To prevent the victim from noticing the ongoing theft, Banana RAT deploys highly deceptive user interface overrides. The malware triggers a bank-branded, synthesized “installation progress” fake window overlay that occupies the entire display. While the user watches a simulated step-by-step loading bar, the background operator manipulates account balances and transfers funds out of the account.
Furthermore, the trojan incorporates custom window-title triggers specifically targeting prominent, Brazilian-localized cryptocurrency exchanges to intercept digital wallet transactions. The most dangerous element of this module is its dedicated Pix-QR code interception subsystem, which dynamically alters instantaneous QR payment destinations in memory, siphoning active transfers directly into attacker-controlled mule accounts.
Forensic telemetry indicates that SHADOW-WATER-063 is expanding its footprint by transitioning Banana RAT into a Malware-as-a-Service (MaaS) business model. By selling access to pre-configured builders and C&C proxy channels on underground markets, the core developers are enabling loose networks of criminal affiliates to launch targeted financial fraud campaigns at scale.
To defend against this highly specific threat vector, financial institutions and enterprise networks must implement deep behavioral profiling. TrendAI advises security leaders to monitor process trees for unexpected PowerShell invocations originating from web browsers, employ memory integrity protections capable of identifying reflective DLL loading, and analyze transaction telemetry for anomalous, rapid session-state adjustments during active web banking connections.
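The first of those recommendations, browser-to-PowerShell process ancestry, can be expressed as a simple triage rule. The following is an added example and is not code from the Trend Micro report; it runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), and the browser list, command-line traits and severity scale are assumptions.

```python
"""Flag PowerShell spawned by a web browser, with command-line traits that raise severity."""
from dataclasses import dataclass
import re

# Assumed browser and PowerShell image names; extend to match the estate being monitored.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Heuristic command-line traits associated with in-memory script loading (not signatures).
SUSPICIOUS_ARGS = [
    (re.compile(r"-(?:e|en|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile"),
    (re.compile(r"\bIEX\b|Invoke-Expression|FromBase64String|Reflection\.Assembly", re.I),
     "in-memory load"),
]

@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(event: ProcessEvent) -> dict:
    """Verdict for one event: alert if a browser spawned PowerShell; traits raise severity."""
    parent, child = basename(event.parent_image), basename(event.image)
    traits = [label for rx, label in SUSPICIOUS_ARGS if rx.search(event.command_line)]
    browser_parent = parent in BROWSERS and child in POWERSHELL
    severity = "none"
    if browser_parent:
        severity = "high" if traits else "medium"   # ancestry alone is already unusual
    return {"alert": browser_parent, "severity": severity, "traits": traits}

def triage(events):
    """Return (event, verdict) pairs for every event that should be escalated."""
    return [(e, v) for e in events if (v := assess(e))["alert"]]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QUJD"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcessEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh.exe -Command Get-Date"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
```

Run against the sample set, the first and third events are escalated (high and medium respectively); the scheduled backup script and the benign Notepad launch are not.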