The Evolution of Latin American Banking Trojans: Introducing VENON

The cybercrime ecosystem in Latin America has long been characterized by a specific modus operandi: families of Delphi-based banking trojans, such as Grandoreiro and Javali, distributed primarily through massive phishing campaigns. However, the landscape is shifting. Security researchers have recently identified a new threat actor breaking this mold. Codenamed VENON, this malware represents a significant technical evolution by leveraging the Rust programming language to target 33 Brazilian banks.

Why Rust Matters in Malware Development

While VENON employs the traditional tactic of credential-stealing overlays, its underlying architecture is what sets it apart. Historically, Latin American cybercriminals favored Delphi for its rapid development cycle and ease of creating Windows forms. The shift to Rust signals a maturation of the threat landscape.

Rust offers cybercriminals several advantages:

1. Cross-Platform Capabilities: While VENON currently targets Windows, the Rust codebase makes porting to Linux or macOS significantly easier, potentially expanding the target base in the future.
2. Memory Safety and Obfuscation: Rust’s memory safety features reduce the likelihood of crashes, making the malware more stable. Furthermore, Rust binaries are notoriously difficult to analyze and reverse engineer compared to Delphi or C++, complicating the work of threat hunters.
3. AV Evasion: The smaller footprint and unique compilation artifacts of Rust binaries often evade signature-based antivirus engines that are tuned to detect older Delphi-based threats.

Analysis of VENON's TTPs

VENON is a classic banking trojan in behavior but modern in implementation. Its primary attack vector involves social engineering—likely delivered via malicious email attachments or links masquerading as legitimate financial documents or payment slips (boletos).

Once executed on a Windows system, VENON establishes persistence and begins monitoring user activity. Its core capability is the overlay attack. When the malware detects that the victim has navigated to a targeted banking portal, it launches a deceptive HTML layer over the legitimate browser window. This layer is indistinguishable from the real login page, tricking the user into entering credentials and 2FA codes, which are immediately exfiltrated to the attacker's command-and-control (C2) server.

The malware targets 33 distinct financial institutions, indicating a focused geographic campaign centered on Brazil’s lucrative banking sector.

Detection and Threat Hunting

Detecting Rust-based malware requires a shift from traditional signature reliance to behavioral analysis and heuristic hunting. Below are queries and scripts designed to identify suspicious activity associated with VENON and similar Rust-based threats.

Hunting for Rust Binaries via KQL

Rust binaries often contain specific section names (like .rustc) or lack standard metadata. This query for Microsoft Sentinel hunts for unsigned executables with characteristics common to compiled Rust code running from suspicious paths.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("explorer.exe", "winword.exe", "excel.exe", "outlook.exe")
| where FileName endswith ".exe"
// Filter for unsigned binaries
| where IsSigned == false
| extend FilePath = FolderPath + FileName
// Hunt in user directories where malware often drops
| where FilePath contains @"\AppData\" or FilePath contains @"\Downloads\"
// Project common characteristics of Rust binaries (simplified heuristic)
| project Timestamp, DeviceName, AccountName, FileName, FilePath, ProcessCommandLine, SHA256
| order by Timestamp desc

PowerShell: Checking for Suspicious Persistence

Banking trojans like VENON often create scheduled tasks or registry run keys for persistence. This script searches for recently created tasks running unsigned binaries from user directories.

# Get scheduled tasks that run executables from user profile directories
$suspiciousTasks = Get-ScheduledTask | Where-Object { 
    $_.State -eq 'Ready' -and 
    $_.Actions.Execute -like '*.exe' -and 
    ($_.Actions.Execute -match 'AppData|Downloads|Temp')
}

foreach ($task in $suspiciousTasks) {
    $taskPath = $task.Actions.Execute
    if (-not (Get-AuthenticodeSignature -FilePath $taskPath).SignerCertificate) {
        Write-Host "[!] Suspicious Unsigned Task Found: $($task.TaskName)" -ForegroundColor Red
        Write-Host "    Path: $taskPath"
    }
}

Python: Entropy Check for Packed/Rust Binaries

Rust binaries compiled with release optimizations often have high entropy. This utility script helps analysts scan a directory for high-entropy executables that might be packed or obfuscated.

import os
import math
from collections import Counter

def calculate_entropy(data):
    if not data:
        return 0
    counts = Counter(data)
    entropy = 0
    for count in counts.values():
        p = count / len(data)
        entropy -= p * math.log2(p)
    return entropy

def scan_directory(directory):
    print(f"Scanning directory: {directory}")
    for root, dirs, files in os.walk(directory):
        for file in files:
            if file.endswith(".exe"):
                file_path = os.path.join(root, file)
                try:
                    with open(file_path, "rb") as f:
                        data = f.read(1024) # Read first 1KB for header check
                        entropy = calculate_entropy(data)
                        # Heuristic: High entropy suggests packing or Rust optimization
                        if entropy > 7.0: 
                            print(f"[HIGH ENTROPY] {file_path} - Entropy: {entropy:.2f}")
                except Exception as e:
                    pass

# Usage: scan_directory(r"C:\Users\User\Downloads")

Mitigation Strategies

Defending against sophisticated banking trojans like VENON requires a layered defense approach:

1. Application Allowlisting: Implement strict allowlisting policies (e.g., AppLocker) to prevent unsigned executables from running in user-writable directories like AppData or Downloads.
2. Advanced EDR Configuration: Ensure Endpoint Detection and Response (EDR) tools are tuned to detect process injection and screen scraping behaviors, which are prerequisites for overlay attacks.
3. User Education: Train users to recognize subtle UI irregularities. While overlays are convincing, they often have slight rendering imperfections, and the browser URL may behave unexpectedly (e.g., not updating when navigating).
4. Network Segmentation: Restrict the ability of workstations to communicate directly with external IPs on non-standard ports, limiting the malware's ability to exfiltrate data.

Conclusion

The emergence of VENON highlights a concerning trend: the adoption of modern programming languages by established cybercrime cartels. The move from Delphi to Rust suggests that LATAM threat actors are investing in long-term evasion techniques. Security teams must update their threat models and hunting playbooks to account for these technically advanced adversaries.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub