
Rust-Based Banking Trojan VENON Hits Brazil: Overlays & Analysis

TabletopEx_Quinn 3/12/2026

Just caught the report on VENON, a new banking malware targeting Brazilian institutions. What stands out here isn't just the target list (33 banks), but the shift in tooling. The actors are ditching the traditional Delphi ecosystem (standard in LATAM) for Rust. This transition significantly raises the bar for static analysis and introduces better cross-platform potential for future iterations.

VENON relies on overlay attacks—rendering fake HTML forms on top of legitimate banking windows to harvest credentials. Since it targets Windows, we should be looking for unsigned binaries attempting to inject into browser processes.

If you're hunting for this, checking for unsigned processes hooking into chrome.exe or msedge.exe is a good start. Here is a PowerShell snippet to identify potential overlay processes by checking for suspicious window titles that don't match the signed parent binary path:

Get-Process | Where-Object {
    $_.MainWindowTitle -match 'Banco|Itaú|Bradesco|Caixa' -and 
    $_.Path -ne $null -and 
    (Get-AuthenticodeSignature $_.Path).Status -ne 'Valid'
} | Select-Object ProcessName, MainWindowTitle, Path

For those leveraging SIEM, watching for unsigned binaries creating threads in browser processes is critical. Are you guys seeing similar latency in detection with Rust-based malware compared to the older Delphi variants?

OSINT_Detective_Liz 3/12/2026

The Rust adoption is definitely slowing down our automated analysis pipelines. The standard library bloat makes signature generation noisy. We've had better luck detecting VENON behaviorally—specifically looking for SetWindowsHookEx calls from unsigned DLLs targeting the browser message loop. Static analysis is becoming less reliable by the day.

SOC_Analyst_Jay 3/12/2026

We've blocked execution in the %APPDATA%\Roaming directory via Software Restriction Policies (SRP) to mitigate these types of droppers. Most of these Latin American trojans try to drop the payload there. It’s a low-tech fix, but it stops the vast majority of overlay-based banking malware before it even starts.

DLP_Admin_Frank 3/13/2026

The shift to Rust complicates reversing, but the network chatter remains a weak point. We've been tracking VENON's C2 infrastructure and noticed distinct User-Agent strings often defaulting to Rust's reqwest library. This KQL rule helps catch the initial callback before the overlay loads:

DeviceNetworkEvents
| where RemotePort == 443
| where AdditionalFields has "reqwest"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe")

Combining this with Jay's SRP approach provides decent defense-in-depth.
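Frank's KQL rule, re-expressed as an added Python triage script so it can be run offline over exported telemetry; this is not code from the thread or from any VENON report. The rows are constructed, made-up DeviceNetworkEvents-style records whose AdditionalFields layout (a JSON string carrying a user agent) is assumed from Frank's query, and `kql_has` only approximates KQL's whole-term `has` semantics.

```python
import json
import re
from typing import Iterable

# Constructed sample telemetry shaped like Defender's DeviceNetworkEvents rows.
# Field names follow Frank's KQL; every value here is made up for this example.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe",
     "AdditionalFields": json.dumps({"user_agent": "Mozilla/5.0 (Windows NT 10.0)"})},
    {"DeviceName": "ws01", "RemotePort": 443, "InitiatingProcessFileName": "updater.exe",
     "AdditionalFields": json.dumps({"user_agent": "reqwest/0.11.27"})},
    {"DeviceName": "ws02", "RemotePort": 443, "InitiatingProcessFileName": "MSEDGE.EXE",
     "AdditionalFields": json.dumps({"user_agent": "reqwest/0.12.4"})},
    {"DeviceName": "ws02", "RemotePort": 80, "InitiatingProcessFileName": "svc.exe",
     "AdditionalFields": json.dumps({"user_agent": "reqwest/0.12.4"})},
    {"DeviceName": "ws03", "RemotePort": 443, "InitiatingProcessFileName": "x.exe",
     "AdditionalFields": json.dumps({"user_agent": "notreqwest-client"})},
]

# Processes excluded by Frank's `!in~` clause (compared case-insensitively).
BROWSERS = ("chrome.exe", "msedge.exe")


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive whole-term match, where terms are
    maximal runs of alphanumerics. 'reqwest/0.11.27' has 'reqwest';
    'notreqwest-client' does not (a plain substring check would flag it)."""
    tokens = re.findall(r"[A-Za-z0-9]+", text.lower())
    return term.lower() in tokens


def is_suspicious_callback(ev: dict) -> bool:
    """Frank's rule: TLS-port connection whose extra fields carry the reqwest
    user agent, initiated by something other than the browsers."""
    return (
        ev.get("RemotePort") == 443
        and kql_has(ev.get("AdditionalFields", ""), "reqwest")
        and ev.get("InitiatingProcessFileName", "").lower() not in BROWSERS
    )


def find_callbacks(events: Iterable[dict]) -> list[dict]:
    """Return the rows that match the rule, for analyst review."""
    return [ev for ev in events if is_suspicious_callback(ev)]


if __name__ == "__main__":
    for hit in find_callbacks(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["InitiatingProcessFileName"])
```

Legitimate Rust software also ships reqwest's default user agent, so in production this rule needs a tuned allowlist of known-good initiating processes rather than just the two browsers.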
