
MnuBot RAT

Posted: May 30, 2018

The MnuBot RAT is a banking Trojan that uses various methods to give criminals control over your PC so that they can hijack Web banking sessions to collect money and information. Risks associated with MnuBot RAT infections include keylogging (recording your keyboard input), screen captures and non-consensual reboots. Disconnect any infected PC from the Internet before having an anti-malware product uninstall the MnuBot RAT, and contact your bank for additional assistance, as necessary.

One Trojan's Non-Traditional Choice for Communications

Even after the attacks of finance-oriented threats like the Metamorfo Banking Trojan and file-ransoming ones like the Instalador Ransomware, Brazil isn't receiving any mercy from threat actors. Evidence initially caught by researchers at IBM confirms another Trojan campaign that's targeting Web-banking customers in that country. This Trojan, the MnuBot RAT, also includes highly invasive features that give the threat actor nearly indiscriminate control over an infected PC.

The MnuBot RAT is a Delphi-coded threat that runs in two parts. The first component creates a second desktop instance that it continually monitors for any windows related to accessing a banking website. When it finds one, it downloads an executable containing the Remote Access portion of the MnuBot RAT's features. The second file, however, requires frequent communication with a Command & Control server to perform most of its attacks. Consequently, malware experts recommend immediately disabling the Internet connection on any compromised machine.

Many of the MnuBot RAT's features are traditional for banking Trojans and backdoor Trojans alike and include intercepting Web-browsing data, creating in-browser overlays for soliciting more information from a victim, keylogging, screen-grabbing, and simulating the user's input. However, the MnuBot RAT makes the extremely unconventional choice of using Microsoft SQL databases for its C&C infrastructure, instead of a typical Web server or IRC channel. This feature could let the threat evade some security features that detect threatening activity by analyzing the PC's network communications.
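Because the C&C channel is a database connection rather than HTTP or IRC, one defensive check is to look for workstations opening SQL Server connections that they have no business making. The following is an added example, not taken from the original report or from any vendor tool: it assumes the default SQL Server ports (1433/tcp, 1434/udp), a hypothetical CSV connection log, and a hypothetical allowlist of legitimate client processes. All sample rows are constructed.

```python
import csv
import io
import ipaddress

# Default Microsoft SQL Server ports: 1433/tcp (TDS) and 1434/udp (SQL Browser).
# Assumption: the C&C database listens on a default port.
MSSQL_PORTS = {("tcp", 1433), ("udp", 1434)}
# Assumption: the only workstation processes expected to speak to SQL Server.
ALLOWED_CLIENTS = {"ssms.exe", "sqlcmd.exe"}
# Listed explicitly: ipaddress.is_private also matches documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: time,host,process,proto,dst_ip,dst_port
SAMPLE_LOG = """\
2018-05-30T10:01:02,WS-014,chrome.exe,tcp,203.0.113.10,443
2018-05-30T10:01:05,WS-014,unknown.exe,tcp,198.51.100.77,1433
2018-05-30T10:02:11,WS-022,ssms.exe,tcp,10.20.0.5,1433
2018-05-30T10:03:40,WS-022,sqlcmd.exe,tcp,198.51.100.77,1433
2018-05-30T10:04:09,WS-031,updater.exe,tcp,10.20.0.5,1433
2018-05-30T10:05:00,WS-031,not-a-row
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a bad address
    return any(addr in net for net in INTERNAL_NETS)

def find_sql_egress(log_text):
    """Return (findings, skipped_rows) for SQL Server traffic worth reviewing."""
    findings, skipped = [], 0
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        try:
            _ts, host, proc, proto, dst, port = row
            key = (proto.lower(), int(port))
            internal = is_internal(dst)
        except ValueError:  # wrong field count, bad port or bad address
            skipped += 1
            continue
        if key not in MSSQL_PORTS:
            continue
        known = proc.lower() in ALLOWED_CLIENTS
        if internal and known:
            continue  # expected: approved client talking to an internal server
        # External + unapproved process is the pattern described above.
        severity = "low" if internal else ("medium" if known else "high")
        findings.append((severity, host, proc, dst))
    return findings, skipped
```

Malformed rows are counted rather than silently dropped, so a gap in the log source is visible alongside the findings.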

Spotting a Fake Banking Request before It Does Damage

The MnuBot RAT features significant customization for both Brazilian PC users in general and the customers of specific banks in particular. Its overlays imitate the original site that they replace and may ask for additional confidential data, disguising the request as a new security measure. Malware experts also are finding well-developed anti-analysis features within the MnuBot RAT's samples, which use code-obfuscating encryption and keep many details isolated on their Command and Control servers.

While the MnuBot RAT specializes in collecting and exfiltrating Web-banking information, threat actors could use its features to exert other forms of control over your computer. The installation of other threats, the theft of non-banking or Web-browsing information, and the disabling of various security applications and features are some of the risks associated with an infection that has an active network connection. Unplug your PC from the router and disable wireless connections, as appropriate, before having an anti-malware program uninstall the MnuBot RAT.

By the time a victim sees a symptom of a MnuBot RAT infection, such as an unusual banking request, everything on their PC is already at risk. Stopping an innovative banking Trojan's campaign at its source, whether it's in Brazil, Japan, or the United States, can save any PC user both money and peace of mind.
