
Peeling back Banana RAT.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Tom Kellermann: We've been following some of the significant Brazilian cybercrime cartels for a while and SHADOW-WATER-063 is one of them. As a result, we recognize this as a very elegant payload which had the capacity to bypass bank security mechanisms as well as payment system mechanisms.
Dave Bittner: That's Tom Kellermann, VP of AI Security and Threat Research at Trend Micro. The research we're discussing today is titled, "Inside SHADOW-WATER-063's Banana RAT: From Build Server to Banking Fraud." [ Music ] Now, one of the things that caught my eye in this research, you know, most incident responders will see one side of an attack. In this case, you all recovered both the attacker infrastructure and the victim side of the malware. Is that -- is it unusual to have that breadth of view into something like this?
Tom Kellermann: Not any longer. In the last few years, we've invested heavily in our MDR and IR practice, which is global in nature as well, and so that complements our threat research community within Trend AI where we can cover both sides of the spectrum. That's one reason why we are partners with Interpol through the Fusion Center in Singapore.
Dave Bittner: Gotcha. Well, before we dig into some of the technical elements here, describe for us what exactly Banana RAT is and what they're up to.
Tom Kellermann: Well, what I found fascinating about SHADOW-WATER's payload here is that, you know, essentially, they targeted 16 Brazilian financial institutions and crypto exchanges with this. The lure came through WhatsApp. It would download a malicious batch file. It was polymorphic in nature, staged in delivery and in memory, and they had encrypted command and control. The malware used layer obfuscation techniques like AES wrapped payloads and fileless PowerShell, and it bypassed most EDR and MDR capabilities of some of the banks that weren't using our technologies. Most importantly, though, I'd say this: The RAT allowed for full remote fraud and surveillance of the victim, so real-time screen streaming, bank-aware overlay injection, QR Pix transaction manipulation, continuous logging to enable interactive credential theft, as well as proximity settings to pick up ambient noise. From the financial sector perspective, it underscores what I learned years ago when I was at the World Bank, which is the Brazilian cybercrime cartels are highly sophisticated because of a historical reason, which I find interesting, and I think it might be important for your audience to hear this. Brazil and Argentina went through hyperinflation back in the '80s and '90s. As a result, they moved to the American dollar, and the World Bank and IMF then began connecting those banks in Brazil like Bradesco and Itaú to the internet first. They were first movers in electronic finance, and as a result, Brazilian organized crime got into hacking because money was digital far earlier than many of the other Latin American countries' organized crime populations.
Dave Bittner: That's a really interesting insight. I was not aware of that detail. Let's dig into the attack itself. How does a victim first encounter this malware and what happens?
Tom Kellermann: So essentially, they would receive a phishing URL via WhatsApp or through traditional email. Immediately, the malware would operationalize through a payload generation and staged delivery in memory. What they would see would basically be a brand of the bank that they're using on their screen that said there was a security update that was needed in order to assure that their device and their banking transactions would be secure. Once they, essentially, clicked on that, they had full and complete control.
Dave Bittner: Can you describe for us what is the breadth of the control that they have here? What were the capabilities?
Tom Kellermann: Like I was describing, they have a banking-aware overlay injection. They can real-time screen stream everything that's being shown and visualized by the operator. They had QR and Pix transaction manipulation capabilities and advanced keylogging. I would say that of all the major cybercrime cartels hunting the financial sector, this is one of the better ones. Definitely in the top five, I'd say, in the world, is this SHADOW-WATER-063 group. The best ones, though, are definitely Russians, and we really should underscore that the majority of successful attacks against financial institutions are leveraged by a cadre of Russian cybercrime cartels like Void Rabisu, Laundry Bear, Evil Corp., and Void Balaur.
Dave Bittner: Well, let's talk about the server-side tooling here. What did you all discover about the attacker's infrastructure?
Tom Kellermann: Well, I thought it was interesting that their malicious C&C infrastructure is still active and publicly accessible over, you know, Port 80, exposing a number of endpoints used for payload staging. It was very much symbolic of the fact that this is a Brazilian cartel in nature. I would say that, once again, I've never seen such a sophisticated attack leveraged by these groups before because of the way that they obfuscated through memory injection. As well, they used different forms of encryption to essentially overlay and ensure that they had obfuscation payloads that were wrapped.
Dave Bittner: You describe a polymorphic build system. Can you describe for our listeners what that means?
Tom Kellermann: Yeah, the stages of attack were built literally from reconnaissance to delivery to lateral movement, not just in the obfuscation stages of lateral movement, but also in terms of bypassing traditional EDR technologies. We were very impressed, but I am concerned now because of the scourge of banking fraud that's occurring across South America and how that's increasing in nature, where you're seeing connective tissue between Brazilian cybercrime cartels and Russian cybercrime cartels. There's more and more collaboration and cooperation going on than I've ever seen before between these groups, which we didn't include in this report. We will be covering some of that in a Modern-Day Bank Heist Report that we'll be putting out later on this summer.
Dave Bittner: I guess, I mean, obviously, generating a unique payload for every victim really complicates detection efforts.
Tom Kellermann: It definitely does, and they've learned from the defensive countermeasures put in place by the financial institutions. I also thought it was intriguing that they were using WhatsApp as a delivery mechanism. I would say, in the long run, what can be done best here is that we really need to advance the nature of continuous threat hunting within banking infrastructure and that the large-scale payment systems of the world, especially in Brazil, need to pay much closer attention to how they're defending themselves from within. With AI and then the utility of AI by adversaries in today's world, it just allows them to automate and orchestrate campaigns in real time in a continuous fashion, as you well know. Everyone should just, kind of, view AI as a dormant command and control. If you're not securing your AI infrastructure, you should just assume that it's going to be compromised and used against you at some point.
Dave Bittner: Now, you described the analytics dashboard that the attackers were using here. What did that reveal about how these operators were managing their campaigns?
Tom Kellermann: Well, in a very distributed fashion, frankly, and what became most concerning to me was the nature in which that they continued to conduct secondary infections, which is going to be coming out in a secondary report. It really reminded me of the mechanisms and tactics used by Laundry Bear, if you're familiar, or Evil Corp back in the day.
Dave Bittner: Well, so I think a lot of folks think of malware as being automated. How much was this campaign automated or how much was driven by a remote human operator in real time?
Tom Kellermann: I think it was a blend of both, but what's concerning to me now is you're seeing that jailbreaking of LLMs to abuse them and misuse them is becoming more pernicious, and one thing that we're going to be revealing studies on soon is the fact that steganography is making a comeback in some of these communities. You're well aware of what steganography is, but the invisible prompt injections that can allow for steganography to be leveraged through, essentially, photos or video files are becoming more and more pernicious. It really doesn't allow for that secondary C2 to be on a sleep cycle. I think going forward, as a community, we need to start paying attention to two things: One of which is AI should always be considered, essentially, a C2 unless you're actively securing it. Then most importantly, that steganography and secondary forms of command and control that are on sleep cycles are the future, much like we saw in the past from an espionage level of attacks. Whether it was APT29, or Turla, who pioneered the use of steganography decades ago, I think that's becoming mainstream. I'd love to hear more from you. Have you actually interviewed anyone recently to discuss stego or the use of stego or how AI-enabled stego is becoming problematic? I would love to hear from them and their research as well.
Dave Bittner: Yeah, you know, I haven't spoken to anyone specifically, recently, about steganography, really, since we leapt into this new AI world. What I was thinking of as you were describing it was, actually, there was a story earlier this week about some folks who were hiding their command and control in ASCII art of all things.
Tom Kellermann: That's brilliant.
Dave Bittner: Yeah, right?
Tom Kellermann: If I may, that's sexy. That's what I'm talking about.
Dave Bittner: Yeah, it's kind of retro, right?
Tom Kellermann: It's retro, but it works. No, it's definitely quite interesting, and, you know, the banks, in general, are also being challenged by the fact that, you know, authorization and two-factor authentication are being bypassed by deepfake technology. In the upcoming Modern Day Bank Heist Study that we're going to be releasing in August, we're really looking at trends of deeper forms of e-fraud, fraud that hasn't really been appreciated before. As you and I both know, the most valuable information in a financial institution isn't necessarily the wire transfer fraud. It's the non-public market information, so we're trying to get our heads around whether or not you're seeing a trend of digital front-running. You know, attacks that are meant to steal material non-public market information or even manipulate that information. One thing that was discovered years ago that a number of us in the financial sector noticed, which I think is going to become more pronounced this year, is the construct of shoxing. "Shoxing" is when you literally -- you hack a financial institution. You maintain persistence in those systems. You basically then short their stock, and then you dox their non-public market material information to the regulators about a week later and then to the press. [ Music ]
Dave Bittner: We'll be right back. [ Music ]
Tom Kellermann: So you're shorting and doxing. I think different forms of market manipulation, because of these advanced forms of persistence, as illustrated by Banana RAT and others, this type of RAT could be used for a multitude of things that go far beyond just wire transfer fraud. That's what's concerning here. I think the lesson learned here is that: a) Please don't underestimate the cybercrime cartels of Latin America, particularly the Brazilian ones. And b) what else can be done with that level of persistence from a financial fraud perspective, a market manipulation perspective, or even an "island hopping" -- as I would call it -- perspective where the institution itself, the infrastructure, is now being used to attack their customers and constituency? That has already been realized in Brazil previously, where one of their major payment systems was compromised by a group that I'm not going to name here on this interview. That payment system was then, in turn, used to attack customers' and institutions throughout Brazil. That's how significant this type of community is. When you start thinking about the access brokerage market, right, the access miners of the world, sharing, selling, and manipulating that access to people who do understand the financial sector and the interdependencies therein, that becomes quite interesting as well. I hope to be able to speak to you when my report comes out, but we're doing a deep dive of both interviews with 50 CISOs in the financial sector, but also, our own Threat Research to understand exactly what's going on. Our Threat Research is going to focus on what we consider to be the top-tier cybercrime cartels, but also, more importantly, much like we're discussing today, the forms of persistence that have evolved because of AI, much like, you know, Banana RAT and stego, as we discussed.
Dave Bittner: Well, Tom, just so I'm clear here, where do you place Brazil in terms of being on the leading edge of these sorts of threats? In other words, you mentioned how Brazil, by necessity, due to their inflation situation, was ahead of the game than most of the world. Is that true today, or are they a canary in the coal mine, if you will?
Tom Kellermann: Great question. I forgot one part of that story that I should have shared. When the country moved to the dollar and also migrated to electronic finance first in Latin America because of the World Bank and IMF, they also gave out laptops to all the children in schools, laptops they couldn't take home, but laptops they could use at schools. So they're dealing with hyperinflation, right? They've got e-finance. All these kids are learning computer science in schools much quicker than their neighboring countries. So you've basically created a population that has skills but didn't have any gainful opportunities and legitimate jobs to go to. That's when the burgeoning cybercrime economy of Brazil began, back in the early 2000s. I would put this group, specifically this group, as, like, the number six, I would say, of a cybercrime cartel that is specifically targeting the financial sector. Again, I just want to be specific for the financial sector. The other top players are Void Rabisu, Laundry Bear, Void Balaur, and Evil Corp, all of which who are Russian. They've always been the best, but don't count the Brazilians out. We're doing a lot of research there since we're the largest security vendor in Latin America, and we're really trying to tie that knot, to really look at the entire cognitive attack loop, as I'll call it, from MDR, through IR, through threat intelligence, to see both ends of the attack. That's why I'm privileged to be able to speak to you today, but I would demand more from all of us in the community to start looking for that C2 on a sleep cycle and remember that these types of RATs, they could just be a hearkening of what's to come.
Dave Bittner: The report spends a good amount of time discussing Pix QR code interception. I think that might be a new term for folks outside of Brazil. Can you explain to us what Pix is and why it was an important element here?
Tom Kellermann: Pix, for them, it's a way of conducting transactions through their wire transfer payment systems. It's important if you attempt to actually infiltrate their wire transfer systems in Brazil. I think much more needs to be done by SWIFT and other entities that govern the security standards of wire transfer systems around the world in improving their level of security and understanding these types of threat dynamics. I am hoping that at the FS-ISAC conference that's coming up in October, is it, in Austin, that much more attention is being paid to some of these nuanced issues. I would just -- again, this highlights the knowledge that this group, that this crew, that this cybercrime cartel, SHADOW-WATER-063, already has of the interdependencies in the financial sector. You can't assume your adversaries don't really understand your business. You have to presume that security through obscurity is over, and I think AI enhances the level of reconnaissance and capabilities of even miscreants that are ignorant to the industry. They can easily, easily get spun up on any form of business and any form of transaction patterns.
Dave Bittner: Well, let's talk about SHADOW-WATER-063. What was the evidence that led you to associate that operation with Brazilian Portuguese-speaking operators?
Tom Kellermann: The social engineering scripts were a near-verbatim match for the real language used by different campaigns that we've seen leveraged by these groups; the command and control infrastructure itself; the knowledge that they had of the Brazilian financial sector; the specific campaign domain that they use, "Convite Mundial 2026," and just some of the TTPs, as illustrated, that they had used before. I mean, there are only a handful of groups in Brazil that are operating at this level. I would say, in Latin America, the other significant cybercrime crews are more than likely based in Colombia and Mexico. Sometimes it's hard to tell because of the Spanish-speaking community, but I think it's easier with the Portuguese community to understand where they're coming from.
Dave Bittner: Yeah, well, I mean, I think at the end of the day, ultimately, the folks out there who are doing the blocking and tackling want to know how do I defend against this? You know, that's most important for them to do their job. Then I think secondary to that, or perhaps lateral to that, is the inner workings of it, so that they can better understand it and then apply that knowledge more broadly as perspective, as insight, into the greater ecosystem of what's going on and try to inform their larger, broader defense. Does that make sense?
Tom Kellermann: Yeah, I'd say, like, from a larger, broader defense, I'd say based on all of the different myriad of actors that we've been studying here at Trend AI, there's really five things that are necessary in 2026. They're quintessentially important. One is, I'd say, you've got baseline detections for AI tells like emoji and binary strings or foreign slang and English content.
Dave Bittner: Em dashes.
Tom Kellermann: You really need to embrace virtual patching now because there's no way you're going to be able to wait for all the patches to come out, given the velocity and the surge of zero days out there. I think attack path mapping needs to be conducted regularly internally, but also, when you view your attack paths, you should be looking at your attack paths in a bidirectional flow, right? If an adversary had a footprint or a hold within your system, how could they leverage your infrastructure to attack your constituency? That is the worst-case scenario, and most of these cybercrime cartels, that's exactly what their goal is. It's one thing to break into your house, but if I can break into your house and then hit all your neighbor's houses like that show -- what's it called, Friends and Neighbors -- it'll work perfectly. That's joking but not joking. So yeah, you've got to threat hunt continuously. Can you use AI to enhance threat hunting for a myriad of behavioral anomalies in the infrastructure? I mean, just assume compromise. Then lastly, like, kind of treat all AI agents as a C2 channel until you've learned how to create a governance structure that's adequate, until you can put some guard rails on it. I would say those are my top five takeaways for the landscape that we're in now. You know, in the end, we have an entire site, trendaisecurity.com. We have an entire section on our site with updated intelligence reports, with the telemetry of the latest attacks and best practices to defend, even if you're not a customer of ours. You can essentially go view, download or however you want to scrape it, on a daily basis. I literally -- I think we have at least 15 to 18 different studies coming out on a weekly basis on different threat actor groups and unique new campaigns aside from, you know, the thousands of payloads and vulnerabilities that are released every day. Consider us, you know, a good Samaritan here and we're trying to give back, so that's why I'm grateful to speak to you.
Dave Bittner: Yeah, for sure. Well, looking specifically at this campaign, what's your advice to defenders to disrupt an operation like this?
Tom Kellermann: Wow. You know, I mean, at this point, the telemetry is already out there and, you know, the IOC associated with this RAT. Update your capabilities to defend against this group. Presume WhatsApp communications are compromised. I would really recommend people move off of WhatsApp. In general, be able to filter in a better fashion. Conduct more threat hunting if you presume you might've been compromised. If you're operating in Brazil as a major corporation or have a subsidiary there, expect groups like this to target you with this type of unique payload and/or RAT infrastructure. Do a much better job in your business as it relates to a reverse business email compromise, but not business compromise, not a traditional BEC, but our BEC, where you actually might be compromised from within the account of the person who has the authority to transfer funds within your organization CFO or deputy CFO or whomever. That person's account is already compromised. You should have secondary forms of out-of-band verification for that. When it comes to stego, and I think where stego is going, because I do think even though it's not being used in this attack, it is a harbinger of how stego is going to be used quickly and in new forms of RATs, invisible prompt injections. Do you have the capacity to, you know, essentially prevent prompt injection at the network level, and can you ascertain whether or not that's occurred? From a two-factor authentication perspective, and then just an authorization perspective, do you have the capacity to have deepfake identification via computer vision algorithms? That's where this is also going next, as we see it in today's world. Do you have query generation assistance for your XDR or whatever platform or SIEM that you're using to help your security analysts move faster, react faster? It really bothers me as a former threat hunter and security analyst with the World Bank back in the day, when it happens, especially with the world of AI where it's faster and more powerful, do you really have the time to figure out what prompt you should be using to understand the TTPs and IOCs in real time? Wouldn't it be great if you had AI assisting you in conducting the investigation of that threat? Then I would really stress this, and however it sounds, it sounds: Make sure that whoever you're doing business with truly has global threat intelligence. You can't live on an island out here. You know, the world is global. The greatest threat actors in cyber are overseas. They are hunting entire industries. They specialize in specific industries, and threats to one industry can spread through that industry in a systemic fashion, as we will depict and describe in the Modern Bank Heist Report. [ Music ]
Dave Bittner: Our thanks to Tom Kellermann from Trend Micro for joining us. The research is titled, "Inside SHADOW-WATER-063's Banana RAT: From Build Server to Banking Fraud." We'll have a link in the show notes. That's research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cyber security. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Tré Hester. Our Executive Producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]
