Listen to this Post
Introduction:
The Janela Remote Access Trojan (RAT) has re-emerged in a sophisticated new campaign leveraging deceptive MSI installers and malicious browser extensions to exfiltrate sensitive data from compromised systems. This hybrid attack vector combines social engineering (fake software updates) with persistent browser-level hooks, enabling attackers to bypass traditional endpoint detection and maintain stealthy access to credentials, cookies, and financial data. Security analysts have observed a surge in distribution via malvertising and compromised legitimate download portals.
Learning Objectives:
- Detect and analyze malicious MSI installers masquerading as legitimate software updates using forensic tools and signature analysis.
- Identify malicious browser extensions by inspecting manifest files, network behavior, and permission abuse.
- Implement mitigation strategies including Windows/Linux command-line defense, group policies, and browser hardening.
You Should Know:
- Analyzing Fake MSI Installers – Step-by-Step Forensic Guide
Malicious MSI files often contain obfuscated PowerShell scripts, scheduled tasks, or binary payloads that drop Janela RAT. Below are verified commands for static and dynamic analysis.
Linux (using `msitools` and `binwalk`):
Install MSI analysis tools sudo apt install msitools binwalk foremost Extract MSI contents without executing msiextract suspicious_installer.msi -C ./msi_extracted/ Recursively scan for embedded executables or scripts binwalk -e suspicious_installer.msi Search for PowerShell commands inside MSI tables msiinfo -x suspicious_installer.msi | grep -i "powershell|invoke|download" Check for digital signature validity sigcheck -a suspicious_installer.msi Windows tool, but use osslsigncode on Linux osslsigncode verify suspicious_installer.msi
Windows (PowerShell as Admin):
Extract MSI using lessmsi (install via chocolatey)
choco install lessmsi
lessmsi x suspicious_installer.msi C:\ExtractedMSI
Check MSI properties and custom actions
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "suspicious"} Avoid; triggers install
Safer: Use Orca.exe or SuperOrca to view tables
Download SuperOrca from Microsoft SDK, then:
SuperOrca.exe suspicious_installer.msi
Find encoded commands in MSI binary streams
Get-ChildItem -Recurse C:\ExtractedMSI | Select-String -Pattern "powershell -E|cmd /c|regsvr32"
Mitigation:
- Block unsigned MSI installers via AppLocker or Software Restriction Policies.
- Enable Windows Defender ASR rule: “Block executable files from running unless they meet prevalence, age, or trusted list criteria”.
- Detecting Malicious Browser Extensions – Chrome & Edge Hardening
Janela RAT uses extensions that request tabs, cookies, webRequest, storage, and `
Step-by-step detection and removal:
Linux (check Chromium-based extensions):
List all installed extensions with IDs ls ~/.config/google-chrome/Default/Extensions/ Inspect each extension's manifest.json for ext in ~/.config/google-chrome/Default/Extensions///manifest.json; do echo "=== $ext ===" jq -r '.name, .version, .permissions[]?' "$ext" 2>/dev/null done Check for externally controlled update URLs grep -r "update_url" ~/.config/google-chrome/Default/Extensions/
Windows (PowerShell):
Enumerate all Chrome extensions
Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions\" -Directory | ForEach-Object {
$manifest = "$($<em>.FullName)\manifest.json" | Resolve-Path | Select-Object -First 1
if (Test-Path $manifest) {
$json = Get-Content $manifest -Raw | ConvertFrom-Json
[bash]@{
ExtensionID = $</em>.Name
Name = $json.name
Permissions = $json.permissions -join ", "
UpdateURL = $json.update_url
}
}
}
Block extensions via Group Policy (Chrome ADMX templates)
Set policy: "Configure extension installation blocklist" with value "" to block all, then allowlist known safe.
Browser hardening (cross-platform):
- Force extension install whitelist via enterprise policy: `ExtensionInstallBlocklist` and
ExtensionInstallAllowlist. - Disable developer mode extensions to prevent side-loading.
- Use `chrome://extensions/?id=
` to view detailed permissions.
3. Network Forensics for Janela RAT C2 Communication
Janela RAT typically uses HTTPS with custom headers, WebSocket, or DNS tunneling. Below are commands to capture and analyze traffic.
Linux (tcpdump + Zeek/Suricata):
Capture traffic to/from suspicious process (first find PID)
sudo tcpdump -i eth0 -s 0 -w janela_capture.pcap
Extract DNS queries that may indicate DGA (domain generation algorithm)
tshark -r janela_capture.pcap -Y "dns.qry.name matches \"[a-z0-9]{5,}.xyz|.club\"" -T fields -e dns.qry.name
Detect Beaconing patterns using RITA (https://github.com/activecm/rita)
rita import --config /etc/rita/config.yaml janela_capture.pcap janela_analysis
rita show-beacons janela_analysis
Suricata rule to detect Janela known indicators (example)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Janela RAT C2 Check-in"; http.user_agent; content:"Mozilla/5.0 (Windows NT"; http.uri; content:"/update/check"; pcre:"/.php\?id=[A-F0-9]{32}/i"; sid:1000001; rev:1;)
Windows (using Sysmon + Wireshark):
Install Sysmon with config to log network connections
sysmon64 -accepteula -i sysmonconfig.xml Use SwiftOnSecurity's config
Query event logs for connections from non-browser processes to suspicious IPs
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; ID=3} | Where-Object {
$_.Message -match "Image:.\temp\|DestinationIp: 185.\d+.\d+.\d+"
}
Extract PowerShell-based C2 callbacks from event logs
Get-WinEvent -FilterHashtable @{LogName="Windows PowerShell"} | Select-String "Invoke-WebRequest|Net.WebClient"
- Cloud Hardening Against Credential Theft via Browser Extensions
Malicious extensions steal AWS, Azure, and GCP console cookies. Implement these controls:
AWS (GuardDuty + SCPs):
Enable GuardDuty to detect unusual API calls from new geolocations
aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES
Create SCP to block console access from non-corporate IPs (example policy)
aws organizations create-policy --name "RestrictConsole" --content '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "sts:AssumeRole",
"Resource": "",
"Condition": {"NotIpAddress": {"aws:SourceIp": ["192.168.0.0/16"]}}
}]
}'
Rotate all IAM keys after suspected compromise
aws iam list-users --query 'Users[].UserName' --output text | xargs -n1 aws iam create-access-key --user-name
Azure (Conditional Access + MFA):
Force token protection and session binding to device
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxTokenLifeTime":"0.10:00:00"}}') -DisplayName "ShortLivedTokens"
Block legacy authentication (often used by stolen tokens)
$CaPolicy = New-AzureADMSConditionalAccessPolicy -DisplayName "Block Legacy Auth" -State "enabled" -GrantControls @{BuiltInControl="block"} -Conditions @{ClientAppTypes=@("exchangeActiveSync","other")}
- Vulnerability Exploitation & Mitigation – Janela RAT Persistence
Janela maintains persistence via scheduled tasks, WMI event subscriptions, and registry run keys.
Linux (if cross-compiled or using Wine):
Check for malicious crontab entries crontab -l -u $USER | grep -v "^" sudo cat /etc/crontab /etc/cron./ Audit systemd timers systemctl list-timers --all --no-pager
Windows (persistence removal):
Enumerate scheduled tasks created within last 7 days
Get-ScheduledTask | Where-Object {$<em>.Date -gt (Get-Date).AddDays(-7)} | ForEach-Object {
schtasks /query /tn $</em>.TaskName /xml | Select-String "Exec|Command"
}
Remove WMI event consumer persistence
Get-WmiObject -Namespace root\subscription -Class __EventFilter | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer | Remove-WmiObject
List all startup registry entries
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Mitigation commands (disable WMI script consumers):
Restrict WMI script execution to only Administrators wmic /namespace:\root\subscription path __FilterToConsumerBinding delete Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Wbem" -Name "Scripting" -Value 0
- API Security – Preventing Token Exfiltration by Malicious Extensions
Janela RAT’s browser extension can read `Authorization` headers. Implement API gateway policies to detect anomalies.
Example Nginx API gateway rate-limiting + JWT fingerprinting:
Limit requests per user-agent + IP combination
limit_req_zone $http_user_agent$binary_remote_addr zone=api_zone:10m rate=10r/s;
Add custom header with browser fingerprint (generated on client side)
location /api/ {
limit_req zone=api_zone burst=20 nodelay;
proxy_set_header X-Browser-Fingerprint $http_x_fingerprint;
proxy_pass https://backend;
}
API validation script (Python + Flask middleware):
import hashlib, hmac
from flask import request, abort
def validate_token_binding():
auth_header = request.headers.get('Authorization')
user_agent = request.headers.get('User-Agent')
Check if token is bound to original UA (store during login)
stored_hmac = redis.get(f"token:{auth_header}")
computed = hmac.new(b'secret', user_agent.encode(), hashlib.sha256).hexdigest()
if not hmac.compare_digest(computed, stored_hmac):
abort(401, "Token binding mismatch - possible extension exfiltration")
- Training Course Module – Building a Janela RAT Detection Lab
Create an isolated environment to safely analyze the malware:
Using Vagrant + VirtualBox:
Vagrantfile for Windows 10 VM
Vagrant.configure("2") do |config|
config.vm.box = "gusztavvargadr/windows-10"
config.vm.network "private_network", type: "dhcp"
config.vm.provision "shell", inline: <<-SHELL
Set-MpPreference -DisableRealtimeMonitoring $true
Set-ExecutionPolicy Unrestricted -Force
Install FlareVM tools for analysis
choco install -y flare-vm
SHELL
end
Network isolation (Linux host):
Create isolated NAT network with no outbound except to C2 sinkhole sudo ip link add name iso_br0 type bridge sudo ip addr add 10.0.99.1/24 dev iso_br0 sudo iptables -A FORWARD -i iso_br0 -j DROP block internet sudo iptables -A FORWARD -i iso_br0 -d 185.130.5.253 -j ACCEPT allow fake C2 sinkhole
What Undercode Say:
- Fake MSI installers are now the 1 delivery vector for RATs – always verify digital signatures and use `msiexec /quiet /lv log.txt` to audit installation actions.
- Browser extensions pose a blind spot for most EDR solutions – implement extension allowlisting via GPO and regularly audit permissions, especially `cookies` and `tabs` access.
- Token binding and short-lived sessions are non-negotiable – even if a malicious extension steals an OAuth token, binding it to the original user agent prevents replay.
The Janela RAT campaign exemplifies how attackers blend social engineering (fake MSI installers) with browser-level persistence to evade traditional antivirus. Defenders must adopt a multi-layered approach: block unsigned MSI execution, enforce extension whitelists, and deploy network beacon detection. The use of WMI event consumers as persistence (common in Janela variants) requires endpoint hardening scripts that monitor WMI namespace changes. As remote access trojans evolve to abuse legitimate Windows features, organizations should prioritize threat hunting for anomalous scheduled tasks and browser storage modifications.
Prediction:
Within the next 12 months, we will see Janela RAT and similar threats adopt AI-generated browser extensions that dynamically alter their permissions and code based on the victim’s browsing context, making static detection obsolete. Attackers will also leverage WebAssembly to hide C2 traffic inside WebSocket connections masquerading as legitimate gaming or streaming protocols. Defenders will shift toward behavioral analysis using browser-native security APIs (Chrome Extension Manifest V3) and forced enterprise-wide token binding across all SaaS platforms. The MSI installer vector will be countered by Microsoft introducing “Smart MSI” with cloud-based reputation scoring, similar to SmartScreen for executables.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Tushar Subhra – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
