RUST-BASED VENON is a banking malware targeting Brazilian users and designed to infect Windows systems, according to Brazilian cybersecurity company ZenoX, which identified it. It is reported to target 33 financial institutions and digital asset platforms, using credential-stealing overlays and banking-overlay logic, with behaviours aligned to regional trojans such as Grandoreiro, Mekotio, and Coyote.
The malware, first discovered last month, is distributed via a DLL side-loading infection chain and is said to rely on social engineering ploys such as ClickFix to lure victims into downloading a ZIP archive containing the payloads, which are delivered through a PowerShell script. It performs nine evasion techniques, including anti-sandbox checks and AMSI bypass, then contacts a Google Cloud Storage URL to fetch its configuration, installs a scheduled task, and establishes a WebSocket connection to its C2 server.
Two Visual Basic Script blocks in the DLL implement a shortcut hijacking mechanism targeting the Itaú banking application: legitimate shortcuts are replaced with tampered versions that steer users to a malicious web page. The threat actor can also uninstall the changes to cover their tracks. Paths in the artefact point to a byst4 user name on a Windows machine.
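A defender-side check for the shortcut tampering described above, added here as an example and not code from ZenoX or the report: it sweeps user-writable shortcut locations and flags .lnk files whose target is a script host, whose arguments carry a URL, or whose target no longer exists. The folder list, the script-host list and the `Ita*` name filter are assumptions to adjust for the environment.

```powershell
# Added example (not from the report): audit .lnk files for the kind of
# redirection the shortcut-hijack VBS performs. Run as the affected user.
function Find-SuspiciousShortcut {
    param(
        # Assumed sweep list: shortcut folders a user-level trojan can rewrite
        [string[]]$Paths = @(
            [Environment]::GetFolderPath('Desktop'),
            "$env:PUBLIC\Desktop",
            "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
        ),
        # Optional name filter, e.g. 'Ita*' to focus on the banking app shortcut
        [string]$NameLike = '*'
    )
    # Interpreters a legitimate application shortcut should not point at
    $scriptHosts = 'wscript.exe','cscript.exe','mshta.exe','powershell.exe',
                   'pwsh.exe','cmd.exe','rundll32.exe','regsvr32.exe'
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in ($Paths | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
          Where-Object { $_.BaseName -like $NameLike } |
          ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $exe = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
            $reasons = @()
            if ($scriptHosts -contains $exe) { $reasons += "target is script host $exe" }
            if ($lnk.Arguments -match 'https?://') { $reasons += 'URL in arguments' }
            if ($lnk.TargetPath -and -not (Test-Path $lnk.TargetPath)) { $reasons += 'target missing' }
            # A browser launched with arguments is the classic redirect to a phishing page
            if ($exe -match '^(chrome|msedge|firefox|iexplore)\.exe$' -and $lnk.Arguments) {
                $reasons += 'browser launched with arguments'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Modified  = $_.LastWriteTime
                    Reasons   = ($reasons -join '; ')
                }
            }
          }
    }
}
Find-SuspiciousShortcut | Format-Table -AutoSize
```

The Modified timestamp is worth comparing against the scheduled-task creation time when triaging a hit.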