VENON: the first Brazilian banking malware written in Rust, combining AI, evasion and shortcut hijacking


Security researchers have identified a new banking malware family targeting users in Brazil that, for the first time in this ecosystem, is written in Rust. The Brazilian firm ZenoX analysed the sample and named it VENON; its report notes that, although the language is different, the code's behaviour recalls banking trojans already known in the region, such as Grandoreiro, Mekotio or Coyote: it incorporates window-overlay logic, active application monitoring and a technique for hijacking system shortcuts.

What makes VENON particularly striking is not only the use of Rust, a modern language that is uncommon in this type of threat, but also the combination of advanced development practices with signs of reuse or rewriting assisted by artificial intelligence tools. ZenoX points to patterns in the structure of the code suggesting that the author is well acquainted with the capabilities of Latin American banking malware and used automatic code generation to adapt and extend those features in Rust. The full analysis is available in ZenoX's technical report: https://zenox.ai/en/venon-the-first-brazilian-banker-rat-in-rust/.

Image generated with AI.

The discovered binary also contains traces of the development machine itself: early versions expose full Windows paths that repeatedly reference the user "byst4" (for example, "C:\Users\byst4\..."), a forensic detail that can help analysts understand the origin and evolution of the malicious project.

The infection chain described by the researchers is complex and combines social engineering with persistence techniques. The attackers appear to distribute a ZIP containing a PowerShell script through fake "fix it" prompts (ClickFix) and exploit DLL side-loading to load a malicious library into the system. Before performing harmful actions, the component carries out multiple evasion measures, including anti-sandbox checks, indirect system calls and methods to bypass ETW and AMSI, to hinder detection during dynamic analysis. To understand why these defences matter, see Microsoft's technical documentation on these mechanisms: AMSI, ETW, and DLL search and loading on Windows (Dynamic-Link Library Search Order).

Once activated, VENON contacts resources hosted in Google Cloud Storage to download a configuration, installs a scheduled task and establishes a WebSocket connection to its command-and-control server, which lets it receive orders and update its behaviour in real time. The choice of cloud infrastructure to store configurations and binaries is not new, but it makes it easier for attackers to maintain control and flexibility without deploying their own, more visible servers; Google Cloud's documentation describes these services: Google Cloud Storage.

The DLL analysis also surfaced two Visual Basic Script fragments that implement a very specific mechanism: replacing the legitimate shortcuts to the Itaú bank application with manipulated versions that redirect the user to pages controlled by the attacker. This method, which operates at the desktop level to intercept the user's usual route into the bank, also includes an uninstall routine that can restore the original shortcuts, suggesting that the operators want to retain remote control over the visibility of the intrusion and cover their tracks when it suits them.
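As an added defender-side example (not code from ZenoX's report or from the malware), the following PowerShell script audits .lnk shortcuts on user desktops and the Start Menu for the kind of tampering described above: a target that resolves to a script host, arguments that embed a URL or a script file, or a target living in a user-writable directory. The script-host list and the folder list are assumptions for illustration and should be tuned to the environment.

```powershell
# Added example: audit desktop shortcuts for hijack indicators (not from the ZenoX report).
# Assumption: these lists are illustrative; tune them to the environment.
$ScriptHosts = @('wscript.exe','cscript.exe','mshta.exe','powershell.exe','pwsh.exe','cmd.exe','rundll32.exe')
$ShortcutDirs = @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
                  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs")
$Shell = New-Object -ComObject WScript.Shell

function Test-SuspiciousShortcut {
    param([Parameter(Mandatory)][string]$Path)
    # CreateShortcut on an existing .lnk returns its current properties without modifying it
    $lnk = $Shell.CreateShortcut($Path)
    $targetName = ([System.IO.Path]::GetFileName([string]$lnk.TargetPath)).ToLowerInvariant()
    $reasons = @()
    if ($ScriptHosts -contains $targetName) { $reasons += "target is script host '$targetName'" }
    if ($lnk.Arguments -match 'https?://') { $reasons += 'arguments embed a URL' }
    if ($lnk.Arguments -match '\.(vbs|js|ps1|hta)\b') { $reasons += 'arguments reference a script file' }
    if ($lnk.TargetPath -match '\\(AppData|Temp|ProgramData|Public)\\') { $reasons += 'target lives in a user-writable directory' }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Shortcut  = $Path
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
        Reasons   = ($reasons -join '; ')
    }
}

$findings = Get-ChildItem -Path $ShortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousShortcut -Path $_.FullName } |
    Where-Object { $_ -ne $null }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious shortcuts found.' }
```

Comparing the findings against a baseline taken from a clean image turns this from a one-off triage into a change check that would catch the swap-and-restore behaviour the report describes.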

In its configuration, VENON is set up to monitor window titles and active domains in the browser, and to activate its theft module only when it detects one of the 33 financial institutions or digital asset platforms on its target list. It then launches fraudulent overlays that mimic the interface of the legitimate service to capture credentials and sensitive data from victims.

The appearance of VENON coincides with another worrying trend in Brazil: the use of WhatsApp as a distribution vector. Recent campaigns have abused already authenticated WhatsApp Web sessions to spread a worm called SORVEPOTEL, which sends malicious messages to the compromised account's contacts and chains the delivery of payloads such as Maverick, Casbaneiro or Astaroth. The Blackpoint Cyber lab detailed how a single interaction through a hijacked session could lead to the in-memory execution of implants such as Astaroth, showing that the combination of local automation and browser control gives attackers a very permissive environment: https://blackpointcyber.com/blog/Whatsapp-worm-sorvepotel-astaroth-malware/.


What underlies these two stories is a change in how threats are built and distributed: languages less common in malware, such as Rust, and assistance from code-generation tools are lowering the technical barrier to assembling sophisticated families, while established social vectors, such as WhatsApp, remain the preferred channel for reaching victims with an appearance of trust. The result is an ecosystem where social engineering and technology combine to maximise the effectiveness of fraud.

For users and security teams, the basic recommendations remain relevant and practical: distrust links and compressed files received through messaging, avoid running unverified scripts, keep systems and antivirus up to date, and restrict the use of tools that allow automatic code execution. Organisations should monitor for anomalous activity involving scheduled tasks, outbound connections to cloud services and modifications to sensitive shortcuts, and implement controls on the execution of PowerShell and other interpreters. Microsoft's guidance on AMSI and ETW, together with its Windows management best-practice documentation, is a good starting point for understanding and mitigating these techniques.
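To make the scheduled-task recommendation concrete, here is an added PowerShell review script (not from ZenoX or Microsoft) that lists tasks whose action runs a script host, references a user-writable path, or passes encoded, hidden or URL-bearing arguments, and sorts them by registration date so recently added persistence stands out. The script-host list and the path pattern are assumptions to be tuned per environment.

```powershell
# Added example: review scheduled tasks for persistence patterns like the one VENON uses
# (not code from the ZenoX report). Run in an elevated PowerShell session to see all tasks.
$ScriptHosts = @('wscript.exe','cscript.exe','mshta.exe','powershell.exe','pwsh.exe','cmd.exe','rundll32.exe','regsvr32.exe')
$UserWritable = '\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Public)\\'   # assumption: tune to the environment

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM handler actions are skipped
            if (-not $action.Execute) { continue }
            $exe = ([System.IO.Path]::GetFileName([string]$action.Execute)).ToLowerInvariant()
            $reasons = @()
            if ($ScriptHosts -contains $exe) { $reasons += "runs script host '$exe'" }
            if ($action.Execute -match $UserWritable -or $action.Arguments -match $UserWritable) {
                $reasons += 'references a user-writable path'
            }
            if ($action.Arguments -match '(?i)-enc|hidden|bypass|https?://') {
                $reasons += 'arguments use encoding, a hidden window, a policy bypass or a URL'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Task       = "$($task.TaskPath)$($task.TaskName)"
                    Author     = $task.Author
                    Registered = $task.Date
                    Execute    = $action.Execute
                    Arguments  = $action.Arguments
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Sort-Object Registered -Descending | Format-Table -AutoSize
```

Pairing this review with Security log event 4698 (task created) and Sysmon network events for outbound connections to storage.googleapis.com covers the other two indicators the paragraph above lists.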

VENON is a reminder that threats evolve: languages change, evasions are refined and automated tools are combined with old social tricks. Defence requires both technical controls and user awareness, because in many attacks the human link is still the one that ends up opening the door.
