Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud

What Happened

Cybercriminals are using a new banking trojan called Banana RAT to target customers of Brazilian banks and cryptocurrency exchanges. Victims are tricked into downloading a malicious file, often disguised as an electronic invoice, which secretly installs the malware. Once installed, the attackers can monitor the victim's screen, record keystrokes, and intercept instant payments (Pix) by displaying fake security update screens. Organizations and users should be cautious of unexpected downloads and fake banking overlays, and ensure their security software is up to date.

Key Takeaways

• Banana RAT is a banking trojan targeting Brazilian financial institutions, attributed to the threat cluster SHADOW-WATER-063.
• The attack chain features a polymorphic payload generation server that delivers unique, AES-wrapped payloads to evade hash-based detection.
• Execution is primarily fileless, utilizing PowerShell to compile C# DLLs in memory for keylogging, screen streaming, and remote input control.
• The malware includes a specialized Pix QR code interception subsystem to manipulate instant payments.
• Persistence is achieved via hidden scheduled tasks that execute the payload with bypassed execution policies.

Affected Systems

• Windows OS
• Brazilian financial institutions
• Brazilian-localized cryptocurrency exchanges

Attack Chain

The attack begins with a victim downloading a malicious batch file (Consultar_NF-e.bat) disguised as an electronic invoice. Upon execution, the batch file uses PowerShell to download a stager, which subsequently fetches a polymorphic, AES-encrypted payload (payload.php) from a separate server. This payload is decrypted and executed entirely in memory, where it dynamically compiles C# DLLs to enable keylogging, screen streaming, and remote input control. The malware establishes persistence via a hidden scheduled task and communicates with a C2 server to facilitate operator-driven financial fraud, including the interception of Pix QR codes via deceptive banking overlays.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: Yes
• Platforms: Trend Micro Vision One

The article provides proprietary hunting queries designed for the Trend Micro Vision One platform to detect Banana RAT activity, payload drops, and masqueraded file paths.

Detection Engineering Assessment

EDR Visibility: High — The malware relies heavily on PowerShell execution, in-memory .NET compilation (csc.exe), and scheduled task creation, all of which are highly visible to modern EDR sensors. Network Visibility: Medium — While the initial staging is over HTTP, the primary C2 communication uses a custom binary protocol over TCP/443 with AES-256 encryption, making deep packet inspection difficult without TLS decryption or specific protocol profiling. Detection Difficulty: Moderate — The server-side polymorphism defeats hash-based detection, and the fileless execution of the core payload evades traditional AV. However, the behavioral footprint (PowerShell compiling C#, scheduled tasks running hidden PowerShell) provides solid detection opportunities.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• PowerShell Script Block Logging (Event ID 4104)
• Scheduled Task Creation (Event ID 4698)
• File Creation (Event ID 11)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Consider hunting for PowerShell processes executing with hidden window styles and bypass execution policies, especially those reading content directly from anomalous text files in public or diagnostic directories.	Process Creation, Command Line Execution	Execution	Low
If you have visibility into scheduled tasks, look for newly created tasks that execute PowerShell commands referencing paths like 'C:\ProgramData\Microsoft\Diagnosis\ETW'.	Scheduled Task Creation, Process Creation	Persistence	Low
Consider monitoring for instances of csc.exe (C# compiler) being spawned by PowerShell, which may indicate dynamic in-memory compilation of malicious modules.	Process Creation, Process Ancestry	Execution	Medium

Control Gaps

• Hash-based AV detection (due to server-side polymorphism)
• Network perimeter blocking based solely on standard ports (C2 uses custom protocol over port 443)

Key Behavioral Indicators

• PowerShell invoking csc.exe to compile .cs files in Temp directories
• Creation of scheduled tasks with names like '\WinDiagTask0'
• PowerShell scripts reading and executing content from .txt files using IEX and Get-Content

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• If your network controls support it, consider blocking access to the identified delivery and C2 IP addresses and domains.
• Search endpoint telemetry for the presence of 'msedge.txt' or 'msedgeupdate.txt' in Public Documents or ETW diagnostic folders.

Infrastructure Hardening

• Evaluate whether PowerShell execution policies can be strictly enforced and monitored for bypass attempts.
• Consider implementing application control to restrict the execution of unauthorized scripts and binaries from user-writable directories.

User Protection

• If your EDR supports it, ensure behavioral monitoring is enabled to catch fileless execution and in-memory compilation.
• Consider restricting the ability of standard users to create scheduled tasks.

Security Awareness

• Educate users to be wary of unexpected full-screen banking overlays or prompts instructing them not to turn off their computers.
• Train employees to recognize social engineering lures, especially those disguised as electronic invoices (NF-e) or requiring script execution to resolve errors.

MITRE ATT&CK Mapping

• T1059.001 - PowerShell
• T1059.003 - Windows Command Shell
• T1053.005 - Scheduled Task/Job
• T1027 - Obfuscated Files or Information
• T1113 - Screen Capture
• T1056.001 - Keylogging
• T1564.003 - Hidden Window
• T1134.002 - Create Process with Token

Additional IOCs

• Ips:
  • 24[.]199[.]90[[.]]58 - Staging server IP
  • 162[.]141[.]111[[.]]227 - Fallback C2 IP
• Domains:
  • convitemundial2026[[.]]com - Delivery domain
  • c[[.]]windowsk-cdn[[.]]com - Primary C2 domain
• Urls:
  • hxxps://convitemundial2026[.]com/Consultar_NF-e.bat - URL for initial batch file download
  • hxxp://24[.]199[.]90[.]58/payload.php - URL for polymorphic payload retrieval
  • hxxp://24[.]199[.]90[.]58/st.txt - URL for initial stager retrieval
• File Hashes:
  • ecdc8fade561a75d68235859ad8b1fe131db2c458b4894268e38e90ecab1c47f (sha256) - Hash of st.txt (PowerShell downloader component)
  • 38dfeb772afbd01c04eddda120d283acfb1147a6dc3d54ac62fe23ad06e39d8f (sha256) - Hash of st.php (Web-based downloader)
  • 4912b1134e69ade7266e8508eec33ccb2d80ad693f1dbc4f1f4344c6dfcf2ff1 (sha256) - Hash of payload.php (Payload dropper)
• File Paths:
  • C:\Users\Public\Documents\msedge.txt - Staged payload location
  • C:\ProgramData\Microsoft\Diagnosis\ETW\msedgeupdate.txt - Evasion payload location masquerading as diagnostic file
  • C:\Windows\System32\Tasks\WinDiagTask0 - Scheduled task persistence file
• Command Lines:
  • Purpose: Create a hidden scheduled task for persistence to execute the PowerShell payload. | Tools: powershell.exe, schtasks.exe | Stage: Persistence
• Other:
  • iuhbdaubdvauygd5562$3@##$r - Hardcoded operator MasterKey used for HMAC and AES seed
  • \WinDiagTask0 - Scheduled task name used for persistence