A recent investigation has uncovered a sophisticated banking malware campaign leveraging Banana RAT, a remote access trojan historically associated with Brazilian financial fraud. This campaign utilizes an exposed backend server capable of generating polymorphic malware variants on demand, significantly enhancing its ability to evade detection.
The discovery began when researchers identified a publicly accessible index on a specific IP address through routine internet scanning. Instead of merely hosting static malicious files, this server operated as an active delivery platform, complete with a payload generator and an obfuscation script. This setup enabled the creation of fresh, uniquely disguised payloads whenever required by the attackers.
Analysts from Any.Run observed this exposed infrastructure and monitored the evolution of the malware by analyzing two distinct versions of Banana RAT deployed within a short timeframe. The first version, detonated in late May 2026, utilized fixed file names and folder paths designed to mimic legitimate Windows update components. The second version, from early June 2026, exhibited more advanced evasion techniques, including dynamic file naming and path generation, making detection and analysis more challenging.
The exposed server featured a script named ‘servidor_completo_pool.py,’ functioning as a backend service to pre-generate malware payloads in batches. This script sourced files from a web directory and offered multiple web addresses to manage payload pools, report statistics, and serve the generated files. This indicates a system designed for the continuous production of new malware variants rather than a static repository.
Accompanying this was another script, ‘ofuscador.py,’ which transformed straightforward PowerShell commands into obfuscated character sequences. These sequences were reassembled and executed at runtime, allowing the malware to alter its appearance with each deployment while maintaining consistent underlying behavior. This obfuscation technique significantly complicates detection efforts, as traditional signature-based defenses may fail to recognize the ever-changing surface characteristics of the malware.
Banana RAT specifically targets financial activities, aiming to steal banking credentials and manipulate payment transactions. Its ability to regenerate in new forms renders blocklist-based defenses less effective over time. The exposed payload generator not only facilitates rapid adaptation to security measures but also provides valuable insights into the operational tactics of the threat actors. Understanding these mechanisms is crucial for developing more robust detection and prevention strategies against such evolving threats.
This development underscores the increasing sophistication of cybercriminal operations, particularly in the realm of financial malware. The use of exposed, automated payload generators highlights the need for continuous vigilance and adaptive security measures. Organizations must prioritize proactive threat hunting and employ advanced behavioral analysis techniques to detect and mitigate such dynamic threats effectively.