Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud
Summary
Banana RAT is a banking trojan used by the financially motivated threat actor SHADOW-WATER-063 to steal credentials and carry out fraudulent transactions targeting Brazilian banks. The malware is delivered through a malicious batch file and relies on layered PowerShell obfuscation, in-memory execution, and AES-256 encryption to avoid detection. It maintains persistence through a hidden scheduled task and communicates with its command-and-control server over HTTP and TLS. The campaign also features a Pix QR code interception capability aimed at Brazil’s instant payment ecosystem.
Investigation
Trend Micro MDR analysts obtained both server-side tooling and client-side payloads, allowing them to reconstruct the full attack chain from a FastAPI-based polymorphic crypter to the PowerShell stager and final in-memory C# compilation stage. Their analysis uncovered the attacker infrastructure, the obfuscation workflow, and a set of capabilities that included screen streaming, input manipulation, and QR code tampering. The operation was linked to the broader Tetrade banking trojan ecosystem, although researchers noted several architectural differences.
Mitigation
Defenders should block the initial HTTP GET request to the malware delivery endpoint at the network edge, monitor for creation of the hidden scheduled task, and enforce strict controls over PowerShell and csc.exe execution (for example, application control rules and PowerShell Constrained Language Mode, so that an interactive PowerShell session cannot drive the .NET compiler). Endpoint defenses should also detect fileless PowerShell activity, in-memory DLL loading, and creation of files in deceptive paths such as ProgramData\Microsoft\Diagnosis\ETW and the Public user profile. User awareness training should address malicious batch files and phishing links distributed through channels such as WhatsApp.
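The indicators above can be exercised end to end with a small detection pass. The script below is an added example, not code from the page, from Trend Micro, or from the detection vendor: it normalizes a batch of endpoint, proxy and network events into a flat dict schema (the field names such as type, image, target_path and task_content are assumptions standing in for Sysmon and Security-log fields after normalization) and flags the behaviours named in this section: csc.exe spawned from PowerShell, a hidden-window PowerShell command line, drops into the ETW and Public Documents paths, a scheduled task marked hidden in its definition XML, and traffic to the C2 addresses and domain listed in the IOC sets. The sample events at the bottom are constructed, not captured telemetry.

```python
"""Added example: single-pass detector for the Banana RAT indicators on this page.

Not Trend Micro's or the detection vendor's code. The flattened event schema is an
assumption (a stand-in for normalized Sysmon / Security-log fields); the sample
events are constructed so the script runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the page: C2 addresses, beacon domain, deceptive drop paths.
C2_IPS = {"24.199.90.58", "162.141.111.227"}
C2_DOMAINS = {"c.windowsk-cdn.com"}
DECEPTIVE_DIRS = (
    "c:\\programdata\\microsoft\\diagnosis\\etw\\",
    "c:\\users\\public\\documents\\",
)
# URL whose host is a bare IPv4 address (the "File Download Direct IP" proxy rule).
DIRECT_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)", re.I)
# -w hidden / -WindowStyle Hidden, matched case-insensitively as PowerShell parses it.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    evidence: str


def check_event(ev: dict) -> list[Alert]:
    """Return every alert one normalized event triggers (an event may hit several)."""
    alerts: list[Alert] = []
    kind = ev.get("type")
    if kind == "process_create":
        parent = ev.get("parent_image", "").lower()
        image = ev.get("image", "").lower()
        cmd = ev.get("command_line", "")
        # In-memory C# compilation stage: csc.exe with a PowerShell parent.
        if parent.endswith("\\powershell.exe") and image.endswith("\\csc.exe"):
            alerts.append(Alert("csc_from_powershell", cmd))
        if image.endswith("\\powershell.exe") and HIDDEN_WINDOW.search(cmd):
            alerts.append(Alert("hidden_powershell_cmdline", cmd))
    elif kind == "file_create":
        path = ev.get("target_path", "")
        if path.lower().startswith(DECEPTIVE_DIRS):
            alerts.append(Alert("file_in_deceptive_path", path))
    elif kind == "task_create":
        # Security event 4698 carries the task definition XML; a task kept out of
        # the Task Scheduler UI sets <Hidden>true</Hidden> under <Settings>.
        if "<hidden>true</hidden>" in ev.get("task_content", "").lower():
            alerts.append(Alert("hidden_scheduled_task", ev.get("task_name", "")))
    elif kind == "network_connect":
        if ev.get("dest_ip") in C2_IPS:
            alerts.append(Alert("c2_ip_connection", f"{ev['dest_ip']}:{ev.get('dest_port')}"))
    elif kind == "dns_query":
        if ev.get("query_name", "").lower() in C2_DOMAINS:
            alerts.append(Alert("c2_dns_query", ev["query_name"]))
    elif kind == "proxy":
        url = ev.get("url", "")
        if DIRECT_IP_URL.match(url):
            alerts.append(Alert("download_from_direct_ip", url))
    return alerts


def scan(events: list[dict]) -> list[Alert]:
    """Run check_event over a batch and keep the alerts in event order."""
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample telemetry in attack-chain order, with benign events mixed in.
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "cmd.exe /c invoice.bat"},
    {"type": "process_create", "image": PS_EXE, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Ep Bypass -Enc SQBFAFgAIAA="},
    {"type": "proxy", "method": "GET", "url": "http://24.199.90.58/update.txt"},
    {"type": "file_create", "target_path": "C:\\Users\\Public\\Documents\\msedge.txt"},
    {"type": "file_create", "target_path": "C:\\ProgramData\\Microsoft\\Diagnosis\\ETW\\msedge.txt"},
    {"type": "process_create", "parent_image": PS_EXE,
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "command_line": "csc.exe /noconfig /fullpaths @C:\\Users\\victim\\AppData\\Local\\Temp\\x.cmdline"},
    {"type": "task_create", "task_name": "\\ConstructedExampleTask",
     "task_content": "<Task><Settings><Hidden>true</Hidden></Settings></Task>"},
    {"type": "network_connect", "dest_ip": "162.141.111.227", "dest_port": 443},
    {"type": "dns_query", "query_name": "c.windowsk-cdn.com"},
    {"type": "network_connect", "dest_ip": "203.0.113.10", "dest_port": 443},  # benign
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.rule:28} {alert.evidence}")
```

Each rule keys on a behaviour rather than a hash, so the first five alerts still fire against a re-crypted build from the polymorphic crypter; only the last two depend on the specific IOCs and should be paired with the IOC sets below.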
Response
If Banana RAT activity is detected, isolate the affected endpoint immediately, terminate the malicious PowerShell process, remove the hidden scheduled task, and delete any dropped files from public and masqueraded directories. Investigators should collect the full PowerShell command line, preserve any C# compilation artifacts, and review network traffic connected to the command-and-control domains. Exposed credentials should be reset, and financial teams should be alerted to watch for signs of fraudulent banking activity.
Attack Flow
graph TB
    %% Class definitions
    classDef technique fill:#99ccff
    %% Node definitions
    step_A["<b>Technique</b> – <b>T1204.001 User Execution</b>: Malicious link delivered via WhatsApp or email to download batch file."]
    class step_A technique
    step_B["<b>Technique</b> – <b>T1027.014 Obfuscated Files</b>: Batch file runs obfuscated PowerShell code."]
    class step_B technique
    step_C["<b>Technique</b> – <b>T1027.016 Junk Code Insertion</b>: Nine custom obfuscation layers, variable renaming, XOR, AES."]
    class step_C technique
    step_D["<b>Technique</b> – <b>T1036.008 Masquerading</b>: Drops msedge.txt in Public Documents mimicking Microsoft ETW path."]
    class step_D technique
    step_E["<b>Technique</b> – <b>T1564.005 Hide Artifacts</b>: Writes malicious file to ProgramData Microsoft Diagnosis ETW to blend with legitimate files."]
    class step_E technique
    step_F["<b>Technique</b> – <b>T1620 Reflective Code Loading</b>: Uses csc.exe to compile C# DLLs in memory."]
    class step_F technique
    step_G["<b>Technique</b> – <b>T1134.001 Token Impersonation</b>: Duplicates SYSTEM token and spawns PowerShell in interactive session."]
    class step_G technique
    step_H["<b>Technique</b> – <b>T1134.002 Create Process with Token</b>: Spawns process with duplicated token."]
    class step_H technique
    step_I["<b>Technique</b> – <b>T1571 Non-Standard Port</b>: C2 communication over HTTPS port 443 using custom AES-256-CBC protocol."]
    class step_I technique
    step_J["<b>Technique</b> – <b>T1048.002 Exfiltration Over Alternative Protocol</b>: Encrypted data exfiltration using asymmetric encrypted non-C2 protocol."]
    class step_J technique
    step_K["<b>Technique</b> – <b>T1140 Deobfuscate Decode</b>: PowerShell decrypts AES-wrapped payload in memory."]
    class step_K technique
    step_L["<b>Technique</b> – <b>T1659 Content Injection</b>: PowerShell uses Net.WebClient or Start-BitsTransfer to fetch payload from attacker web server."]
    class step_L technique
    step_M["<b>Technique</b> – <b>T1566 Phishing</b>: Malicious link delivered via WhatsApp/email to download batch file."]
    class step_M technique
    %% Connections
    step_A -->|leads_to| step_B
    step_B -->|leads_to| step_C
    step_C -->|leads_to| step_D
    step_D -->|leads_to| step_E
    step_E -->|leads_to| step_F
    step_F -->|leads_to| step_G
    step_G -->|leads_to| step_H
    step_H -->|leads_to| step_I
    step_I -->|leads_to| step_J
    step_J -->|leads_to| step_K
    step_K -->|leads_to| step_L
    step_L -->|leads_to| step_M
Detections
- Suspicious Scheduled Task (via audit)
- Call Suspicious .NET Methods from Powershell (via powershell)
- The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
- Suspicious Powershell Strings (via powershell)
- Call Suspicious Windows API Functions from Powershell (via powershell)
- Suspicious Files in Public User Profile (via file_event)
- Suspicious File Download Direct IP (via proxy)
- IOCs (HashSha256) to detect: Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud
- IOCs (SourceIP) to detect: Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud
- IOCs (DestinationIP) to detect: Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud
- Detection of SHADOW-WATER-063 C2 Communication [Windows Network Connection]
- Detection of Banana RAT Initial Access and Execution [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (C2 communication) designed to trigger the detection rule. The commands and narrative directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
The threat actor has deployed Banana RAT on the victim endpoint. To maintain persistence and receive commands, the RAT initiates outbound communication to its hard-coded C2 infrastructure:
- HTTP Beacon (IP 24.199.90.58:80): Opens a raw TCP socket and sends a minimal HTTP GET request.
- HTTPS Beacon (IP 162.141.111.227:443): Uses Invoke-WebRequest with TLS to the C2 server.
- Domain-Based Beacon: Performs a DNS lookup for c.windowsk-cdn.com, which the C2 monitors for query volume.
All three actions are executed sequentially to maximize the chance of hitting at least one selection in the Sigma rule. The addresses are the live infrastructure from the IOC sets above, so run the script only from an isolated test range whose egress is sinkholed or monitored, never from a production host.
Regression Test Script:
# -------------------------------------------------
# Banana RAT C2 Communication Simulation (TC-20260522-A1B2C)
# Contacts live adversary infrastructure; run only from an isolated test range.
# -------------------------------------------------
# 1. HTTP beacon to 24.199.90.58:80 (raw socket, minimal GET)
try {
    $httpClient = New-Object System.Net.Sockets.TcpClient("24.199.90.58",80)
    $stream = $httpClient.GetStream()
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.WriteLine("GET / HTTP/1.1")
    $writer.WriteLine("Host: 24.199.90.58")
    $writer.WriteLine("Connection: Close")
    $writer.WriteLine()
    $writer.Flush()
    $reader = New-Object System.IO.StreamReader($stream)
    $response = $reader.ReadToEnd()
    $writer.Dispose()
    $reader.Dispose()
    $httpClient.Close()
} catch {
    Write-Error "HTTP beacon failed: $_"
}
# 2. HTTPS beacon to 162.141.111.227:443
# The server certificate will not validate for a bare IP; the TLS handshake alone
# produces the network telemetry the rule keys on, and the failure is caught here.
try {
    Invoke-WebRequest -Uri "https://162.141.111.227" -UseBasicParsing -TimeoutSec 10
} catch {
    Write-Error "HTTPS beacon failed: $_"
}
# 3. DNS query for the C2 domain
try {
    Resolve-DnsName -Name "c.windowsk-cdn.com" -Type A -ErrorAction Stop
} catch {
    Write-Error "DNS query failed: $_"
}
# End of simulation
Cleanup Commands:
# -------------------------------------------------
# Cleanup - close any lingering connections and reset DNS state
# -------------------------------------------------
# The simulation writes no files and creates no persistence.
# Close residual connections to the simulated C2 addresses. The current shell
# ($PID) owns the sockets opened above, so it is excluded: stopping it would
# abort the cleanup itself.
Get-NetTCPConnection -RemotePort 80,443 -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -in @("24.199.90.58","162.141.111.227") -and $_.OwningProcess -ne $PID } |
    ForEach-Object { Stop-Process -Id $_.OwningProcess -Force }
# Clear the DNS cache so the lookup does not affect subsequent tests
Clear-DnsClientCache