Tuesday, November 12, 2024
HomeCyber Security NewsBRATA - Banking Trojan With Advanced Information-stealing Capabilities

BRATA – Banking Trojan With Advanced Information-stealing Capabilities

Published on

Malware protection

Technology is evolving at a rapid pace and along with it, the threat actor behind the BRATA banking trojan has also improved the malware to release more features that are capable of stealing information.

Cleafy, a digital security company specializing in mobile security, has been tracking BRATA campaigns for the past few months. While the experts at Cleafy have noted changes in the recent campaigns which resulted in the malware staying on the device for longer periods of time.

As part of the update, several new elements have been added to the malware itself, and here they are:- 

- Advertisement - SIEM as a Service
  • Added new phishing techniques
  • Added new classes to request extra permissions
  • Dropping a second-stage payload capability from the C2 server

Campaigns Targeted

The operators of BRATA malware primarily target financial institutions and organizations. That’s why the threat actors are actively using the BRATA malware. 

It doesn’t stop there, as it switches from one attack to another when countermeasures render it inefficient at the time. 

Instead of acquiring a list of installed programs and running injections on the C2 from a list of installed apps, BRATA is now preloaded with a single phishing overlay.

This results in a reduction of malicious network traffic and decreases the interactions between the host device and the network.

The latest version of BRATA malware is now capable of sending and receiving SMS messages. Due to its recent release, it comes with a number of new features that make it incredibly easy for attackers to obtain temporary codes from the compromised device and use them for their attacks.

It compromises the following codes that are sent by banks to their customers:-

  • One-time passwords (OTPs)
  • Two-factor Authentication (2FA) codes

Within the device, BRATA fetches a ZIP archive that contains a JAR package that is named “unrar.jar” from the C2 server before nesting into the device.

While the keylogger utility software mainly monitors the events that are generated by apps on the device, and stores the text data along with the timestamps associated with these events locally on the device.

Development of BRATA

In 2019, BRATA was initially introduced in Brazil as a banking Trojan. While being a banking Trojan, it is able to execute several actions like:-

  • Taking screenshots
  • Installing new apps
  • Turning off the screen

First displayed in Europe in June 2021, BRATA made its debut on the continent. Initially, the malware was used to trick victims into giving up access to their devices by using phony anti-spam apps that appeared as part of a fake anti-spam app package. 

In addition, masked support agents manipulated victims into giving them complete control over their devices by pretending to be the regulator.

Again a new version of BRATA appeared in January 2022. This time it has utilized several elements like:-

  • GPS tracking
  • Multiple C2 communication channels
  • Customized versions for different countries’ different banking institutions

Moreover, a factory reset feature was also included in that version, which wiped all data from stolen devices after they had been compromised.

BRATA is evolving at a rate of around two months per annum, which makes sense as it keeps evolving with time. That’s why cybersecurity analysts have strongly recommended users keep their devices up to date, stay alert, and avoid downloading any applications from suspicious sources.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

VMware Workstation & Fusion Now Available for Free to All Users

VMware has announced that its popular desktop hypervisor products, VMware Workstation and VMware Fusion,...

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

VMware Workstation & Fusion Now Available for Free to All Users

VMware has announced that its popular desktop hypervisor products, VMware Workstation and VMware Fusion,...

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...