Technology is evolving at a rapid pace and along with it, the threat actor behind the BRATA banking trojan has also improved the malware to release more features that are capable of stealing information.
Cleafy, a digital security company specializing in mobile security, has been tracking BRATA campaigns for the past few months. While the experts at Cleafy have noted changes in the recent campaigns which resulted in the malware staying on the device for longer periods of time.
As part of the update, several new elements have been added to the malware itself, and here they are:-
- Added new phishing techniques
- Added new classes to request extra permissions
- Dropping a second-stage payload capability from the C2 server
The operators of BRATA malware primarily target financial institutions and organizations. That’s why the threat actors are actively using the BRATA malware.
It doesn’t stop there, as it switches from one attack to another when countermeasures render it inefficient at the time.
Instead of acquiring a list of installed programs and running injections on the C2 from a list of installed apps, BRATA is now preloaded with a single phishing overlay.
This results in a reduction of malicious network traffic and decreases the interactions between the host device and the network.
The latest version of BRATA malware is now capable of sending and receiving SMS messages. Due to its recent release, it comes with a number of new features that make it incredibly easy for attackers to obtain temporary codes from the compromised device and use them for their attacks.
It compromises the following codes that are sent by banks to their customers:-
- One-time passwords (OTPs)
- Two-factor Authentication (2FA) codes
Within the device, BRATA fetches a ZIP archive that contains a JAR package that is named “unrar.jar” from the C2 server before nesting into the device.
While the keylogger utility software mainly monitors the events that are generated by apps on the device, and stores the text data along with the timestamps associated with these events locally on the device.
Development of BRATA
In 2019, BRATA was initially introduced in Brazil as a banking Trojan. While being a banking Trojan, it is able to execute several actions like:-
- Taking screenshots
- Installing new apps
- Turning off the screen
First displayed in Europe in June 2021, BRATA made its debut on the continent. Initially, the malware was used to trick victims into giving up access to their devices by using phony anti-spam apps that appeared as part of a fake anti-spam app package.
In addition, masked support agents manipulated victims into giving them complete control over their devices by pretending to be the regulator.
Again a new version of BRATA appeared in January 2022. This time it has utilized several elements like:-
- GPS tracking
- Multiple C2 communication channels
- Customized versions for different countries’ different banking institutions
Moreover, a factory reset feature was also included in that version, which wiped all data from stolen devices after they had been compromised.
BRATA is evolving at a rate of around two months per annum, which makes sense as it keeps evolving with time. That’s why cybersecurity analysts have strongly recommended users keep their devices up to date, stay alert, and avoid downloading any applications from suspicious sources.