Tuesday, July 16, 2024

BRATA – Banking Trojan With Advanced Information-stealing Capabilities

Technology is evolving at a rapid pace and along with it, the threat actor behind the BRATA banking trojan has also improved the malware to release more features that are capable of stealing information.

Cleafy, a digital security company specializing in mobile security, has been tracking BRATA campaigns for the past few months. While the experts at Cleafy have noted changes in the recent campaigns which resulted in the malware staying on the device for longer periods of time.

As part of the update, several new elements have been added to the malware itself, and here they are:- 

  • Added new phishing techniques
  • Added new classes to request extra permissions
  • Dropping a second-stage payload capability from the C2 server

Campaigns Targeted

The operators of BRATA malware primarily target financial institutions and organizations. That’s why the threat actors are actively using the BRATA malware. 

It doesn’t stop there, as it switches from one attack to another when countermeasures render it inefficient at the time. 

Instead of acquiring a list of installed programs and running injections on the C2 from a list of installed apps, BRATA is now preloaded with a single phishing overlay.

This results in a reduction of malicious network traffic and decreases the interactions between the host device and the network.

The latest version of BRATA malware is now capable of sending and receiving SMS messages. Due to its recent release, it comes with a number of new features that make it incredibly easy for attackers to obtain temporary codes from the compromised device and use them for their attacks.

It compromises the following codes that are sent by banks to their customers:-

  • One-time passwords (OTPs)
  • Two-factor Authentication (2FA) codes

Within the device, BRATA fetches a ZIP archive that contains a JAR package that is named “unrar.jar” from the C2 server before nesting into the device.

While the keylogger utility software mainly monitors the events that are generated by apps on the device, and stores the text data along with the timestamps associated with these events locally on the device.

Development of BRATA

In 2019, BRATA was initially introduced in Brazil as a banking Trojan. While being a banking Trojan, it is able to execute several actions like:-

  • Taking screenshots
  • Installing new apps
  • Turning off the screen

First displayed in Europe in June 2021, BRATA made its debut on the continent. Initially, the malware was used to trick victims into giving up access to their devices by using phony anti-spam apps that appeared as part of a fake anti-spam app package. 

In addition, masked support agents manipulated victims into giving them complete control over their devices by pretending to be the regulator.

Again a new version of BRATA appeared in January 2022. This time it has utilized several elements like:-

  • GPS tracking
  • Multiple C2 communication channels
  • Customized versions for different countries’ different banking institutions

Moreover, a factory reset feature was also included in that version, which wiped all data from stolen devices after they had been compromised.

BRATA is evolving at a rate of around two months per annum, which makes sense as it keeps evolving with time. That’s why cybersecurity analysts have strongly recommended users keep their devices up to date, stay alert, and avoid downloading any applications from suspicious sources.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

HardBit Ransomware Using Passphrase Protection To Evade Detection

In 2022, HardBit Ransomware emerged as version 4.0. Unlike typical ransomware groups, this ransomware...

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...

Hacktivist Groups Preparing for DDoS Attacks Targeting Paris Olympics

Cyble Research & Intelligence Labs (CRIL) researchers have identified a cyber threat targeting the...

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles