BRATA – Banking Trojan With Advanced Information-stealing Capabilities

Technology is evolving at a rapid pace and along with it, the threat actor behind the BRATA banking trojan has also improved the malware to release more features that are capable of stealing information.

Cleafy, a digital security company specializing in mobile security, has been tracking BRATA campaigns for the past few months. While the experts at Cleafy have noted changes in the recent campaigns which resulted in the malware staying on the device for longer periods of time.

As part of the update, several new elements have been added to the malware itself, and here they are:- 

  • Added new phishing techniques
  • Added new classes to request extra permissions
  • Dropping a second-stage payload capability from the C2 server

Campaigns Targeted

The operators of BRATA malware primarily target financial institutions and organizations. That’s why the threat actors are actively using the BRATA malware. 

It doesn’t stop there, as it switches from one attack to another when countermeasures render it inefficient at the time. 

Instead of acquiring a list of installed programs and running injections on the C2 from a list of installed apps, BRATA is now preloaded with a single phishing overlay.

This results in a reduction of malicious network traffic and decreases the interactions between the host device and the network.

The latest version of BRATA malware is now capable of sending and receiving SMS messages. Due to its recent release, it comes with a number of new features that make it incredibly easy for attackers to obtain temporary codes from the compromised device and use them for their attacks.

It compromises the following codes that are sent by banks to their customers:-

  • One-time passwords (OTPs)
  • Two-factor Authentication (2FA) codes

Within the device, BRATA fetches a ZIP archive that contains a JAR package that is named “unrar.jar” from the C2 server before nesting into the device.

While the keylogger utility software mainly monitors the events that are generated by apps on the device, and stores the text data along with the timestamps associated with these events locally on the device.

Development of BRATA

In 2019, BRATA was initially introduced in Brazil as a banking Trojan. While being a banking Trojan, it is able to execute several actions like:-

  • Taking screenshots
  • Installing new apps
  • Turning off the screen

First displayed in Europe in June 2021, BRATA made its debut on the continent. Initially, the malware was used to trick victims into giving up access to their devices by using phony anti-spam apps that appeared as part of a fake anti-spam app package. 

In addition, masked support agents manipulated victims into giving them complete control over their devices by pretending to be the regulator.

Again a new version of BRATA appeared in January 2022. This time it has utilized several elements like:-

  • GPS tracking
  • Multiple C2 communication channels
  • Customized versions for different countries’ different banking institutions

Moreover, a factory reset feature was also included in that version, which wiped all data from stolen devices after they had been compromised.

BRATA is evolving at a rate of around two months per annum, which makes sense as it keeps evolving with time. That’s why cybersecurity analysts have strongly recommended users keep their devices up to date, stay alert, and avoid downloading any applications from suspicious sources.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

5 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

5 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

5 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

5 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago