The threat actor responsible for the BRATA banking trojan has refined their tactics and enhanced the malware with data-stealing capabilities. Cleafy, an Italian mobile security company, has been tracking BRATA activity and has noticed changes in the most recent campaigns that lead to longer persistence on the device.
“The mode of operation now fits into an Advanced Persistent Threat (APT) activity pattern,” Cleafy explains in a report released this week. “This term refers to an attack campaign in which criminals maintain a long-term presence on a targeted network in order to steal sensitive information.”
The malware has also been updated with new phishing techniques, new classes for requesting additional device permissions, and the addition of a second-stage payload from the command and control (C2) server.
Targeted campaigns
BRATA malware is also more targeted, as researchers discovered that it focuses on one financial institution at a time and only switches to another when countermeasures render their attacks ineffective. For example, instead of acquiring a list of installed apps and retrieving the appropriate injections from the C2, BRATA now comes pre-loaded with a single phishing overlay.
Overlay used in a recent campaign (Cleafy)
This reduces malicious network traffic as well as interactions with the host device. In a later version, BRATA gains more permissions to send and receive SMS, which can aid attackers in stealing temporary codes such as one-time passwords (OTPs) and two-factor authentication (2FA) that banks send to their customers.
After nesting into a device, BRATA retrieves a ZIP archive containing a JAR (“unrar.jar”) package from the C2 server. This keylogging utility tracks app-generated events and stores them locally on the device along with the text data and a timestamp.
New keylogging module on BRATA (Cleafy)
Cleafy’s analysts discovered evidence that this tool is still in its early stages of development, and the researchers believe the author’s ultimate goal is to exploit the Accessibility Service to obtain data from other applications.
The BRATA evolution
In 2019, BRATA emerged as a banking trojan capable of screen capture, app installation, and turning off the screen to make the device appear powered down. BRATA first appeared in Europe in June 2021, using fake anti-spam apps as a lure and employing fake support agents who defrauded victims and tricked them into giving them complete control of their devices.
A new version of BRATA appeared in the wild in January 2022, employing GPS tracking, multiple C2 communication channels, and tailored versions for banking customers in various countries. That version also included a factory reset command, which erased devices after all data was stolen. Cleafy has discovered a new project: an SMS stealer app that communicates with the same C2 infrastructure as the new BRATA version and the change in tactics.
It employs the same framework and class names as BRATA, but appears to be limited to siphoning short text messages. It currently targets the United Kingdom, Italy, and Spain.
To intercept incoming SMS messages, the application requests that the user set it as the default messaging app, as well as permission to access contacts on the device.
For the time being, it’s unclear whether this is merely an experiment in the BRATA team’s effort to create simpler apps devoted to specific roles. What is clear is that BRATA continues to evolve at a two-month interval. It is critical to remain vigilant, keep your device updated, and avoid installing apps from unofficial or suspicious sources.
