The BRATA banking Trojan first appeared in 2019 in Brazil. The threat targeted Android devices and was capable of taking screen captures, installing new applications, and making the infected device appear shut down by turning off the screen. Since then, the threat has evolved rapidly through multiple new versions, each with expanded intrusive capabilities. For example, in 2021 the threat was used in attack campaigns against users in Europe. Infosec researchers discovered the BRATA malware being spread via fake anti-spam applications. The campaigns even included fake support agents who lured users into handing over complete control of their devices.
At the start of 2022, BRATA became even more sophisticated, adding GPS tracking and multiple communication channels for reaching its Command-and-Control (C2, C&C) servers. The threat also received a factory reset feature, allowing it to wipe breached devices after the data on them had already been exfiltrated. The threat actors also tailored BRATA versions to the country of the targeted users.
Now, a report by Cleafy, an Italian mobile security company, shows that BRATA has evolved further, morphing into a persistent threat that aims to remain on infected devices. The threat's expanded functions include the ability to send and intercept SMS messages, which effectively lets the attackers collect temporary codes such as one-time passwords (OTPs) and the codes used by two-factor authentication (2FA). BRATA can also fetch a second-stage payload from its C2. The additional malware is dropped on the device as a ZIP archive containing an 'unrar.jar' package. Once executed, the payload acts as a keylogger that monitors application-generated events and logs them locally.
Finally, the BRATA malware versions analyzed by Cleafy were extremely targeted. In fact, the threat actors appear to focus on a single financial institution at a time, moving on to the next target only after the previous one's security countermeasures have neutralized their efforts. This behavior lets the cybercriminals significantly reduce the footprint of the BRATA malware: the threat no longer needs to read the list of applications installed on the breached device and then fetch the corresponding injections from the C2. Instead, the malware now comes pre-loaded with just one phishing overlay, minimizing both its C2 traffic and the actions it needs to perform on the host device.