The threat actors responsible for the BRATA banking trojan have refined their techniques and enhanced the malware with data-stealing capabilities.
Cleafy, an Italian mobile security business, has been following BRATA activity and has discovered variations in the most recent campaigns that lead to extended persistence on the device.
"The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern. This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information," explains Cleafy in a report this week.
The malware has also been modified with new phishing tactics, new classes for requesting further device permissions, and the inclusion of a second-stage payload from the command and control (C2) server.
BRATA malware is also more focused, as researchers determined that it concentrates on one financial institution at a time and only switches to another when countermeasures render its attacks ineffective.
For example, instead of getting a list of installed applications and retrieving the appropriate injections from the C2, BRATA now comes pre-loaded with a single phishing overlay.
This reduces harmful network traffic as well as interactions with the host device.
In a later version, BRATA gains additional permissions to send and receive SMS, which can aid attackers in stealing temporary codes such as one-time passwords (OTPs) and two-factor authentication (2FA) codes that banks send to their clients.
After establishing itself on a device, BRATA retrieves a ZIP archive containing a JAR package ("unrar.jar") from the C2 server.
This keylogging utility tracks app-generated events and records them locally on the device along with the text contents and a timestamp.
Cleafy's analysts discovered that this tool is still in its early stages of development. The researchers believe the author's ultimate purpose is to exploit the Accessibility Service to obtain data from other apps.
BRATA's development
In 2019, BRATA emerged as a banking trojan capable of screen capture, app installation, and turning off the screen to make the device look powered down.
BRATA initially appeared in Europe in June 2021, using bogus anti-spam apps as a lure and employing fake support personnel who tricked victims into handing over full control of their devices.
In January 2022, a new version of BRATA appeared in the wild, employing GPS tracking, several C2 communication channels, and customised versions for different locations.
Alongside the shift in tactics, Cleafy has discovered a new project: an SMS stealer app that talks to the same C2 infrastructure as the current BRATA version.
It uses the same structure and class names as BRATA but appears to be limited to siphoning text messages. It currently targets the United Kingdom, Italy, and Spain. To intercept incoming SMS messages, the application asks the user to set it as the default messaging app and requests permission to access the contacts on the device.
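The combination described above (SMS permissions, a request to become the default messaging app, contacts access, an overlay permission and an accessibility service) is something a defender can check for when triaging an APK's manifest. The following is an added example written for this article, not Cleafy's tooling or anything from the BRATA samples: it parses a decoded AndroidManifest.xml with the standard library and reports which of those indicators are present. The two manifests embedded in it are constructed for illustration; the permission names, the `SMS_DELIVER` broadcast action and the `BIND_ACCESSIBILITY_SERVICE` permission are the real Android identifiers.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Indicators drawn from the behaviours the article describes.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
CONTACTS_PERMISSION = "android.permission.READ_CONTACTS"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# A default SMS app must declare a receiver for this broadcast action.
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"


def triage_manifest(xml_text: str) -> dict:
    """Return the risk indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    declared = {e.get(NAME) for e in root.iter("uses-permission")}
    findings = []
    if declared & SMS_PERMISSIONS:
        findings.append("sms_permissions")
    if OVERLAY_PERMISSION in declared:
        findings.append("overlay_permission")
    if CONTACTS_PERMISSION in declared:
        findings.append("contacts_permission")
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(PERMISSION) == ACCESSIBILITY_BIND for s in root.iter("service")):
        findings.append("accessibility_service")
    # A receiver handling SMS_DELIVER marks an app that can become the default SMS handler.
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if SMS_DELIVER_ACTION in actions:
            findings.append("default_sms_handler")
            break
    # Verdict heuristic (this example's own, not a vendor rule).
    verdict = "low"
    if "default_sms_handler" in findings and "sms_permissions" in findings:
        verdict = "sms-interception-candidate"
    elif "overlay_permission" in findings and "accessibility_service" in findings:
        verdict = "overlay-trojan-candidate"
    return {"findings": findings, "verdict": verdict}


# Constructed sample: a manifest requesting the full set of indicators.
SUSPECT_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakesms">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

The check is a triage aid, not a verdict on its own: legitimate messaging apps also handle `SMS_DELIVER`, so a hit should prompt a closer look at the app's origin and its network behaviour rather than an automatic block.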
For the time being, it's unclear whether this is only an experiment by the BRATA team to produce smaller apps focused on specific roles. What is clear is that BRATA continues to evolve, with new versions appearing roughly every two months. It is critical to stay watchful, keep your device updated, and avoid installing apps from unapproved or dubious sources.