The threat actor behind the BRATA banking trojan has enhanced the malware with data-stealing capabilities. Cleafy, an Italian mobile security researcher, has been tracking BRATA activity and has discovered improvements in more recent campaigns that extend persistence on the device.

Technical Details

Instead of acquiring a list of installed apps and the required injections from the C2 (to limit the malicious network traffic), the banking trojan now ships with a single phishing overlay. New phishing techniques, new classes that request more permissions on the infected device, and a second-stage payload delivered from the C2 server have all been added to the trojan itself.

To steal temporary codes such as 2FA codes and OTPs that banks send to their customers, the trojan acquired additional permissions to send and receive SMS. Following infection, the C2 server sends BRATA a ZIP archive that contains a JAR package (unrar[.]jar). This package implements a keylogging mechanism that records keystroke events and tracks app-generated events.

Indicators of Compromise (IoCs)

MD5

  • 1ae5fcbbd3d0e13192600ef05ba5640d
  • 69d3ce972e66635b238dc17e632474ec

IP

  • 51[.]83[.]251[.]214
  • 51[.]83[.]225[.]224
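As an added example (not part of the original post or of Cleafy's research), the following Python refangs the defanged indicators listed above and matches them against log lines; the log format and the benign values in SAMPLE_LOGS are constructed assumptions, not real telemetry.

```python
import re

# IoCs copied from the page, still in their defanged form.
BRATA_MD5 = [
    "1ae5fcbbd3d0e13192600ef05ba5640d",
    "69d3ce972e66635b238dc17e632474ec",
]
BRATA_IPS_DEFANGED = [
    "51[.]83[.]251[.]214",
    "51[.]83[.]225[.]224",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('51[.]83...', 'hxxp://') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

def scan_logs(lines, md5s=BRATA_MD5, ips_defanged=BRATA_IPS_DEFANGED):
    """Return (line_number, indicator_type, value) for every line containing a known IoC.

    Hashes are compared case-insensitively, since tooling emits MD5s in either case.
    """
    ip_set = {refang(i) for i in ips_defanged}
    md5_set = {h.lower() for h in md5s}
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in ip_set:
                hits.append((n, "ip", ip))
        for h in MD5_RE.findall(line):
            if h.lower() in md5_set:
                hits.append((n, "md5", h.lower()))
    return hits

# Constructed sample log lines (assumed proxy / MDM format; not from the page or any real incident).
SAMPLE_LOGS = [
    "2022-06-20T10:01:02Z proxy src=10.0.0.5 dst=51.83.251.214 dport=443 bytes=4096",
    "2022-06-20T10:01:05Z proxy src=10.0.0.5 dst=142.250.74.78 dport=443 bytes=1200",
    "2022-06-20T10:02:11Z mdm pkg=com.example.app apk_md5=1AE5FCBBD3D0E13192600EF05BA5640D",
    "2022-06-20T10:03:00Z mdm pkg=com.android.vending apk_md5=d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```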

Ending Notes

To protect against such evolving threats, it is recommended to download apps only from legitimate sources and to monitor their behavior once they have been installed.

References

https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat
https://www.bleepingcomputer.com/news/security/android-wiping-brata-malware-is-evolving-into-a-persistent-threat/
