
BRATA Evolves into Persistent Threat to Target Financial Apps

The BRATA banking trojan has evolved, adding capabilities for stealing information from financial apps. In its recent campaigns the trojan maintains persistence on the infected device for longer while exfiltrating sensitive data.

The BRATA story

A report from Cleafy highlighted some new changes in BRATA and related its latest activities to the behavior of an Advanced Persistent Threat (APT).
  • The banking trojan now comes pre-loaded with a single phishing overlay, rather than enumerating the installed apps and fetching matching injections from the C2; this reduces the amount of malicious network traffic the infection generates.
  • The trojan itself has been updated with new phishing techniques, new classes to request more permissions on the infected device, and drops a second-stage payload from the C2 server.
  • BRATA has become more targeted: it focuses on one financial institution at a time and moves to another only when its attacks stop working or become less effective because of countermeasures.

Additional insights

  • The trojan added more permissions to send and receive SMS to steal temporary codes such as 2FA and OTPs sent by banks to their customers.
  • After infection, BRATA downloads a ZIP archive from the C2 server containing a JAR package (unrar[.]jar). This second stage implements a keylogger that monitors app-generated events and saves them locally on the device.

SMS stealer

  • Along with the new BRATA version and change in tactics, the researchers spotted an SMS stealer app using the same BRATA C2 infrastructure, along with framework and class names.
  • The stealer app is focused solely on siphoning short text messages and targets the U.K., Spain, and Italy. To intercept incoming SMS, the app urges the user to set it as the default messaging app.
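The default-messaging-app trick described above leaves a recognisable footprint in an APK's manifest. The following Python triage check is an added example (not code from the Cleafy or Cyware reports) that parses a decoded AndroidManifest.xml and flags the combination an SMS stealer needs: SMS permissions together with the intent filters Android requires before it will offer an app as the default SMS handler. The two manifests are constructed samples with hypothetical package names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS",
                   "android.permission.SEND_SMS"}
# Intent actions an app must handle before Android will offer it as the
# default SMS app (the role the stealer asks the victim to grant it).
DEFAULT_SMS_ACTIONS = {"android.provider.Telephony.SMS_DELIVER",
                       "android.provider.Telephony.WAP_PUSH_DELIVER",
                       "android.intent.action.RESPOND_VIA_MESSAGE"}

def assess_manifest(manifest_xml: str) -> dict:
    """Triage a decoded AndroidManifest.xml: report declared SMS permissions
    and default-SMS intent actions, and flag when both are present."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    found_perms = sorted(perms & SMS_PERMISSIONS)
    found_actions = sorted(actions & DEFAULT_SMS_ACTIONS)
    return {"package": root.get("package"),
            "sms_permissions": found_perms,
            "default_sms_actions": found_actions,
            "flag": bool(found_perms and found_actions)}

# Constructed sample manifests (hypothetical package names), not real samples.
STEALER_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for m in (STEALER_LIKE, BENIGN):
        print(assess_manifest(m))
```

A flag here is a triage signal, not a verdict: legitimate messaging apps declare the same combination, so the result should feed a reviewer or be correlated with other indicators such as the C2 infrastructure noted above.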

Conclusion

Experts described the recent campaign as an APT pattern that is expected to continue in the future. To stay protected from such evolving threats, it is recommended to always download apps from trusted sources and monitor the app behavior after installation.
Cyware Publisher