Posted on June 21, 2022 at 9:02 PM
Cybersecurity firm Cleafy has stated that the hackers responsible for the BRATA Android malware have started operating as an Advanced Persistent Threat (APT) group.
According to the researchers’ report in a blog post, they first discovered three main BRATA variants in December last year, mainly in Spain, Italy, and Great Britain. But the threat actors have changed their attack patterns since then.
The Malware Now Targets Select Financial Institutions
The Cleafy team warned that the hackers behind the BRATA malware now target a select set of financial institutions at a time, and move on to other targets once the current one deploys countermeasures against their activity. Afterward, they step out of the spotlight and resume with different strategies and targets to infect more vulnerable systems. Cleafy provided details about the new BRATA malware variant in the blog post.
The security team noted that the BRATA malware is regularly updated to make it harder to spot. Each new release adds a feature that makes it more dangerous. The BRATA variant has already been spotted in EU territories posing as bank applications after some internal changes.
The Malware Steals Information From Users
One of the features is a phishing technique that allows the malware to create and display a fake login page imitating the design of the targeted bank’s website. These pages are designed to steal credentials from unsuspecting users.
However, Cleafy stated that the feature had not been fully developed when they filed the report, which means the malware may since have completed it, making it even more persistent and dangerous.
For now, the researchers noted that there is no data exchange between the threat actor’s (TA) infrastructure and the victim device.
Another notable feature the researchers discovered is the request for SMS, overlay, GPS, and device management permissions. These can help the threat actors acquire two-factor authentication (2FA) codes as well as information on the victim’s physical location, which could allow them to easily log in to the targeted user’s account.
Once the malware is installed, the attack pattern will be similar to other SMS stealers. The security team stated that the new feature can ask the user to replace the default messaging app with the malicious one. Once this is achieved, the malicious app can intercept all incoming messages.
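The permission profile described above (SMS, overlay, GPS and device administration, plus a request to become the default messaging app) is something a defender can triage for statically. The following Python helper is an added example for this article, not Cleafy’s tooling or code from any BRATA sample: it parses an AndroidManifest.xml and flags the combination. The two manifests embedded in it are constructed for illustration; the permission and action names are the real Android identifiers (e.g. `android.permission.RECEIVE_SMS`, `android.provider.Telephony.SMS_DELIVER`, the action a default SMS handler must register for).

```python
"""Manifest triage for the BRATA-style permission profile.

Added example (not the article's or Cleafy's code). The manifests below are
constructed samples, not taken from any real APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability buckets named in the article, mapped to the Android permissions
# (or bind permissions on components) that grant them.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "gps": {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}
# An app must declare a receiver for this action to be eligible as the
# default SMS app (the "replace your messaging app" prompt the article mentions).
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"
CORE_PROFILE = {"sms", "overlay", "gps", "device_admin"}


def declared_permissions(root):
    """Permissions requested via <uses-permission>."""
    return {p.get(NAME) for p in root.iter("uses-permission") if p.get(NAME)}


def component_bind_permissions(root):
    """Device-admin and accessibility services are not requested with
    <uses-permission>; they appear as android:permission on a component."""
    found = set()
    for tag in ("receiver", "service"):
        for el in root.iter(tag):
            if el.get(PERMISSION):
                found.add(el.get(PERMISSION))
    return found


def claims_default_sms_handler(root):
    for recv in root.iter("receiver"):
        for action in recv.iter("action"):
            if action.get(NAME) == SMS_DELIVER_ACTION:
                return True
    return False


def triage_manifest(xml_text):
    """Return which capability buckets the manifest hits and whether the full
    SMS + overlay + GPS + device-admin + default-SMS-handler profile matches."""
    root = ET.fromstring(xml_text)
    perms = declared_permissions(root) | component_bind_permissions(root)
    hits = {cap for cap, names in CAPABILITIES.items() if perms & names}
    default_sms = claims_default_sms_handler(root)
    return {
        "capabilities": sorted(hits),
        "default_sms_handler": default_sms,
        "matches_profile": CORE_PROFILE <= hits and default_sms,
    }


# Constructed manifest showing the combination the article describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.suspicious">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary messaging app: SMS plus the default
# handler receiver, but no overlay, location or device-admin request.
BENIGN_SMS_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST),
                        ("benign", BENIGN_SMS_APP_MANIFEST)):
        print(label, triage_manifest(text))
```

A legitimate messaging app necessarily hits the `sms` bucket and registers for `SMS_DELIVER`, so the signal is the combination with overlay, location and device-admin, not any single permission; treat a match as a reason to look closer (where the APK came from, who signed it), not as a verdict on its own.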
The Original Malware Is Distributed Through Fake Apps
For the third feature, the malware is capable of sideloading a piece of code it downloads from the command-and-control (C2) server and carrying out event logging on compromised devices. Again, the researchers stated that this third feature is still under development. They added that the threat actors responsible for the malware want to extend its functionality to retrieve data from other applications by abusing the Accessibility Service.
Cleafy added that the original BRATA malware was distributed via fake antivirus apps or other common apps. However, in the latest campaign the malware took on the characteristics of an APT attack targeting customers of a particular Italian bank.
The most recent campaign appears to be the attack pattern the threat actors will use in subsequent attacks, while additional features remain under development. The hackers usually concentrate on delivering malicious applications aimed at a particular bank for several months before turning their attention to another bank for a couple of months.
The Hackers Are Testing Different Methods To Expand Their Reach
BRATA is the acronym for “Brazilian Remote Access Tool Android.” It was first discovered in the wild in Brazil in 2018 before reappearing in Europe last April. At the time, the malware was posing as antivirus software and other popular tools to deceive users into downloading it. Since then the malware has undergone several changes, as the developers fortified it and made it more damaging.
The malware uses a phishing page and has been equipped to read victims’ SMS, which could be used to carry out a complete Account Takeover (ATO) attack.
Also, the researchers noted that they discovered another Android app package sample that utilizes the same C2 infrastructure as the BRATA malware to steal SMS messages. This shows that the hackers are still testing different methods to expand their reach.