[MART] - Daily Diary #534 - Brazilian Malware Brata Updates

CTAS-MAT ctas-mat at appgate.com
Mon Jun 20 21:56:06 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

06/20/2022 - Diary entry #534:

In some of our Daily Diaries, we covered a Brazilian Android Banking RAT (Remote Access Trojan) known as Brata that was first discovered in 2019. Brata can steal passwords, remotely unlock the device’s screen, and gain complete control of the affected device by abusing the accessibility permission.

Delivered via a custom dropper hosted on GooglePlay, Brata’s dropper mimicks trusted applications and is disseminated through SMShings, and ads via web page or chrome notifications, luring the users into thinking their device is unsafe or needs an update.

Back in April 2021, we covered (in Daily Diary #242) that Brata changed its operation to target other banking institutions from US and Spain, totalizing 20 unique banks in the US, and more than 50 different financial institutions. Most recently, Brata has changed its attack pattern again, crafting the malware to strike a specific financial institution at a time.

With this new update, Brata is now targeting entities in Europe posing as specific bank applications. It also included new features that are used to impersonate the login page of the target financial institution to siphon credentials, access SMS messages, sideload a second-stage payload to log events, and more.

Brata is the first Remote Access Trojan malware discovered in the banking scenario in Brazil back in 2019. From the beginning, Brata has shown advanced capabilities and evasion techniques that explained its infection rate, and therefore, successful frauds. The fact that it changed its operation to target single institutions at a time in different countries suggests that the malware is possibly being sold as a Malware-as-a-service to other threat actors.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220620/61c4d5c6/attachment.htm>

More information about the MART mailing list