According to a report by the Italian cybersecurity firm Cleafy, "Banks and financial institutions in the United Kingdom, Poland, Italy, and Latin America are among the targets." The latest configurations, found late last year, are said to be distributed through a downloader to avoid detection by security software.

The Android malware known as BRATA has been updated with new capabilities that allow it to track device locations and even perform a factory reset in an apparent attempt to conceal fraudulent wire transfers.

Furthermore, the researchers highlight the key indicators that help to explain the attack chain used by these threat actors (TAs):

  • The malware campaign targets one of Italy’s largest retail banks, as well as other minor banks. However, we cannot rule out the possibility that other local TAs are using the same attack vector (BRATA) to carry out other malicious activities in other countries.
  • Smishing and phishing attacks are used to spread malicious apps and harvest credentials.
  • To infect the victims’ devices, a new version of the BRATA malware is used.
  • TAs use a combination of social engineering techniques and complete control of the infected device to perform fraudulent transactions.

The researchers show that, "Once the victim installs the downloader app, it requires only one permission to download and install the malicious application from an untrusted source. When the victim clicks the install button, the downloader app sends a GET request to the C2 server in order to download the malicious .APK."

The most recent “tailored” samples of BRATA target different countries and include an initial dropper — a security app dubbed “iSecurity” — that is undetected by virtually all malware scanning engines and is used to download and execute the actual malicious software.

Finally, the researchers concluded that "BRATA is attempting to reach out to new targets and develop new features," adding that "threat actors are leveraging this banking trojan for performing frauds, typically through unauthorised wire transfer (e.g., SEPA) or Instant Payments, using a wide network of money mules accounts in multiple European countries."

Indicators of Compromise

First campaign (June-mid September)

MD5                               App Name               Package Name
ed63a9c22b2a6d39f11dfcee8925d306  Sicurezza Dispositivo  b4a.example

Second campaign (October)

MD5                               App Name               Package Name
8a10f6600be239a246e93cca0e7a69b0  Sicurezza Avanzata     com.voip.ffnenne

C2

URL                              Description
https[:]//bpweb-passadore[.]com  URL used to distribute the malicious app
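The indicators above are only useful once they are turned into checks. The following script is an added example, not code from the article or from Cleafy: it refangs the defanged C2 URL, then matches the published MD5 hashes and package names against an app inventory and the C2 host against web-proxy log lines. The inventory entries, log lines, timestamps and the "app.apk" path are constructed sample data; the hashes, package names and host are the ones listed in the report. A hash match is treated as conclusive, while a package-name match with a different hash is reported at lower confidence, since a rebuilt dropper keeps its name but not its hash.

```python
import re
from urllib.parse import urlparse

# Indicators of compromise as listed in the Cleafy report quoted above.
BRATA_MD5 = {
    "ed63a9c22b2a6d39f11dfcee8925d306": ("Sicurezza Dispositivo", "b4a.example"),
    "8a10f6600be239a246e93cca0e7a69b0": ("Sicurezza Avanzata", "com.voip.ffnenne"),
}
BRATA_PACKAGES = {pkg for _, pkg in BRATA_MD5.values()}
BRATA_URLS_DEFANGED = ["https[:]//bpweb-passadore[.]com"]


def refang(indicator: str) -> str:
    """Reverse the usual defanging conventions ([:], [.], (.), hxxp) so the
    indicator can be compared with real URLs."""
    s = indicator.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


# Exact hosts to look for in proxy logs (exact match, not substring, so that
# look-alike hosts such as <c2>.example.net do not produce false positives).
BRATA_C2_HOSTS = {host_of(refang(u)) for u in BRATA_URLS_DEFANGED}


def scan_app_inventory(inventory):
    """inventory: iterable of (package_name, apk_md5) pairs, e.g. from an MDM export.
    Returns one finding dict per suspicious app."""
    findings = []
    for package, md5 in inventory:
        md5 = md5.strip().lower()
        if md5 in BRATA_MD5:
            app_name, _ = BRATA_MD5[md5]
            findings.append({"package": package, "md5": md5, "confidence": "high",
                             "reason": f"MD5 matches known BRATA dropper '{app_name}'"})
        elif package in BRATA_PACKAGES:
            findings.append({"package": package, "md5": md5, "confidence": "medium",
                             "reason": "package name matches a BRATA IoC but the hash differs"})
    return findings


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def scan_proxy_log(lines):
    """Return the log lines whose request URL points at a known BRATA distribution host."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            if host_of(url) in BRATA_C2_HOSTS:
                hits.append(line.strip())
                break
    return hits


# Constructed sample data (not from the report): a small app inventory and a
# few web-proxy log lines. Only the hashes, package names and C2 host are real IoCs.
SAMPLE_INVENTORY = [
    ("com.android.chrome", "0123456789abcdef0123456789abcdef"),
    ("b4a.example", "ED63A9C22B2A6D39F11DFCEE8925D306"),        # first-campaign dropper
    ("com.voip.ffnenne", "ffffffffffffffffffffffffffffffff"),   # constructed: same name, other hash
]
SAMPLE_PROXY_LOG = [
    "2021-12-01T10:02:11Z 10.0.0.23 GET https://example.org/index.html 200",
    "2021-12-01T10:03:45Z 10.0.0.23 GET https://bpweb-passadore.com/app.apk 200",
    "2021-12-01T10:04:02Z 10.0.0.41 GET https://bpweb-passadore.com.example.net/ 404",
]

if __name__ == "__main__":
    for finding in scan_app_inventory(SAMPLE_INVENTORY):
        print("suspicious app:", finding)
    for line in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("C2 contact:", line)
```

Matching on the exact hostname rather than on a substring is deliberate: the third constructed log line contains the C2 name inside a longer host and is correctly ignored. For production use the MD5 list should be fed from a threat-intel source rather than hard-coded, and MD5 should be treated as an identifier of a known sample, not as a tamper-proof fingerprint.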

For more cyber security news in crisp content, please follow our site via our Twitter handle @cyberworkx1 and our LinkedIn handle @linkedin.
