According to the Italian cybersecurity firm Cleafy, “banks and financial institutions in the United Kingdom, Poland, Italy, and Latin America are among the targets. The latest configurations, found late last year, are said to be distributed through a downloader to avoid detection by security software.”
The Android malware known as BRATA has been updated with new capabilities that allow it to track device locations and even perform a factory reset in an apparent attempt to conceal fraudulent wire transfers.
Furthermore, we highlight the key indicators that help to explain the attack chain used by these TAs (threat actors):
- The malware campaign targets one of Italy’s largest retail banks, as well as other minor banks. However, we cannot rule out the possibility that other local TAs are using the same attack vector (BRATA) to carry out other malicious activities in other countries.
- Smishing and phishing attacks are used to spread malicious apps and harvest credentials.
- To infect the victims’ devices, a new version of the BRATA malware is used.
- TAs use a combination of social engineering techniques and complete control of the infected device to perform fraudulent transactions.
The researchers show that, “Once the victim installs the downloader app, it requires only one permission to download and install the malicious application from an untrusted source. When the victim clicks the install button, the downloader app sends a GET request to the C2 server in order to download the malicious .APK.”
The most recent “tailored” samples of BRATA target different countries and include an initial dropper — a security app dubbed “iSecurity” — that is undetected by virtually all malware scanning engines and is used to download and execute the actual malicious software.
Finally, the researchers concluded that “BRATA is attempting to reach out to new targets and develop new features,” adding that threat actors are leveraging this banking trojan for performing frauds, typically through unauthorised wire transfers (e.g., SEPA) or Instant Payments, using a wide network of money mule accounts in multiple European countries.
Indicators of Compromise

First campaign (June-mid September)

MD5 | App Name | Package Name |
---|---|---|
ed63a9c22b2a6d39f11dfcee8925d306 | Sicurezza Dispositivo | b4a.example |
3cd6c14061a891c4a1525ac1a4609137 | AntiSpam | com.dasjn023.dmindnasiod |

Second campaign (October)

MD5 | App Name | Package Name |
---|---|---|
8a10f6600be239a246e93cca0e7a69b0 | Sicurezza Avanzata | com.voip.ffnenne |

Network indicators

URL | Description |
---|---|
23.254.228.221:17178 | BRATA C2 |
https[:]//bpweb-passadore[.]com | URL used to distribute the malicious app |
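As an added example (not code from the article or from Cleafy), the following Python script shows how a defender can put the indicators above to work: it parses the pipe-delimited IoC table, refangs the published network indicators, and sweeps a constructed MDM-style app inventory and a few constructed egress proxy lines for hits. The MD5s, package names, C2 address and distribution domain are the page's own values; the inventory and log format, the device names and the sample records are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the write-up's IoC tables. The hashes, app names, package
# names and network indicators are the page's values; everything else is assumed.
IOC_TABLE = """
MD5 | App Name | Package Name |
---|---|---|
ed63a9c22b2a6d39f11dfcee8925d306 | Sicurezza Dispositivo | b4a.example |
3cd6c14061a891c4a1525ac1a4609137 | AntiSpam | com.dasjn023.dmindnasiod |
8a10f6600be239a246e93cca0e7a69b0 | Sicurezza Avanzata | com.voip.ffnenne |
"""

# Network indicators exactly as published (defanged); refanged before matching.
NETWORK_IOCS = {
    "23.254.228.221:17178": "BRATA C2",
    "https[:]//bpweb-passadore[.]com": "URL used to distribute the malicious app",
}


def refang(indicator: str) -> str:
    """Undo the common defanging conventions ([.] and [:]) used in IoC lists."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def parse_ioc_table(text: str) -> List[Dict[str, str]]:
    """Parse a pipe-delimited 'MD5 | App Name | Package Name' table into records."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        if cells[0].lower() == "md5" or set(cells[0]) <= set("-"):
            continue  # header row or '---' separator row
        rows.append({"md5": cells[0].lower(), "app_name": cells[1], "package": cells[2]})
    return rows


def scan_inventory(inventory, iocs) -> List[Tuple[str, str, str]]:
    """Flag installed apps by APK hash first (survives repackaging under a new
    package name), then by package name. Returns (device, match_type, indicator)."""
    by_md5 = {r["md5"]: r for r in iocs}
    by_pkg = {r["package"]: r for r in iocs}
    findings = []
    for app in inventory:
        md5 = app["md5"].lower()  # hash case varies between tools; normalise
        if md5 in by_md5:
            findings.append((app["device"], "apk_md5", md5))
        elif app["package"] in by_pkg:
            findings.append((app["device"], "package_name", app["package"]))
    return findings


def scan_proxy_log(lines, network_iocs) -> List[Tuple[str, str, str]]:
    """Match refanged network indicators against egress log lines. Substring
    matching is deliberate: it catches both CONNECT host:port records and full
    URLs without a per-format parser. Returns (device, description, indicator)."""
    findings = []
    for line in lines:
        for raw, description in network_iocs.items():
            # drop the scheme so the domain matches under http:// as well as https://
            needle = re.sub(r"^https?://", "", refang(raw))
            if needle in line:
                device = line.split()[1]  # constructed format: <ts> <device> <verb> <target>
                findings.append((device, description, needle))
    return findings


# Constructed sample data (not from the page). dev-003 carries a known APK hash
# under a renamed package, which only the hash-based check catches.
SAMPLE_INVENTORY = [
    {"device": "dev-001", "package": "com.android.chrome", "md5": "0" * 32},
    {"device": "dev-002", "package": "com.voip.ffnenne", "md5": "8a10f6600be239a246e93cca0e7a69b0"},
    {"device": "dev-003", "package": "com.example.renamed", "md5": "ED63A9C22B2A6D39F11DFCEE8925D306"},
    {"device": "dev-005", "package": "com.dasjn023.dmindnasiod", "md5": "f" * 32},
]
SAMPLE_PROXY_LOG = [
    "2021-12-01T10:00:01Z dev-002 CONNECT 23.254.228.221:17178",
    "2021-12-01T10:00:05Z dev-004 GET https://bpweb-passadore.com/app.apk",
    "2021-12-01T10:01:00Z dev-001 GET https://example.com/",
]


def run_scan():
    """Run both sweeps over the constructed data; returns (app_hits, net_hits)."""
    iocs = parse_ioc_table(IOC_TABLE)
    return scan_inventory(SAMPLE_INVENTORY, iocs), scan_proxy_log(SAMPLE_PROXY_LOG, NETWORK_IOCS)


if __name__ == "__main__":
    app_hits, net_hits = run_scan()
    for hit in app_hits + net_hits:
        print(hit)
```

The hash check runs before the package-name check on purpose: a dropper like the “iSecurity” app described above can be republished under any package name, but an unchanged APK keeps its hash, so dev-003 is still flagged even though its package name matches nothing in the table. Matching on a fixed MD5 is weak against recompiled samples, so this sweep is a triage aid for the campaign's published samples, not a substitute for behavioural detection.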