DatzbRат Hiding Behind Senior Travel Scams

MITRE Techniques

• [T1406] Accessibility Features – Datzbro abuses Android Accessibility Services to perform remote actions and interact with UI elements on behalf of operators: ‘Each action corresponds to a single gesture or global function (such as simulating Home or Back button clicks).’
• [T1204] User Execution – Victims are lured to install malicious APKs via social-engineered Facebook groups and messaging: ‘fraudsters then contacted victims via Messenger or WhatsApp and shared links to download an application to register for the activities.’
• [T1525] Data from Local System – Datzbro exfiltrates files, photos, and other local data via file and photo management commands: ‘Photo Stealer (list albums, upload photos, delete photos)’
• [T1436] Screen Capture – The malware supports screen streaming and “schematic” remote control sending UI element data to operators: ‘Start / stop remote screen sharing’ and ‘schematic mode… Sending information about all the elements displayed on the screen, its position and content.’
• [T1056] Input Capture (Keylogging) – Datzbro records keystrokes and accessibility events for credential theft and banking targets: ‘With the help of keylogging capabilities Datzbro can successfully capture login credentials for mobile banking applications entered by unsuspecting victims.’
• [T1496] Overlay – Uses semi-transparent black overlays to hide fraudulent activity and prompt fake credential activities: ‘Black overlay… helps operator to hide their activity from a victim’ and ‘activities will request user to enter their PIN codes.’
• [T1112] Modify Registry/Service (C2 Application) – C2 is implemented as a leaked desktop application allowing operator control and configuration updates: ‘Datzbro command and control panel is a desktop application… a compiled version of the C2 app leaked to public virus share.’