How BRATA is monitoring your bank account | Cleafy Labs

Keypoints

• BRATA has added capabilities such as device factory reset, GPS tracking, multi-channel C2 (HTTP and TCP), and continuous monitoring via VNC and keylogging.
• A new BRATA variant started circulating last December and is distributed through a downloader to evade antivirus detection. ‘The target list now contains further banks and financial institutions in the UK (new), Poland (new), Italy, and LATAM.’
• BRATA.A is the most used variant, with BRATA.B introducing overlay pages to steal PINs and partial code obfuscation; BRATA.C uses a downloader/dropper architecture. ‘BRATA.B has almost the same capabilities… the main differences found are the partial obfuscation of the code and the use of tailored overlay pages used to steal the security number (or PIN) of the targeted banking application.’ ‘BRATA.C is composed of an initial dropper used to download and execute the “real” malicious app later.’
• BRATA monitors bank apps via Accessibility Service and can capture the screen and keystrokes; ‘BRATA starts to take screenshots of the victim’s device’ and ‘BRATA.B monitors all users’ keystrokes when visiting the targeted bank application.’
• GPS permission appears in the manifest, but the feature may be under development or unused; ‘no evidence in the code is actually used’ for GPS in BRATA.
• The malware switches communication channels from HTTP to WebSockets to minimize latency and data loads, aiding stealthy C2 communication. ‘the first communications are made by the application towards the C2 through the HTTP protocol, and then, if the server is online, it is forced to switch the connection towards the WebSocket protocol.’
• BRATA implements anti-analysis and defense evasion, including removing antivirus apps and using a downloader to avoid detection. ‘BRATA… removes antivirus apps installed on the infected device’ and ‘downloader to avoid being detected by antivirus solutions.’