Tuesday, March 28

BRATA malware evolves: here’s what you need to know | Digital Trends Spanish

BRATA is malware (malicious software) designed to carry out bank fraud; it was discovered in 2019 by the security company Kaspersky. The point is that it has not remained static but has evolved with the purpose of doing more damage, as the team of cybersecurity experts at Cleafy explains.

The firm indicates that it first detected a new variant of BRATA in June 2021, while another began to circulate last December. So how many versions of the malware are there, and how is it developing in terms of new targets and features?


BRATA Evolution

Photo by Jonas Leupe on Unsplash

Cleafy talks about two new waves of BRATA samples. The first began in November 2021 and the second, in mid-December of the same year.

“Attackers started delivering some new custom BRATA variants in different countries (during the second wave), particularly against UK, Polish, Italian and Latin American banking clients, although we also detected some samples containing Spanish and Chinese strings,” specifies the company.

In this sense, the firm’s experts speak of three variants of the malware at the moment: BRATA.A, BRATA.B and BRATA.C.

The first is the most widespread in recent months, and two new features stand out: GPS tracking of the victim’s device and the ability to perform a factory reset of the infected device.

BRATA.B has the same features, however, “the main differences found are the partial obfuscation of the code and the use of custom overlay pages to steal the security number (or PIN) of the target banking application,” says Cleafy.

BRATA.C consists of an initial dropper (a small malicious installer program) that later downloads and executes the actual malicious application.

BRATA Effects

Cleafy mentions a number of new features in the evolution of BRATA. The malware has its own custom methods to monitor victims’ bank accounts and the actions carried out on their mobile devices. “Attackers will gain permissions from the Accessibility Service during the installation phases in order to observe the activities carried out by the victim and use the VNC module to retrieve private information that is displayed on the device screen (such as bank account balance and transaction history).”

Regarding GPS tracking, analysts assume that the malware creators request this permission for future development, probably to target people in certain countries or to enable other takedown mechanisms.

The factory reset is executed in two cases: when a bank fraud has been successfully completed (so the victim loses more time before understanding that a malicious action occurred), and when the application detects that it is installed in a virtual environment (BRATA runs this function to avoid dynamic analysis).

Finally, the malware can use multiple communication channels (HTTP and TCP) between the device and the C2 server (the system that sends orders to infected devices) in order to maintain a persistent connection.
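The capabilities described above map onto declarations an Android app must make in its manifest: an accessibility service (to observe the screen), a device-admin receiver (required to wipe the device), and location permission for GPS tracking. The following is an added triage script, not code from Cleafy or Digital Trends, that parses a manifest and flags that combination as a review signal; the sample manifests are constructed, and the scoring thresholds are an assumption for illustration. Legitimate accessibility tools and MDM agents declare some of these items too, so the result is a prioritisation hint for an analyst, not a verdict.

```python
"""Static triage of an AndroidManifest.xml for the capability combination the
article attributes to BRATA. Added example; sample manifests are constructed."""
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; element tags do not.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr: str) -> str:
    """Return the namespaced attribute key, e.g. {ns}name."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample: accessibility service + device admin + fine location.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".ObserverService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary networked app with none of the risky items.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return which risky declarations are present and a coarse risk label."""
    root = ET.fromstring(xml_text)
    perms = {e.get(_a("name")) for e in root.iter("uses-permission")}

    findings = {
        # Accessibility service: lets an app read and act on the screen.
        "accessibility_service": any(
            s.get(_a("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
            for s in root.iter("service")
        ),
        # Device-admin receiver: prerequisite for a remote wipe / factory reset.
        "device_admin_receiver": any(
            r.get(_a("permission")) == "android.permission.BIND_DEVICE_ADMIN"
            for r in root.iter("receiver")
        ),
        # GPS-grade location, matching the tracking feature in the article.
        "fine_location": "android.permission.ACCESS_FINE_LOCATION" in perms,
        # Network access, needed for any C2 channel.
        "internet": "android.permission.INTERNET" in perms,
    }

    # Assumed thresholds: the accessibility + device-admin pairing alone is
    # enough to escalate; two or more other signals warrant a look.
    if findings["accessibility_service"] and findings["device_admin_receiver"]:
        findings["risk"] = "high"
    elif sum(findings.values()) >= 2:
        findings["risk"] = "review"
    else:
        findings["risk"] = "low"
    return findings


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

In practice the manifest is obtained from the APK (the binary XML must be decoded first, which tools such as apktool or aapt do); the parser above expects plain-text XML. Pairing this static check with runtime telemetry (an accessibility service being enabled on a device outside a managed list) gives the detection side the second signal the article's description suggests.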

Cleafy’s team believes that BRATA is trying to reach new goals and develop new features. “We were able to collect evidence and monitor how attackers are taking advantage of this banking Trojan to carry out fraud, typically through unauthorized bank transfers or instant payments, by using a vast network of mule accounts in various European countries,” they emphasize.

Thus, based on the findings of their investigations, they assert that the malware will continue to evade detection and to develop new functions.
