According to reports from the Italian cybersecurity company Cleafy, the modus operandi of BRATA (an acronym for "Brazilian Remote Access Tool Android") now fits an APT activity model, where APT stands for "Advanced Persistent Threat". The term describes an attack campaign in which cybercriminals establish a long-term presence on a targeted network in order to steal sensitive information.
First spotted in the "distant" 2018, the BRATA malware has evolved over time and returned on multiple occasions, changing its attack methods and improving into what it is now: a dangerous threat to accounts and to banking and financial apps. The attack targets one app at a time, using malicious apps that impersonate the login page to steal credentials (much like a classic phishing attack), access SMS messages, and sideload a payload ("Unrar.jar") from a remote server to log events.
The ability to obtain both credentials and SMS messages makes it particularly treacherous, since it would allow the malware to bypass even two-factor authentication. Furthermore, Cleafy reports having found a sample of a separate package ("SMSAppSicura.apk") that uses the same command and control infrastructure to steal SMS messages and serves the same purpose: "cheating" 2FA authentication. As you can see from the screenshots, the latter is also widespread in Italy.
The first campaigns were distributed through fake antivirus apps or other common malicious apps, whereas the BRATA malware has now evolved to target the customers of specific Italian banks, and to do so more efficiently. This type of APT attack focuses on one bank or financial institution for a few months, then moves on to the next: this is the most recent trend, and one that needs close attention.
Written by Matteo with love from Italy