In the past year, we observed on the Cleafy platform a spike in Android RAT infections, driven by the growing use of Android banking trojans to perform fraudulent activities, usually combined with smishing and social engineering attack patterns. At the same time, we noticed a decrease in SIM swap attacks, possibly because they are less scalable than the widely used malware-as-a-service (MaaS) pattern.
What makes Android RATs so interesting for attackers is their capability to operate directly on the victim's device instead of using a new one. By doing so, Threat Actors (TAs) can drastically reduce the chance of being flagged as suspicious, since the device's fingerprint is already known to the bank.
In this report, we analyze the attack chain and the modus operandi used by the Threat Actors, from the sending of the malicious SMS to the fraudulent transaction carried out through an app installed on the infected device.
Moreover, we highlight the main indicators to explain the attack chain used by these TAs:
At the end of June 2021, the Cleafy Threat Intelligence and Incident Response team intercepted for the first time a new aggressive smishing campaign that was delivering multiple fake applications called “Sicurezza Dispositivo” (or “AntiSPAM”). The campaign targeted the customers of one of the biggest Italian retail banks.
After the first wave, which lasted from June to mid-September, the attack stopped for about a month. In mid-October, our TIR team discovered that new samples called “Sicurezza Avanzata” were again in action, targeting mainly the customers of three Italian banks. This time the malware was almost undetectable by antivirus solutions (as shown in Figure 3).
In June 2021, we detected for the first time on Cleafy’s dashboards a new variant of the BRATA malware. After a couple of weeks, a customer reported to us some incidents related to the same campaign.
Thanks to an in-depth technical analysis of the intercepted Indicators of Compromise, we were able to reconstruct the detailed chain of events and the methodologies used by these Threat Actors to conduct bank fraud.
The attack chain usually starts with a fake SMS containing a link to a website. The SMS appears to come from the bank (the so-called spoofing scam), and it tries to convince the victim to download an anti-spam app, with the promise of being contacted soon by a bank operator.
In some cases, the link redirects the victim to a phishing page that looks like the bank’s, and it is used to steal credentials and other relevant information (e.g. fiscal code and security questions).
After the victim visits the website (only visible from a mobile device[1]) and downloads the malicious app, a fraud operator calls the victim and uses social engineering techniques to persuade them to install it.
During the installation phase of the malware (Figure 9), multiple permissions are requested to allow the attackers to perform fraudulent activities.
Once the malicious app is installed, the fraud operators can take control of the victim's infected device by abusing the Accessibility Service, the SMS permission, and the recording/casting module of the malware.
Through the malware installed on the victim's device, Threat Actors can receive on their server the 2FA code sent by the bank and perform fraudulent transactions. Moreover, as we have also observed in other scenarios, by abusing the Accessibility Service and screen recording, TAs can perform actions on the infected device, with the help of social engineering to persuade the victim.
As shown in Figure 11, we also intercepted multiple PIN/OTP validation attempts using codes stolen by the TAs through the malicious app (or the phishing website). This specific pattern was also observed in past campaigns of mobile and workstation malware.
The mule accounts used in the BRATA malware campaign mainly come from Italy, as well as from Lithuania and the Netherlands, as shown in Figure 12. From this information, we assume that the TAs behind these campaigns could be based in European countries, unlike the previous BRATA malware campaign observed in Brazil in 2019.
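The three capabilities just described (an Accessibility Service, SMS access and a screen-casting service) are all visible in an app's manifest before the app ever runs. As an added example (not code from the Cleafy report or from the BRATA samples), the following Python script performs a static triage of a decoded AndroidManifest.xml and flags when all three are declared together. The two manifests embedded in the script are constructed samples; package and class names are placeholders.

```python
"""Static manifest triage for the Accessibility + SMS + screen-capture combination.

Added example (not from the report or the malware); the manifests below are
constructed samples with placeholder package and class names.
"""
import xml.etree.ElementTree as ET

# Attributes in a manifest live in the android: namespace; element names do not.
ANDROID = "{http://schemas.android.com/apk/res/android}"

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
# Android 14+ requires this permission for a mediaProjection foreground service.
MEDIA_PROJECTION_PERMISSION = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"


def triage_manifest(manifest_xml: str) -> dict:
    """Return which of the three RAT-enabling capabilities the manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID + "name", "") for el in root.iter("uses-permission")}

    findings = {
        "sms": bool(requested & SMS_PERMISSIONS),
        "accessibility": False,
        "screen_capture": MEDIA_PROJECTION_PERMISSION in requested,
    }
    for svc in root.iter("service"):
        # The system binds an Accessibility Service through this permission/action pair.
        if svc.get(ANDROID + "permission") == ACCESSIBILITY_BIND:
            findings["accessibility"] = True
        if any(a.get(ANDROID + "name") == ACCESSIBILITY_ACTION for a in svc.iter("action")):
            findings["accessibility"] = True
        # On Android 10+, screen casting runs as a mediaProjection foreground service.
        if "mediaProjection" in svc.get(ANDROID + "foregroundServiceType", ""):
            findings["screen_capture"] = True

    findings["rat_profile"] = all(findings[k] for k in ("sms", "accessibility", "screen_capture"))
    findings["requested_permissions"] = sorted(requested)
    return findings


# Constructed sample: the capability mix described for the fake "security" app.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.security">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Sicurezza Dispositivo">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".CastService"
            android:foregroundServiceType="mediaProjection"/>
    </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

The manifest inside a real APK is stored as binary AXML, so decode it first (for example with apktool or androguard) and feed the resulting text to `triage_manifest`. A positive `rat_profile` is a triage signal, not a verdict: legitimate remote-support and accessibility apps declare some of these capabilities, but a self-styled "security" app requested via SMS that declares all three warrants a closer look.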
[1] TAs used a legitimate open source project (https://github.com/serbanghita/Mobile-Detect) to detect whether the website is opened from a mobile phone or a PC.
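Because Mobile-Detect classifies the client from the User-Agent header alone, an analyst can reveal a mobile-only landing page simply by fetching it twice with different User-Agents. The following Python script is an added analyst-side example (not code from the report or from the Mobile-Detect project): it compares the desktop and mobile views of a URL and reports whether they differ and whether the mobile view links to an APK. The fetcher is injectable so the script runs offline against constructed canned responses; the URL and the sample HTML are placeholders.

```python
"""Compare the desktop and mobile views of a suspected smishing landing page.

Added analyst-side example, not code from the report or from Mobile-Detect.
The URL and the canned responses are constructed placeholders.
"""
import hashlib
import re
import urllib.error
import urllib.request
from typing import Callable, Tuple

# Representative User-Agent strings; Mobile-Detect and similar libraries
# classify the client from this header alone.
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/96.0.4664.104 Mobile Safari/537.36")

# Any href/src attribute pointing at an .apk file.
APK_LINK = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+\.apk)["']""", re.IGNORECASE)

Fetcher = Callable[[str, str], Tuple[int, bytes]]


def http_fetch(url: str, user_agent: str) -> Tuple[int, bytes]:
    """Live fetcher: GET the URL with the given User-Agent and return (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # A 404 for desktop clients is itself a useful signal, so keep it.
        return err.code, err.read()


def compare_views(url: str, fetch: Fetcher = http_fetch) -> dict:
    """Fetch the page as desktop and as mobile and summarize the differences."""
    d_status, d_body = fetch(url, DESKTOP_UA)
    m_status, m_body = fetch(url, MOBILE_UA)
    d_hash = hashlib.sha256(d_body).hexdigest()
    m_hash = hashlib.sha256(m_body).hexdigest()
    # Different status or content across User-Agents means the page is cloaked.
    cloaked = d_status != m_status or d_hash != m_hash
    apk_links = APK_LINK.findall(m_body.decode("utf-8", errors="replace"))
    return {
        "desktop": {"status": d_status, "bytes": len(d_body), "sha256": d_hash},
        "mobile": {"status": m_status, "bytes": len(m_body), "sha256": m_hash},
        "cloaked": cloaked,
        "apk_links": apk_links,
        # A cloaked page that hands an APK to mobile clients matches the smishing pattern.
        "mobile_only_apk_delivery": cloaked and bool(apk_links),
    }


# Constructed canned responses standing in for a live server, for offline use.
CANNED = {
    DESKTOP_UA: (404, b"<html><body>Not Found</body></html>"),
    MOBILE_UA: (200, b"<html><body><h1>Sicurezza Dispositivo</h1>"
                     b'<a href="/download/app.apk">Scarica</a></body></html>'),
}


def canned_fetch(url: str, user_agent: str) -> Tuple[int, bytes]:
    """Offline fetcher that answers from CANNED regardless of the URL."""
    return CANNED[user_agent]


if __name__ == "__main__":
    print(compare_views("https://example.invalid/landing", fetch=canned_fetch))
```

With the default `http_fetch`, run the script from an isolated analysis host, since the request reaches the attacker's server; the returned hashes and APK links can go straight into the incident's indicator list.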
By analyzing the code of the malicious apps, it was possible to trace the threat back to the BRATA malware, a Brazilian malware discovered in 2019. However, these new samples present multiple differences compared to the previous ones.
Several Portuguese (Brazilian) log strings are embedded in the malicious app, while the app itself is shown to the victim in Italian. Our assumption is that the group responsible for maintaining the BRATA codebase, probably located in the LATAM area, is reselling this malware to other local groups. As a result, this threat is gradually expanding across several European countries.
Like other Android bankers that previously appeared online (e.g., Teabot[2], Alien, Oscorp[3]), this version of BRATA has RAT capabilities. The main difference lies in the implementation used to develop the malware: TAs used the B4A framework[4], already used in 2019 by another Brazilian banker called BasBanker. One of the reasons behind this choice is the possibility of importing modules already designed by other developers, which may allow the TAs to speed up the implementation of new features or of the malware itself.
The main functionalities of this new version of BRATA are not very different from those of other “famous” banking trojans:
[2] https://www.cleafy.com/cleafy-labs/teabot
[3] https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution
[4] https://www.b4x.com/b4a.html
The Android Banking Trojan BRATA is already classified and blacklisted in our Threat Intelligence data with the following tags:
First campaign (June-mid September)
Second campaign (October)