S1094 BRATA
BRATA (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.312
| Item | Value |
|---|---|
| ID | S1094 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 18 December 2023 |
| Last Modified | 17 April 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | BRATA can use both HTTP and WebSockets to communicate with the C2 server.1 |
| mobile | T1532 | Archive Collected Data | BRATA has compressed data with the zlib library before exfiltration.1 |
| mobile | T1616 | Call Control | BRATA can hide incoming calls by setting ring volume to 0 and showing a blank screen overlay.2 |
| mobile | T1662 | Data Destruction | BRATA can perform a factory reset.1 |
| mobile | T1533 | Data from Local System | BRATA has collected account information from compromised devices.3 |
| mobile | T1641 | Data Manipulation | - |
| mobile | T1641.001 | Transmitted Data Manipulation | BRATA has injected string contents into the device clipboard.2 |
| mobile | T1407 | Download New Code at Runtime | BRATA has used an initial dropper to download an additional malicious application, and downloads its configuration file from the C2 server.12 |
| mobile | T1627 | Execution Guardrails | - |
| mobile | T1627.001 | Geofencing | BRATA has performed country and language checks.2 |
| mobile | T1646 | Exfiltration Over C2 Channel | BRATA has exfiltrated data to the C2 server using HTTP requests.1 |
| mobile | T1664 | Exploitation for Initial Access | BRATA has abused WhatsApp vulnerability CVE-2019-3568 to achieve initial access.3 |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.002 | User Evasion | BRATA can turn off or fake turning off the screen while performing malicious activities.3 |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.003 | Disable or Modify Tools | BRATA can remove installed antivirus applications as well as disable Google Play Protect.12 |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.001 | Uninstall Malicious Application | BRATA can uninstall itself and remove traces of infection.32 |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | BRATA can log device keystrokes.312 |
| mobile | T1417.002 | GUI Input Capture | BRATA can use tailored overlay pages to steal PINs for banking applications.1 |
| mobile | T1516 | Input Injection | BRATA can insert a given string of text into a data field. BRATA can abuse the Accessibility Service to interact with other installed applications and inject screen taps to grant permissions.32 |
| mobile | T1430 | Location Tracking | BRATA can track the device’s location.1 |
| mobile | T1461 | Lockscreen Bypass | BRATA can request the user unlock the device, or remotely unlock the device.3 |
| mobile | T1655 | Masquerading | - |
| mobile | T1655.001 | Match Legitimate Name or Location | BRATA has masqueraded as legitimate WhatsApp updates and app security scanners.32 |
| mobile | T1406 | Obfuscated Files or Information | BRATA has employed code obfuscation and encryption of configuration files.12 |
| mobile | T1406.002 | Software Packing | BRATA has utilized commercial software packers.2 |
| mobile | T1660 | Phishing | BRATA has been distributed using phishing techniques, such as push notifications from compromised websites.3 |
| mobile | T1663 | Remote Access Software | BRATA can view a device through VNC.1 |
| mobile | T1513 | Screen Capture | BRATA can capture and send real-time screen output.32 |
| mobile | T1418 | Software Discovery | - |
| mobile | T1418.001 | Security Software Discovery | BRATA can search for specifically installed security applications.1 |
| mobile | T1426 | System Information Discovery | BRATA can retrieve Android system and hardware information.3 |
| mobile | T1633 | Virtualization/Sandbox Evasion | - |
| mobile | T1633.001 | System Checks | BRATA can check to see if it has been installed in a virtual environment.2 |
References
-
Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023. ↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023. ↩↩↩↩↩↩↩↩↩↩↩↩