December 3, 2023

Researchers have spotted the BRATA malware targeting a specific financial institution, its operators modified the attack chain customizing the malware to hit a specific target at a time, moving to a different bank after the victim begins implementing countermeasures.

The name BRAT comes from ‘Brazilian RAT Android,’ because at the time it was used to spy on Brazilian users.

Threat actors are modifying their code to tailor their malware on specific banking institutions. This code refractory is doing small changes compared to old versions of BRATA, as there are a bunch of classes that have been added for very specific purposes.


Last month, a new variant has been observed targeting entities in EU territory posing as specific bank applications. The new variants include new features that are used to impersonate the login page of the target financial institution to harvest credentials, access SMS messages, acquire GPS, and sideload a second-stage payload from a C2 server to log events.

The current version of the BRATA Android malware has introduced two new permissions inside the AndroidManifest file, the RECEIVE_SMS and SEND_SMS. These two permissions allow the operators to receive and read the victim’s sms while performing a phishing attack and takeover the victims’ account.

Researchers noticed the use of a specific package to siphon SMS messages, a circumstance that suggests that the BRATA operators are performing some test to improve their stealing capabilities.

This malicious app was developed to target users from Italy, Spain, and the UK. Once installed, the pattern of the attack is like other SMS stealers. This consists in the malicious app asking the user to change the default messaging app with the malicious one to intercept all incoming messages, typically used by banks in PSD2 area for sending authorization codes (2FA/OTP).

The first campaigns of malware initially in Italy in 2019 were distributed through fake antivirus or other common apps, while during the campaigns the malware is taking the turn of an APT attack against the customer of a specific Italian bank.

They usually focus on delivering malicious applications targeted to a specific bank for a couple of months, and then moving to another target.


This research was performed and documented by Cleafy labs

Indicators of Compromise

  • 1ae5fcbbd3d0e13192600ef05ba5640d
  • 69d3ce972e66635b238dc17e632474ec
  • 51[.]83[.]251[.]214
  • 51[.]83[.]225[.]224

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: