Openhunting Threat Library

Brata

Brata, AmexTroll
(Type: Banking trojan, Info stealer, Credential stealer)

(Cleafy) The attack chain usually starts with a fake SMS containing a link to a website. The SMS seems to come from the bank (the so-called spoofing scam), and it tries to convince the victim to download an anti-spam app, with the promise to be contacted soon by a bank operator.

[News Analysis] Trends:

Total Trend: 0

Trend Per Year


Trend Per Month



[News Analysis] News Mention Another Threat Name:



[TTP Analysis] Technique Performance:

reconnaissance
0/43
resource development
0/45
initial access
0/19
execution
1/36
persistence
1/113
privilege escalation
1/96
defense evasion
0/184
credential access
0/63
discovery
0/44
lateral movement
0/22
collection
0/37
command and control
0/39
exfiltration
0/18
impact
0/26


[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1053.002
Scheduled Task/job : At
T1053.002
Scheduled Task/job : At
T1053.002
Scheduled Task/job : At


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
192.227.134.72:4432022-08-14
Domain Timestamp
nazi-ziba.tk2022-08-14
new-acc.cf2022-08-14
new-acc.ga2022-08-14
publiveum.ga2022-08-14
publiveum.gq2022-08-14
publiveum.ml2022-08-16
sahaamdar.tk2022-08-14
saham-daraen.tk2022-08-14
saham-edalat-t.tk2022-08-14
samaneha-sahaeam.tk2022-08-14
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

Basic Information (Credit @etda.or.th)

Tool: Brata

Names: Brata, AmexTroll

Description: (Cleafy) The attack chain usually starts with a fake SMS containing a link to a website. The SMS seems to come from the bank (the so-called spoofing scam), and it tries to convince the victim to download an anti-spam app, with the promise to be contacted soon by a bank operator.

Category: Malware

Type: Banking trojan, Info stealer, Credential stealer

Information: https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again

Information: https://securelist.com/spying-android-rat-from-brazil-brata/92775/

Information: https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account

Information: https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata

Last-card-change: 2022-12-28

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

Indicators of Compromise (Credit @ThreatFox)

IP:PORT
  • 192.227.134.72:443
DOMAIN
  • nazi-ziba.tk
  • new-acc.cf
  • new-acc.ga
  • publiveum.ga
  • publiveum.gq
  • publiveum.ml
  • sahaamdar.tk
  • saham-daraen.tk
  • saham-edalat-t.tk
  • samaneha-sahaeam.tk
  • umlive.gq
  • umlive.ml
  • wuiwidudiei.tk
  • drsazihstdie.tk
  • eblagh-markaz.tk
  • edalatum.gq
  • edalatum.tk
  • kisiremot.ga
  • kisiremot.ml
  • kisiremot.tk
  • kospedarpari.gq
  • liveum.ga
  • medive.ga
  • myumlive.cf
  • myumlive.ml

TTP Info (Credit @Mitre)

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1053.002
SCHEDULED TASK/JOB : AT
at can be used to schedule a task on a system to be executed at a specific date or time.
T1053.002
SCHEDULED TASK/JOB : AT
at can be used to schedule a task on a system to be executed at a specific date or time.
T1053.002
SCHEDULED TASK/JOB : AT
at can be used to schedule a task on a system to be executed at a specific date or time.