New version of mobile malware identified

ISH Tecnologia, through its threat intelligence team, Heimdall, presents some details about the operation of Brata RAT, a Remote Access Trojan (RAT) designed to target Android devices.

Brata RAT was identified in 2019, known as "Brazilian RAT for Android" and its purpose is to spy on infected devices, allowing the cybercriminal to monitor the screen of the victim's mobile device in real time.

To document how it works, the Brata RAT builder was analyzed; during the analysis it was found that a new version (v5) of the builder was being marketed on Telegram channels.

Marketing and new version

The new version obtained by ISH Tecnologia is being marketed through channels such as Telegram, advertised for example as "BRATA Android RAT [2023]".

Figure 1 - Announcement of the sale of Brata RAT.

The sale of this builder has been observed on several Telegram channels, which advertise a lifetime license for the tool for US$ 30 (thirty dollars), the equivalent of approximately R$ 150 (one hundred and fifty reais).

This version allows the attacker to control the infected mobile device remotely, supports Android up to version 13 and offers the following functions:

  • Anti-kill;
  • Anti-delete;
  • Real-time monitor;
  • Screen recording;
  • Obtaining the accessibility feature automatically;
  • Bypasses Google Play protection;
  • Working with the Control Screen (VNC);
  • Theft of MFA2 code from Google Authenticator;
  • Ignores the Bank Application screen;
  • Runs automatically at device startup;
  • Obtains information from the device;
  • Audio capture (microphone);
  • Keylogger;
  • Accesses the device's cameras;
  • It has the option of ransomware for the device;
  • Completely erases the device;
  • And other functions.

Figure 2 - Announcement of the sale of Brata RAT on Telegram.

It is also sold through the official Telegram channel of the tool's developer, and it was noted that at the beginning of 2023, the tool was sold for 200 dollars.

Figure 3 - Conversation related to the sale of the RAT.

In March 2023, the tool's developer announced that the source code for the Brata RAT tool would be sold for US$2,000. He also claimed that he had stopped selling the RAT and would be developing other RATs, such as Hermit Spy, assuring users that it would be similar to the Pegasus RAT.

Figure 4 - Malicious actor selling the RAT source code.

It was also possible to verify that another malicious actor had purchased a version of Brata RAT from the developer and was reselling it for a different amount; for this reason the developer described this actor as a possible counterfeiter and warned buyers to stay away from such profiles.

According to the developer, this actor is not Brazilian but Russian, and lives in Dubai.

Figure 5 - Dissatisfaction with other people making the sale.

In April, the sale of a new version, Brata RAT v5, was identified, adding iOS features and access such as:

  • SMS (sent and received);
  • Archives;
  • Screen display;
  • Microphone;
  • Change the wallpaper;
  • Access to Safari;
  • Turn on the flash light;
  • iCloud Bypass;
  • Password capture.

In addition to the iOS features, the developer announced updates to the Android version, incorporating the following functions and access:

  • Screen control;
  • Ghost mode;
  • Freeze;
  • Format;
  • Archives;
  • Location;
  • SMS;
  • Phone number;
  • Phone information;
  • Camera;
  • Opening a link;
  • Edit socket;
  • PNG exploration;
  • Contact;
  • Calls;
  • Unlock screen;
  • Permissions Manager;
  • Screen reader;
  • Auto Clicker;
  • Drawing on the screen;
  • Disable applications;
  • Microphone;
  • Forms;
  • Keyloggers;
  • Accounts;
  • Download the file;
  • Ignore black screen security;
  • All permissions are allowed automatically;
  • Apk is completely undetectable.

Figure 6 - New version of Brata RAT announced, V5.

This version of Brata RAT is being marketed at a price of US$1,000 (one thousand dollars), with payment made in the digital currency Bitcoin.

Consulting the Bitcoin wallet disclosed by the developer, several transactions can be seen.

Figure 7 - Transactions made with the BTC wallet.

At the time of writing, no transactions have been identified for the purchase of the new Brata RAT v5 version via the wallet address offered by the malicious actor.

Analysis of version 4

Next, we analyzed the version of Brata RAT that was obtained, looking at the control panel used to create new artifacts, i.e. new Android files (.apk).

The builder displays a screen where the status of infected devices can be checked, as well as an option to create new malicious files.

Figure 8 - Panel created to manage the RAT.

When the option to create a malicious file is selected, it can be seen that highly customized files can be produced: the client name, app name, package name, app version, icon and other attributes can all be set.

Figure 9 - Panel for creating new malicious payloads.

As an example, we created an application to check the effectiveness of the builder, and then analyzed the APK to see which permissions it requests.

Figure 10 - Filling in the test form for creating a malicious .apk.

Once the file has been created, all the characteristics used to create the artifact can be seen.

File name: Test.apk
Size: 0.68 MB
MD5: e2c033fc57f008c4f0600e090d36017f
SHA1: 5d88d4988bc93c2270e231c2f909d5607e144965
SHA256: 0712e7c7fe3c0692a1bd8a1926dbc1de50650966adffb091a19a49e0e4f8b04c
App Name: testtest
Package Name: Com.brata.rat
Android Version Name: 1.4.5.1
Table 1 - IoCs of the sample created for analysis by Heimdall.

The malicious functions used by this malware can also be inferred from the permissions it requests. Here is an explanation of each:

android.permission.ACCESS_COARSE_LOCATION: Allows the application to access the approximate location of the device based on nearby cell towers or Wi-Fi networks.
android.permission.ACCESS_FINE_LOCATION: Allows the application to access the precise location of the user's device, using GPS, cell tower triangulation and Wi-Fi.
android.permission.CALL_PHONE: Allows the application to make phone calls directly from the user's device, without the user having to dial the number.
android.permission.CAMERA: Allows the application to access the device camera to take photos or record videos.
android.permission.GET_ACCOUNTS: Allows the application to access the accounts registered on the user's device, including accounts from Google and other providers.
android.permission.READ_CALL_LOG: Allows the application to access the device call log, including information on incoming, outgoing and missed calls.
android.permission.READ_CONTACTS: Allows the application to access the contacts registered on the device, including names, phone numbers, e-mail addresses and other information.
android.permission.READ_EXTERNAL_STORAGE: Allows the application to read files stored on the device's external storage, such as the SD card.
android.permission.READ_PHONE_STATE: Allows the application to access information about the phone status of the device, including IMEI, phone number, network operator, type of network connection and other status information.
android.permission.READ_SMS: Allows the application to access SMS messages stored on the device.
android.permission.RECORD_AUDIO: Allows the application to record audio using the device's microphone.
android.permission.REQUEST_INSTALL_PACKAGES: Allows the application to prompt the user to install other applications.
android.permission.SYSTEM_ALERT_WINDOW: Allows the application to display floating windows over other windows or applications.
android.permission.WRITE_EXTERNAL_STORAGE: Allows the application to write data to external storage, such as an SD card, on the device.
Table 2 - Permissions requested by the application.
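The two tables above are exactly what an analyst reproduces when triaging a sample like this one: the file hashes used as indicators (Table 1) and the requested permissions read as capabilities (Table 2). The following script is an added example written for this article, not a tool from ISH Tecnologia or from the Brata RAT builder. It assumes the permission list comes from the output of `aapt dump badging <apk>` (lines of the form `uses-permission: name='...'`), computes the same three hashes as Table 1, and groups the permissions into the capability families a RAT needs. The sample `aapt` output embedded in the script is constructed for the demonstration; the package name in it is a placeholder, not the sample's.

```python
"""APK triage helper (added example, not part of the original report).

- hash_bytes(): MD5/SHA1/SHA256 of the APK bytes, the IoC format of Table 1.
- parse_aapt_permissions(): extracts uses-permission entries from
  `aapt dump badging` output (assumed input format).
- triage_permissions(): groups the permissions by the capability they
  enable, following the permissions listed in Table 2.
"""
import hashlib
import re

# Capability families: the permissions of Table 2, grouped by what an
# operator can do with them once granted.
CAPABILITY_GROUPS = {
    "surveillance": {
        "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "data_theft": {
        "android.permission.READ_SMS",
        "android.permission.READ_CONTACTS",
        "android.permission.READ_CALL_LOG",
        "android.permission.GET_ACCOUNTS",
        "android.permission.READ_PHONE_STATE",
    },
    "overlay_and_dropper": {
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.REQUEST_INSTALL_PACKAGES",
    },
    "telephony": {"android.permission.CALL_PHONE"},
    "filesystem": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
}

# Matches both "uses-permission: name='X'" and the older "uses-permission: X".
_PERM_RE = re.compile(r"uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?")


def hash_bytes(data: bytes) -> dict:
    """Return the MD5, SHA1 and SHA256 hex digests of the file contents."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_aapt_permissions(aapt_output: str) -> set:
    """Extract the set of requested permissions from aapt badging output."""
    return {m.group(1) for m in _PERM_RE.finditer(aapt_output)}


def triage_permissions(perms: set) -> dict:
    """Group requested permissions by capability and give a coarse verdict.

    The verdict is a prioritisation hint only: a legitimate messaging or
    navigation app may legitimately hit one or two groups.
    """
    hits = {group: sorted(perms & members) for group, members in CAPABILITY_GROUPS.items()}
    hits = {group: found for group, found in hits.items() if found}
    if len(hits) >= 4:
        verdict = "rat-like"
    elif hits:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return {"groups": hits, "verdict": verdict}


def triage_sample(apk_bytes: bytes, aapt_output: str) -> dict:
    """Combine hashes and permission triage into one report dictionary."""
    perms = parse_aapt_permissions(aapt_output)
    report = triage_permissions(perms)
    report["hashes"] = hash_bytes(apk_bytes)
    report["permission_count"] = len(perms)
    return report


# Constructed aapt output for the demonstration; the package name is a placeholder.
SAMPLE_AAPT_OUTPUT = """\
package: name='com.example.placeholder' versionCode='1' versionName='1.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    # Constructed placeholder bytes stand in for the real APK file contents.
    report = triage_sample(b"placeholder-apk-bytes", SAMPLE_AAPT_OUTPUT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On real input, read the APK with `open(path, "rb").read()` and pipe the `aapt dump badging` output into `parse_aapt_permissions`. The permission triage is deliberately coarse: it surfaces samples whose declared capabilities cover surveillance, data theft and overlay/installation at once, which is the combination seen in Table 2, and leaves the final judgement to dynamic analysis in a controlled environment as the report describes.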

When the artifact is run in a controlled environment, it can be seen that the application asks the user for access to various services and permissions, which must be granted by the user in order for the malicious APK to operate.

Figure 11 - Permissions requested by the RAT.

Once the user has installed the RAT, the malicious actor can extract data and store it in folders, separating it according to the infected device.

Figure 12 - Example of folders created due to remote connection.

For example, there is the log related to applications installed on the device, with a list identifying the name of the application, the type of user, App ID and installation date.

Figure 13 - Information extracted regarding the device's applications.

You can view call logs with the date, originating number and duration of the call.

Figure 14 - Information extracted about calls made on the device.

It also displays the following device information:

Figure 15 - Information collected about the device.

In addition to the above, the malicious actor is able to extract passwords stored on the device, such as Gmail passwords.

Figure 16 - Leak of application password and login data.

It can therefore be seen that Brata RAT, even in version 4, already has considerable offensive potential, as does the version 5 already announced by the developer and owner of the tool. It is of the utmost importance that users follow security principles and recommendations for their mobile devices, since criminal actors update their arsenal daily, introducing new methods of evading defenses and improving their tools' functions.

Recommendations

In addition to the indicators of compromise listed by ISH, the following measures may be adopted to mitigate infection by this malware:

  • Keep your device's software up to date: make sure that the operating system and all installed applications are always updated to the latest versions. Updates usually contain important security patches that can protect your device against malware.
  • Only use official app stores: only download apps from official app stores, such as the Google Play Store for Android devices and the App Store for iOS devices.
  • Beware of suspicious links and attachments: don't click on suspicious links or attachments in emails, text messages or social media, especially if they come from unknown senders.
  • Use reliable antivirus software: install reliable antivirus software on your mobile device. These programs can protect your device from malware, as well as help remove existing malware.
  • Disable unknown sources: on Android devices, disable the "Unknown sources" option in the settings, which prevents the installation of applications from untrusted sources.
  • Use strong and different passwords: use strong and different passwords for all your app accounts and set up screen locking on your mobile device.
  • Back up your data: regularly back up your important data so that you can recover it in the event of a malware infection or cyber attack.

References

  • Heimdall by ISH Tecnologia