The spyware has been used to target people in Italy, Kazakhstan, and Syria, researchers at Google and Lookout have found.

In hearings this week, the notorious spyware vendor NSO group told European legislators that at least five EU countries have used its powerful Pegasus surveillance malware. But as ever more comes to light about the reality of how NSO's products have been abused around the world, researchers are also working to raise awareness that the surveillance-for-hire industry goes far beyond one company. On Thursday, Google's Threat Analysis Group and Project Zero vulnerability analysis team published findings about the iOS version of a spyware product attributed to the Italian developer RCS Labs.

Google researchers say they detected victims of the spyware in Italy and Kazakhstan on both Android and iOS devices. Last week, the security firm Lookout published findings about the Android version of the spyware, which it calls “Hermit” and also attributes to RCS Labs. Lookout notes that Italian officials used a version of the spyware during a 2019 anti-corruption probe. In addition to victims located in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity used the spyware for targeting in northeastern Syria.

“Google has been tracking the activities of commercial spyware vendors for years, and in that time we have seen the industry rapidly expand from a few vendors to an entire ecosystem,” TAG security engineer Clement Lecigne tells WIRED. “These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. But there is little or no transparency into this industry, that's why it's critical to share information about these vendors and their capabilities.”

TAG says it currently tracks more than 30 spyware makers that offer an array of technical capabilities and levels of sophistication to government-backed clients.

In their analysis of the iOS version, Google researchers found that attackers distributed the iOS spyware using a fake app meant to look like the My Vodafone app from the popular international mobile carrier. In both Android and iOS attacks, attackers may have simply tricked targets into downloading what appeared to be a messaging app by distributing a malicious link for victims to click. But in some particularly dramatic cases of iOS targeting, Google found that attackers may have been working with local ISPs to cut off a specific user's mobile data connection, send them a malicious download link over SMS, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their cell service.

Attackers were able to distribute the malicious app because RCS Labs had registered with Apple's Enterprise Developer Program, apparently through a shell company called 3-1 Mobile SRL, to obtain a certificate that allows them to sideload apps without going through Apple's typical AppStore review process.

Apple tells WIRED that all of the known accounts and certificates associated with the spyware campaign have been revoked. 

“Enterprise certificates are meant only for internal use by a company, and are not intended for general app distribution, as they can be used to circumvent App Store and iOS protections,” the company wrote in an October report about sideloading. “Despite the program’s tight controls and limited scale, bad actors have found unauthorized ways of accessing it, for instance by purchasing enterprise certificates on the black market.”

Project Zero member Ian Beer conducted a technical analysis of the exploits used in the RCS Labs iOS malware. He notes that the spyware uses a total of six exploits to gain access to surveil a victim's device. While five are known and publicly circulating exploits for older iOS versions, the sixth was an unknown vulnerability at the time it was discovered. (Apple patched that vulnerability in December.) That exploit took advantage of structural changes in how data flows across Apple's new generations of “coprocessors” as the company, and the industry overall, moves toward the all-in-one “system-on-a-chip” design.

The exploit isn't unprecedented in its sophistication, but Google researchers note that the RCS Labs spyware reflects a broader trend in which the surveillance-for-hire industry combines existing hacking techniques and exploits with more novel elements to gain the upper hand. 

“The commercial surveillance industry benefits from and reuses research from the jailbreaking community. In this case, three out of six of the exploits are from public jailbreak exploits,” TAG member Benoit Sevens says. “We also see other surveillance vendors reusing techniques and infection vectors initially used and discovered by cyber crime groups. And like other attackers, surveillance vendors are not only using sophisticated exploits but are using social engineering attacks to lure their victims in.”

The research shows that while not all actors are as successful or well known as a company like NSO Group, many small and midsize players together in a burgeoning industry are creating real risk for internet users worldwide.

Google Warns of New Spyware Targeting iOS and Android Users

To prevent these attacks, businesses must have complete visibility into, and access and management over, disparate devices.

Most of the news about Internet of Things (IoT) attacks has been focused on botnets and cryptomining malware. However, these devices also offer an ideal target for staging more damaging attacks from inside a victim's network, similar to the methodology used by UNC3524. Described in a Mandiant report, UNC3524 is a clever new tactic that exploits the insecurity of network, IoT, and operational technology (OT) devices to achieve long-term persistence inside a network. This type of advanced persistent threat (APT) is likely to increase in the near future, so it's important for companies to understand the risks.

**A Critical Blind Spot**

Purpose-built IoT and OT devices that are network-connected and disallow the installation of endpoint security software can be easily compromised and used for a wide variety of malicious purposes.

One reason is that these devices are not monitored as closely as traditional IT devices. My company has found that more than 80% of organizations can't identify the majority of IoT and OT devices in their networks. There is also confusion about who is responsible for managing them. Is it IT, IT security, network operations, facilities, physical security, or a device vendor?

Consequently, unmanaged devices regularly have high- and critical-level vulnerabilities and lack firmware updates, hardening, and certificate validation. My company has analyzed millions of IoT, OT, and network devices that are deployed in large organizations, and we've found that 70% have vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 8 to 10. Further, we found, 50% use default passwords, and 25% are at end of life and no longer supported.

**Compromising and Maintaining Persistence on IoT, OT & Network Devices**

Taken collectively, all of these issues play directly into the hands of attackers. Because network, IoT, and OT devices don't support agent-based security software, attackers can install specially compiled malicious tools, modify accounts, and turn on services within these devices without being detected. They can then maintain persistence because vulnerabilities and credentials aren't being managed and firmware isn't being updated.

**Staging Attacks Within the Victim Environment**

Due to the low security and visibility of these devices, they are an ideal environment for staging secondary attacks on more valuable targets inside the victim's network.

To do this, an attacker will first get into the company's network through traditional approaches like phishing. Attackers can also gain access by targeting an Internet-facing IoT device such as a VoIP phone, smart printer, or camera system, or an OT system such as a building access control system. Since most of these devices use default passwords, this type of breach is often trivial to achieve.

Once on the network, the attacker will move laterally and stealthily to seek out other vulnerable, unmanaged IoT, OT, and network devices. Once those devices have been compromised, the attacker just needs to establish a communication tunnel between the compromised device and the attacker's environment at a remote location. In the case of UNC3524, attackers used a specialized version of Dropbear, which provides a client-server SSH tunnel and is compiled to operate on the Linux, Android, or BSD variants that are common on those devices.

At this point, the attacker can remotely control victim devices to go after IT, cloud, or other IoT, OT, and network device assets. The attacker will likely use ordinary, expected network communication such as API calls and device management protocols to avoid detection.

**Surviving Incident Response**

The same problems that make network, IoT, and OT devices an ideal place for staging secondary attacks also make them well-suited for surviving incident response efforts.

One of the main value propositions of IoT, in particular, for sophisticated adversaries is that the model significantly complicates incident response and remediation. It's very difficult to completely kill off attackers if they have established persistence on just one of the hundreds or thousands of vulnerable, unmanaged devices that reside in most business networks — even if the attacker's malware and toolkits are completely removed from the company's IT network, command-and-control channels are disrupted, software versions are updated to eliminate previously exploitable vulnerabilities, and individual endpoints are physically replaced.

**How to Reduce Corporate Risk**

The only way for businesses to prevent these attacks is to have complete visibility into, and access and management over, their disparate IoT, OT, and network devices.

The good news is that security at the device level is simple to achieve. While new vulnerabilities will constantly emerge, most of these security issues can be addressed through password, credential, and firmware management, as well as through basic device hardening. With that said, companies with large numbers of devices will be challenged to secure them manually, so companies should consider investing in automated solutions.

The first step companies should take is to create an inventory of all purpose-built devices and identify vulnerabilities. Next, companies should remediate risks at scale related to weak passwords, outdated firmware, extraneous services, expired certificates, and high- to critical-level vulnerabilities. Finally, organizations must continuously monitor these devices for environmental drift to ensure that what's fixed stays fixed.

These are the same basic steps companies follow for traditional IT assets. It's time to show the same level of care to IoT, OT, and network devices.

How APTs Are Achieving Persistence Through IoT, OT, and Network Devices

By Deeba Ahmed
The vulnerability existed in Jacuzzi Brand LLC’s SmartTub app web interface that could reveal users’ private data to…
This is a post from HackRead.com Read the original post: Flaws in Smart Jacuzzi App Could Be Exploited To Extract Users’ Data

****The vulnerability existed in Jacuzzi Brand LLC’s SmartTub app web interface that could reveal users’ private data to remote malicious attackers.****

Researchers have identified vulnerabilities in Jacuzzi Brand LLC’s SmartTub app web interface that can reveal private data to attackers.

Security researcher and ethical hacker Eaton Zveare (EatonWorks) has identified a security flaw in the SmartTub feature of the app used in the hot tubs manufactured by the world-renowned Jacuzzi Brand.

The flaw exists in the app’s web interface, and as per the researcher, it allows a threat actor to view and abuse the personal data of hot tub users. The issue has been patched now, but Zveare claims he wasn’t notified about the fixes. Moreover, he stated that Jacuzzi didn’t reply to his emails.

**About the SmartTub App**

SmartTub is a Jacuzzi app available for iOS and Android systems. It has a SmartTub feature that users can use to connect to the tub via a module remotely and receive status updates or accepts users’ commands for various tasks. Such as, it can automatically set the water temperature, turn on lights and water jet, etc. It isn’t clear whether the vulnerability impacted these functions.

**Attack Scenario Explained**

According to a blog post, Zveare first accessed the Smarttub.io app’s admin panel using the wrong credentials, which were initially not accepted. He was then redirected to a display page where he could view data from multiple Jacuzzi brands in the US and elsewhere.

> “Right before that message appeared, I saw a header and table briefly flash on my screen. Blink and you’d miss it. I had to use a screen recorder to capture it. I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the US.”
> 
> Eaton Zveare

Furthermore, the app’s single-page-application (SPA) JavaScript bundle showed that usernames and passwords were sent to a third-party verification platform Auth0. Using the Fiddler tool, Zveare modified the HTTP response to masquerade in the admin status and obtain full access to the panel and a vast trove of data.

Hence, the issue identified was a poorly secured admin console in the web interface that allowed bypassing admin credentials.

**What was Data Exposed?**

The researcher claims that the bug could have exposed users’ first and last names, email addresses, and other sensitive data if abused. This issue could have impacted users all over the world.

According to Zveare, he could view details of “every spa,” check its owner, and remove their ownership. Furthermore, he could view user accounts and edit them as well. However, he didn’t test it as he feared the changes would be saved.

The researcher informed Jacuzzi Brands in early December, and the issue was resolved on 4 June.

**More IoT Vulnerability News**

*   Why Internet of Things is the world’s greatest cyber security threat
*   Bluetooth Signals Can Be Abused To Detect and Track Smartphones
*   Hackers attack Casino fish tank thermometer to obtain sensitive data
*   Hackers Can Disable House Arrest Ankle Bracelet without Raising Alert
*   Samsung Smart Refrigerator Hacked, Left Gmail Login Credentials Vulnerable

Flaws in Smart Jacuzzi App Could Be Exploited To Extract Users’ Data

Europol, the Belgian police, and the Dutch police, have apprehended members of a cybercriminal gang involved in phishing and other fraud.
The post Police seize and dismantle massive phishing operation appeared first on Malwarebytes Labs.

Europol has coordinated a joint operation to arrest members of a cybercrime gang and effectively dismantle their campaigns that netted million in Euros. This operation also led the Belgian Police (Police Fédérale/Federale Politie) and the Dutch Police (Politie) to nine arrests, 24 house searches, and the seizure of firearms, ammunition, jewelry, electronic devices, cash, and cryptocurrency.

The group was involved in fraud, money laundering, phishing, and scams.

According to a Europol press release, the group’s modus operandi started with an email, text message, or private message containing a link to a phishing page.

Once recipients opened the link, they would be directed to a bogus bank website. Here, they were encouraged to enter their banking credentials. Money mules then used these credentials to cash out millions in Euros from victim accounts.

On top of fraud, the group was also involved in drug and possible firearms trafficking.

“Europol facilitated the information exchange, the operational coordination and provided analytical support for investigation,” reads the press release, revealing law enforcement involvement in the arrest operation. “During the operation, Europol deployed three experts to the Netherlands to provide real-time analytical support to investigators on the ground, forensics and technical expertise.”

The takedown of this phishing operation came months after Europol shut down the FluBot Android operation and the seizure of RaidForums, a hacking forum.

Police seize and dismantle massive phishing operation

The cybersecurity community is buzzing with concerns of multichannel phishing attacks, particularly on smishing and business text compromise, as hackers turn to mobile to launch attacks.

As security conferences return to in-person venues, the cybersecurity community is buzzing with concerns over multichannel phishing attacks, with mobile phishing the biggest concern as hackers turn to mobile to launch smishing and business text compromise attacks.

By moving completely to the cloud, apps and browsers are all we need to communicate with work, family, and friends. While most of us are aware of the cybersecurity guardrails, we are not infallible. We can be lured into providing personal information and credentials or installing malicious apps that can undermine even the most sophisticated cybersecurity defenses. Our reliance on mobile devices with little or no protection from malicious attacks leaves personal and company data at risk.

Multichannel phishing attacks are on the rise, and more breaches are successful because hackers are delivering very targeted attacks on massive scales — powered by automation technology, taking advantage of human psychology, and exploiting our use of apps, browsers, and multiple communications channels.

Humans are the most strategic cybersecurity entry points into an organization because criminals can use psychology to fool us into overriding or undermining even the most sophisticated cybersecurity protection setups. And today's sophisticated attacks are essentially invisible to the human eye. Gone are the poorly spelled phishing emails of yesterday. Today's human hacking can fool even the most security-aware professional to follow a malicious URL or log in to an illegitimate site and expose data and a network. For the attacker, it's much more straightforward and a lower cost to attack a human than a network or a well-defended machine.

'Furthermore, our world — and the way we use technology — has been dramatically altered. This has further increased the danger of human hacking attacks. Post-pandemic, a large percentage of the workforce will continue to have some hybrid remote/office working arrangements — meaning that we're mixing our personal and professional worlds online more than ever. That opens us to more threats, especially when human hacking attacks are coming from legitimate infrastructure. We've turned to interacting through apps and working on browsers. Using collaboration channels like Zoom and Slack and doing nearly everything through our smartphones has opened more attack vectors.

Gone are the days when phishing emails were easily spotted due to low-quality logos, poor grammar, or just the totally unbelievable nature of the email. Now, attackers are well-equipped and very strategic about their attacks, and the believable SMS text or social media invite from a cybercriminal is far more dangerous.

Then, the sheer number of these channel users multiplies the risk equation for enterprises. Add to this the fact that attacks have evolved to the point where a single attack will use multiple channels to convince the users that they are legitimate. There is also the major issue of underestimating the risk of the human factor — today's attacks are simply impossible to detect with human-only views, assessments, and forensics.

**What to Watch For**

Now, especially as the browser is becoming the operating system of the enterprise, the number of channels for attack has increased. Browser extensions and plug-ins are available through very respected big brands, including Android and Apple, but they are not always safe. Also, browser search results can become embedded with attacks, attracting the attention of the user with something that they care about and are more likely to click on. And of course, common Microsoft 365 apps and enterprise productivity apps such as LinkedIn, Dropbox, and WhatsApp are open to phishing abuse.

Since human hacking is a unique problem, we need to focus on people in order to resolve it. Training people to recognize threats is important, but the attacks are too hard to spot by users for training employees to be cautious to be enough security. Asking people to forward suspicious requests to IT is a help but not a cure. There are simply too many convincing attacks coming in on all channels for IT to keep up with those that are forwarded.

There are better ways. One, recognize that cybercriminals are pointing attacks at the people inside organizations and then defend them — on every single digital channel. Two, take advantage of AI and machine learning to identify threats and then use that protection on endpoints in an organization's network — from employee smartphones to Zoom accounts.

In a world where we're trying to stay one step ahead of the hackers, it's time to adequately recognize the magnitude of the multichannel challenge on the horizon — and a new approach that bolsters the people who are under attack.  
**  
About the Author**

    

Patrick Harr is CEO of SlashNext, the authority in multichannel phishing and human hacking protection across email, Web, and mobile.

The Risk of Multichannel Phishing Is on the Horizon

Fake certificates could be used to bypass authentication controls

Fake certificates could be used to bypass authentication controls

  

A vulnerability in Parse Server software has led to the discovery of an authentication bypass impacting Apple Game Center.

Parse Server is an open source project available on GitHub that provides push notification functionality for iOS, macOS, Android, and tvOS.

The software is a backend system compatible with any infrastructure able to run Node.js, the Express web application framework, and can be operated independently or with existing web applications.

Read more of the latest Apple security news

According to a security advisory published on June 17, a bug in Parse Server versions before 4.10.11/5.0.0/5.2.2 caused a validation issue in Apple Game Center.

Apple calls the Game Center its ‘social gaming network’. The platform includes leaderboards and real-time multiplayer play.

**Bypassing authentication**

Tracked as CVE-2022-31083 and issued a CVSS severity score of 8.6, the security issue is described as a scenario in which the authentication adapter for Apple Game Center’s security certificate is not validated.

“As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object,” the advisory reads.

Attack complexity is considered low and no privileges are required.

A fix has been issued in Parse Server 4.10.11/5.2.2. A new rootCertificateUrl property has been implemented in the software’s Apple Game Center auth adapter, which “takes the URL to the root certificate of Apple’s Game Center authentication certificate”.

If developers have not set a value in the authentication system, the new property defaults to the URL of the root certificate in use by Apple.

There is no workaround available. Furthermore, the advisory notes that it is also an Apple ecosystem developer’s responsibility to keep the root certificate up to date while using the Parse Server Apple Game Center auth adapter.

Game Center will receive a revised dashboard look complete with friends’ activities in iOS 16, set for release later this year.

“Improper validation could allow attackers to bypass authentication, making the server vulnerable to simple remote attacks,” Jake Moore, global cybersecurity advisor at ESET, told The Daily Swig.

“It’s not often that Apple misses the mark on a security feature but without the requirement of authentication, this is a potentially dangerous and even an easy attack. The best way to avoid this threat would be to quickly patch devices with the latest update.”

The Daily Swig has reached out to Apple and we will update if we hear back.

RECOMMENDED GhostTouch: Hackers can reach your phone’s touchscreen without even touching it

Severe Parse Server bug impacts Apple Game Center

Europol on Tuesday announced the dismantling of an organized crime group that dabbled in phishing, fraud, scams, and money laundering activities.
The cross-border operation, which involved law enforcement authorities from Belgium and the Netherlands, saw the arrests of nine individuals in the Dutch nation.
The suspects are men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and

Europol on Tuesday announced the dismantling of an organized crime group that dabbled in phishing, fraud, scams, and money laundering activities.

The cross-border operation, which involved law enforcement authorities from Belgium and the Netherlands, saw the arrests of nine individuals in the Dutch nation.

The suspects are men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse and a 25-year-old woman from Deventer, according to a statement from the National Police Force.

Also confiscated as part of 24 house searches were firearms, ammunition, jewelry, designer clothing, expensive watches, electronic devices, tens of thousands of euros in cash, and cryptocurrency, the officials said.

"The criminal group contacted victims by email, text message and through mobile messaging applications," the agency noted. "These messages were sent by the members of the gang and contained a phishing link leading to a bogus banking website."

Unsuspecting who clicked on the link were tricked into entering their credentials that were subsequently stolen by the syndicate to fraudulently cash out several million euros from the victim's accounts with the help of money mules.

Additionally, some members of the group are said to have connections with drugs and possible firearms trafficking.

The bust comes less than a month after Europol, in collaboration with Australia, Belgium, Finland, Hungary, Ireland, Romania, Spain, Sweden, Switzerland, the Netherlands, and the U.S., took down the infrastructure associated with FluBot Android malware.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Europol Busts Phishing Gang Responsible for Millions in Losses

Comodo Antivirus 12.2.2.8012 has a quarantine flaw that allows privilege escalation. To escalate privilege, a low-privileged attacker can use an NTFS directory junction to restore a malicious DLL from quarantine into the System32 folder.

CVE-2022-34008: Download Free Antivirus Software | Get Complete PC Virus Protection

Iconic hot tub manufacturer addresses flaws that also apparently exposed numerous backend services

Iconic hot tub manufacturer addresses flaws that also apparently exposed numerous backend services

Vulnerabilities in the web interface of Jacuzzi’s SmartTub app could have enabled an attacker to view and potentially manipulate the personal data of hot tub owners, a security researcher claims.

As well as an Android or iOS app, SmartTub provides a module that sits within hot tubs providing status updates and fulfilling commands around setting water temperature, turning on water jets or lights, and so on – although there’s no suggestion this functionality was affected by the flaws.

Eaton Zveare managed to bypass Smarttub.io login pages to reach two admin panels intended for internal use only.

Read more of the latest internet of things security news

The issues have now been patched, although Zveare claimed he was not notified of the fixes, and that Jacuzzi failed to reply to most of his emails. Jacuzzi has yet to respond to our invitation to comment. We’ll update this article if and when they do.

According to the researcher, abuse of the vulnerabilities exposed first names, last names, and email addresses of users from around the world. In a technical write-up he warned: “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”

**‘Staggering’**

The first admin panel was accessed after a login attempt using Zveare’s customer credentials returned an ‘unauthorized’ screen, but was briefly preceded – “blink and you’d miss it” – by a redirect to the admin panel captured with a screen recorder.

This security flaw fleetingly showed data related to multiple Jacuzzi brands in the US and beyond.

A JavaScript bundle for Smarttub.io’s single-page-application (SPA) revealed that usernames and passwords were sent to third-party authentication platform Auth0 for validation.

Zveare used the Fiddler tool to modify the HTTP response in order to masquerade in the admin role – giving him full access to the admin panel and a “staggering” amount of data.

“I could view the details of every spa, see its owner, and even remove their ownership”, he explained. “I could view every user account and even edit them”.

However, Zveare declined to risk testing “if any changes would actually save”.

**Backend services**

The login screen for the second admin console, while not Auth0-branded, “seemed” to accept his credentials but generated a JavaScript browser alert declining permission.

The corresponding JavaScript bundle featured the code for browser alert and check, and he noted that alongside the admin and user groups also visible on the first panel, the second panel featured admin tools and development groups.

DON’T MISS HID Mercury access control vulnerabilities leave door open to lock manipulation

With the help of Chrome Local Overrides functionality, the researcher loaded a modified JavaScript bundle file that forced , , and to return in all cases. “This way, I didn’t need to intercept the HTTP response each time to modify the groups,” said Zveare.

This revealed manufacturing logs, a serial number update section, and options to extend your cell (mobile) data subscription – “or shorten someone else’s” – and create, modify, and delete tub colors or models and licensed hot tub dealers.

**Fraught disclosure**

A lengthy disclosure process detailed by Zveare began with initial notification on December 3, which apparently failed to elicit a response.

Zveare sought Auth0’s help on January 4 and said the authentication vendor immediately reproduced the issue, contacted Jacuzzi, and discovered that the first admin panel had been shut down.

On June 4 he noticed the second admin panel had finally been secured and then disclosed the vulnerabilities on June 20.

“After multiple contact attempts through three different Jacuzzi/SmartTub email addresses and Twitter, a dialog was not established until Auth0 stepped in,” said Zveare.

“Even then, communication with Jacuzzi/SmartTub eventually dropped off completely, without any formal conclusion or acknowledgement they have addressed all reported issues.”

By contrast, the researcher thanked the Auth0 security team for helping out despite having no obligation to do so. “Without their assistance, this disclosure would probably have remained stalled,” he added.

RECOMMENDED Security researcher receives legal threat over patched Powertek data center vulnerabilities

Jacuzzi customer details could be exposed by SmartTub web bugs, claims researcher

The BRATA Android banking Trojan is evolving into a persistent threat with a new phishing technique and event-logging capabilities.

An Android-based banking Trojan known as BRATA (short for Brazilian RAT Android) has evolved to incorporate new phishing techniques and capabilities to acquire GPS, overlay, SMS, and device management permissions.  

The Italian mobile security company Cleafy reported in a blog post this week that these changes align with an advanced persistent threat (APT) pattern of activity.

"Threat actors behind BRATA now target a specific financial institution at a time, and change their focus only once the targeted victim starts to implement consistent countermeasures against them," the blog post explained. "Then, they move away from the spotlight, to come out with a different target and strategies of infections."

The new variant, which is targeting the EU region by posing as specific bank applications, can also now perform event logging through its ability to sideload a second-stage piece of malware from its command-and-control (C2) server.

**Ability to Bypass MFA**

The threat actors operating the new malware variant (BRATA.A) are also expanding their capabilities to include a methodology for potentially bypassing SMS-based multifactor authentication (MFA).

The updated phishing technique can mimic a targeted bank's login page, part of the group's strategy to acquire personal information to be used later for social-engineering purposes.

"Once installed, the pattern of the attack is similar to other SMS stealers," according to the blog post. "This consists in the malicious app asking the user to change the default messaging app with the malicious one to intercept all incoming messages."

Credential harvesting is common in banking Trojans and stealer malware, but bypassing MFA is a bit more complicated.

"This functionality, along with BRATA's ability to remain undetected for prolonged periods of time, could potentially classify the threat actors as an APT," says Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows.

**BRATA Actors Thinking About Future Development**

From the perspective of John Bambenek, principal threat hunter at Netenrich, the ability to request additional permissions on the device indicates what the attackers are thinking as far as future development.

"Not all the new features are actively collecting and transmitting data to the attacker, but future updates can change that," he says. "The actors are spending real effort to make sure they can maximize their success. Banks are constantly evolving, so attackers must do so also."

He adds that because mobile malware is typically still just an app, consumers can protect themselves by only installing apps from approved app stores and be wary when apps are asking for banking credentials.

"Financial institutions need to invest in behavioral analytics to detect stolen credential use against their online presence to prevent fraud against their consumers," Bambenek says.

In a statement provided to Dark Reading, the Cleafy Threat Intelligence team notes BRATA's evolution suggests the threat actors plan to diversify their business model, and consequently its income.

Cleafy's hypothesis is that BRATA is sold as malware-as-a-service (MaaS) to different groups, since the firm is tracking many variants of this malware hitting different countries across the globe.

"It has been observed that they started refactoring part of the malware, in order to tailor it according to the requests of their customers," the statement reads.

**Evolution of a Trojan**

In January, Cleafy discovered the group behind BRATA manipulating Android's factory reset to prevent victims from discovering or reporting and preventing illicit wire transfers. At that point, the malware campaigns were targeting Italian banks.

During the last year, BRATA was delivered through sideloading techniques, not through the official Google Play Store.

Cleafy recommends users pay particular attention to downloading apps from untrusted websites or whenever SMS is required to install an application.

"However, considering the Android 13 restriction for sideloaded apps, we do not exclude that in the future BRATA will be also delivered through official stores, like other famous malware have been trying to do in recent months (e.g. Sharkbot, Teabot etc.)," the statement continues.

Kaspersky first discovered BRATA in 2019 when it was simply spyware and targeted at users in Brazil.

Tag

#android