Jbifrost Rat For Android


A new malicious Android remote access tool (RAT) dubbed BRATA was observed by Kaspersky researchers while spreading via WhatsApp and SMS messages to infect and spy on Brazilian users.

The new RAT was named based on its 'Brazilian RAT Android' description by the Kaspersky Global Research & Analysis Team (GReAT) researchers who spotted it in the wild in January.

Until now, the researchers have discovered more than 20 unique BRATA variants in Android apps delivered via the Google Play Store, with some also having been found on unofficial Android app stores.

BRATA's operators have been using several infection vectors including push notifications sent via compromised websites, as well as 'messages delivered via WhatsApp or SMS, and sponsored links in Google searches.'

However, as the researchers further discovered, the vast majority of the BRATA variants spotted in the wild were camouflaged as updates for the highly popular WhatsApp app.

After being downloaded and executed, some of the fake updates would exploit the WhatsApp CVE-2019-3568 vulnerability to infect the Android devices of the targeted Brazilian users.

'Once a victim’s device is infected, 'BRATA' enables its keylogging feature, enhancing it with real-time streaming functionality,' found the researchers. 'It uses Android’s Accessibility Service feature to interact with other applications installed on the user’s device.'

Among its capabilities, BRATA allows its operators to unlock their victims' devices, collect device information, turn off the device's screen to surreptitiously run tasks in the background, and uninstall itself and remove any infection traces.

The Kaspersky researchers provide indicators of compromise (IOCs) for the BRATA RAT malware in the form of malware sample MD5 hashes at the end of their write-up.

RATs are a popular attack tool this month

Attackers have been using multiple RAT flavors to attack various types of targets this month alone, with government and financial entities being targeted with the Revenge and Orcus Remote Access Trojans, while a separate phishing campaign used fake resume attachments to deliver Quasar RAT payloads.

Last week, utility industry entities were attacked by threat actors with the Adwind RAT (also known as jRAT, AlienSpy, JSocket, and Sockrat).

Multiple entities from the Balkans were also targeted with a combo of new backdoor and RAT malware named BalkanDoor and BalkanRAT by ESET researchers who first spotted the attacks.

In early August, a new exploit kit distributed via malvertising and dubbed Lord EK abused the PopCash ad network to drop an njRAT payload after exploiting an Adobe Flash use-after-free vulnerability.

A few days before, Proofpoint Threat Insight Team researchers reported the detection of a new RAT malware dubbed LookBack, delivered via a spear-phishing campaign and attacking the employees of three U.S. utility industry entities.

The Adwind Remote Access Trojan (RAT) is a popular Java-based backdoor capable of infecting Windows, Linux, Mac OS and Android operating systems. Its cross-platform nature, elaborate backdoor features, and relatively cheap price make it a favourite choice for many cybercriminals today. Earlier this year, it was reported that Adwind was used in at least 443,000 attacks.

Adwind has rebranded itself multiple times in the past, using the names “Frutas,” “AlienSpy,” and “Unrecom,” to name a few. The most recent name it used was “Jsocket,” which was put in the spotlight when reports about it circulated last February. Shortly after, JSocket appears to have closed business:

Our intelligence suggests that the perpetrators behind Adwind and JSocket have simply rebranded the tool yet again, this time using the name “JBifrost”. This post will detail our findings.

JBifrost Website Overview

Similar to its predecessor, the JBifrost website hosts a marketplace and a community forum. Subscribers now need an invitation code to access the site:

The basic membership appears to be $45 USD per month, while renewal is $40 USD. This membership allows a subscriber to download the JBifrost RAT as well as a few other plugins.

In addition, JSocket previously accepted a variety of payment methods, including PerfectMoney, CoinPayments, Advcash, and EntroMoney. For this iteration, JBifrost only accepts Bitcoin as payment:

Additional tools, such as binders and downloaders, have separate prices:

As can be seen above, the JBifrost RAT has been downloaded 1,566 times as of this writing. This more or less represents the number of users actively using the RAT.

JBifrost’s website has the same professional feel as JSocket’s. It provides a forum and chat box where subscribers can find tutorials for using the RAT, as well as communicate any concerns regarding their service:

The website also provides a free file scanner to help its users make sure the RAT is not detected by anti-virus products:

When did JBifrost surface?

Based on JBifrost’s change log, the first version of the RAT was released on May 15, 2016 – three months after JSocket closed business:

The latest release states that it is running version “1.1.0”. Upon executing the JBifrost client, however, it downloaded an updated copy from its server with the version number “1.1.1”. The user interface looks as follows:

In fact, the above interface is simply an updated JSocket interface:

So, what’s the difference between JBifrost and JSocket?

RAT Updates

Based on our investigation, JBifrost includes only minor changes from its predecessor.

The current JBifrost client interface added two additional columns. One of these is a keyboard status flag that shows a green check mark if an infected user is actively using the keyboard. The other is a text column that displays the current window title of the victim:

A new module was also added to the RAT with the ID “eee.” This feature allows cybercriminals to intercept form data from Google Chrome:

A tab named “Misc” was also added to allow additional configuration for JBifrost servers:

Finally, a feature that binds JBifrost Android servers with a digital signature was added:

Conclusion

Based on our findings, it is clear that Adwind perpetrators intend to stay in business by simply rebranding their RAT whenever they appear in the news. They do so by migrating their current subscribers’ accounts to a new website.

They also appear to be more cautious since their website is only accessible to invited users, and they are using Bitcoin as their only mode of payment.

As of this writing, we can confirm that JBifrost RAT is currently being utilized in active attacks, including attacks related to business email compromise (BEC) schemes. We will continue to monitor developments regarding this prominent RAT.

Fortinet detects Adwind servers, regardless of their current brand, as Java/Adwind variants.

-= FortiGuard Lion Team =-