Discover the BBTok Banking Trojan’s targeted malware campaign, impacting 40 Mexican and Brazilian banks. Stay vigilant against cybersecurity threats in Latin American banking.
An ongoing malware campaign aimed at Latin America is distributing a new variant of a banking trojan known as BBTok, mostly to users in Brazil and Mexico.
“The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks victims into entering its 2FA code to their bank accounts or into entering their payment card number,” Check Point claimed in a report released this week.
The payloads are produced using a bespoke server-side PowerShell script and are tailored to each victim’s operating system and country while being sent via phishing emails that use a range of file types.
BBTok is a Windows banking trojan that first appeared in 2020. It has standard trojan capabilities, such as enumerating and killing processes, executing remote commands, manipulating the keyboard, and serving fake login pages for banks in both countries.
The attack chains themselves are pretty simple, leveraging fraudulent links or ZIP file attachments to deploy the malware from a remote server (216.250.251[.]196) while showing a decoy document to the victim.
The chains differ between Windows 7 and Windows 10 systems, however, mainly in the steps they take to evade newer detection mechanisms such as the Antimalware Scan Interface (AMSI), which lets security products inspect script content (PowerShell, for example) at execution time.
Two further tactics for staying under the radar are the use of living-off-the-land binaries (LOLBins) and geofencing checks that confirm the target is in Brazil or Mexico before the PowerShell script delivers the malware.
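The evasion tactics above (a fixed remote server, LOLBins spawning PowerShell, and hidden encoded PowerShell invocations) all leave traces in ordinary telemetry. The following is an added detection example written for this page, not code from the article or from Check Point's report. It refangs the C2 address quoted above and runs two simple checks over constructed sample log lines: a network check for connections to that address, and a process-creation check for PowerShell launched by a LOLBin parent or with a hidden window and an encoded command. The LOLBin parent list and the log formats are assumptions for the example; the article names only the IP.

```python
import re
from ipaddress import ip_address

# C2 address named in the article; it is written there in defanged form, so refang it.
C2_IP = ip_address("216.250.251[.]196".replace("[.]", "."))

# Assumed watch-list of living-off-the-land binaries as PowerShell parents.
# The article mentions LOLBins only in general terms; these names are not from the page.
LOLBIN_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe"}

# Two assumed, simplified log formats:
#   NET <src_ip> -> <dst_ip>:<port>
#   PROC parent=<image> child=<image> cmd="<command line>"
NET_RE = re.compile(r"^NET\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)$")
PROC_RE = re.compile(r'^PROC\s+parent=(?P<parent>\S+)\s+child=(?P<child>\S+)\s+cmd="(?P<cmd>.*)"$')

# Hidden-window and encoded-command switches of powershell.exe.
HIDDEN_RE = re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden")
ENCODED_RE = re.compile(r"(?i)(^|\s)-(e|enc|encodedcommand)\b")

# Constructed sample telemetry for the demo; these are not real logs.
SAMPLE_LOGS = [
    "NET 10.0.0.5 -> 216.250.251.196:443",
    "NET 10.0.0.5 -> 93.184.216.34:443",
    'PROC parent=mshta.exe child=powershell.exe cmd="powershell -w hidden -nop -enc SQBFAFgA"',
    'PROC parent=explorer.exe child=powershell.exe cmd="powershell -File C:\\Tools\\inventory.ps1"',
    'PROC parent=winword.exe child=cmd.exe cmd="cmd /c echo hi"',
    "unparsed line that matches neither format",
]


def check_line(line):
    """Return a list of finding strings for one log line (empty if nothing suspicious)."""
    findings = []
    m = NET_RE.match(line)
    if m:
        if ip_address(m.group("dst")) == C2_IP:
            findings.append(f"c2-ip: {m.group('src')} contacted {m.group('dst')}:{m.group('port')}")
        return findings
    m = PROC_RE.match(line)
    if m:
        parent = m.group("parent").lower()
        child = m.group("child").lower()
        cmd = m.group("cmd")
        if child == "powershell.exe":
            if parent in LOLBIN_PARENTS:
                findings.append(f"lolbin-parent: {parent} spawned powershell")
            if HIDDEN_RE.search(cmd) and ENCODED_RE.search(cmd):
                findings.append("hidden-encoded-powershell")
        return findings
    # Lines in neither format are ignored rather than treated as errors.
    return findings


def scan(lines):
    """Scan many lines; return {line_index: [findings]} for lines that produced findings."""
    report = {}
    for i, line in enumerate(lines):
        hits = check_line(line)
        if hits:
            report[i] = hits
    return report


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
```

The two checks are deliberately independent: an indicator match on a single IP is brittle once the infrastructure changes, whereas a LOLBin parent launching a hidden, encoded PowerShell is behaviour that persists across campaigns, so a real deployment would weight the second kind of finding higher and keep the first as corroboration.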
When BBTok is launched, it connects to a remote server to receive commands to replicate the security verification screens for multiple banks.
The purpose of imitating the interfaces of Latin American banks is to harvest the credentials and authentication codes users submit, in order to take over their online bank accounts.