New variant of BBTok Trojan targets users of +40 banks in LATAM

A new variant of a banking trojan, called BBTok, targets users of over 40 banks in Latin America, particularly Brazil and Mexico.

Check Point researchers warn of a new variant of a banking trojan, called BBTok, that is targeting users of over 40 banks in Latin America.

The new malware campaign relies on new infection chains and employs a unique combination of Living off the Land Binaries (LOLBins). The campaign has a low detection rate even though BBTok first appeared in the threat landscape in 2020.

The researchers reported that BBTokis is mainly targeting users in Brazil and Mexico, employing multi-layered geo-fencing to avoid infecting systems from other countries.

“The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering its 2FA code to their bank accounts or into entering their payment card number.” reads the report published by Check Point. “The newly identified payloads are generated by a custom server-side application, responsible for generating unique payloads for each victim based on operating system and location.”

BBTok supports a wide set of capabilities, it allows operators to remotely execute commands and replicates the interfaces of multiple Latin American banks, including over 40 major banks in Mexico and Brazil. The list of targeted banks includes Citibank, Scotibank, Banco Itaú and HSBC.

The malware displays victims a fake interface posing as legitimate banks and that is designed to trick the users of the targeted banks into providing their personal and financial information, including 2FA codes.

BBTok is written in Delphi and uses the Visual Component Library (VCL) to dynamically generate interfaces.

The researchers reported that a custom server-side PowerShell script generates unique payloads for each victim. The payload is being delivered via phishing emails that use multiple file types.

The phishing messages include a malicious link. Upon clicking the link, it results in the download of either a ZIP archive or an ISO image, depending on the operating system of the victim’s machine. 

The attack chains are different for both Windows 7 and Windows 10 systems, they are devised to evade security measures such as Antimalware Scan Interface (AMSI).

“What’s notable is the operator’s cautious approach: all banking activities are only executed upon direct command from its C2 server, and are not automatically carried out on every infected system.” continues the report.

The analysis of the server-side component revealed the presence of the database “links.sqlite.” The database includes more than 150 unique entries (users infected by BBTok), each aligning with the table headers created by “db.php.” The content is in Portuguese, a circumstance that suggests that with a high probability the threat actors are Brazilians.

“Although BBTok has been able to remain under the radar due to its elusive techniques and targeting victims only in Mexico and Brazil, it’s evident that it is still actively deployed. Due to its many capabilities, and its unique and creative delivery method involving LNK files, SMB and MSBuild, it still poses a danger to organizations and individuals in the region.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BBTok)