News: New Variant of Banking Trojan BBTok Targets Over 40 Latin American Banks

An active malware campaign targeting Latin America is distributing a new variant of a banking trojan called BBTok, aimed particularly at users in Brazil and Mexico.


"The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering its 2FA code to their bank accounts or into entering their payment card number," Check Point said in research published this week.


The payloads are generated by a custom server-side PowerShell script and are unique for each victim based on the operating system and country, while being delivered via phishing emails that leverage a variety of file types.


BBTok is a Windows-based banking malware that first surfaced in 2020. It's equipped with features that run the typical trojan gamut, allowing it to enumerate and kill processes, issue remote commands, manipulate the keyboard, and serve fake login pages for banks operating in the two countries.


The attack chains themselves are fairly straightforward, employing bogus links or ZIP file attachments to stealthily deploy the banker retrieved from a remote server (216.250.251[.]196) while displaying a decoy document to the victim.


But they are also diversified for both Windows 7 and Windows 10 systems, mainly taking steps to evade newer detection mechanisms such as the Antimalware Scan Interface (AMSI), a Windows component that lets applications hand content such as script code to the installed antivirus engine for scanning before it runs.


Two other key methods to fly under the radar are the use of living-off-the-land binaries (LOLBins) and geofencing checks to ensure that the targets are only from Brazil or Mexico before serving the malware via the PowerShell script.


Once launched, BBTok establishes connections with a remote server to receive commands to simulate the security verification pages for various banks.


By impersonating the interfaces of Latin American banks, the goal is to harvest credentials and authentication information entered by the users and use them to take over the victims' online bank accounts.
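The article gives defenders two concrete hooks: the payload server address it publishes (216.250.251[.]196) and the delivery pattern of PowerShell being launched from ZIP-attachment content. The following is an added example, not code from Check Point or from the article, showing how those two hooks can be turned into simple detection logic over endpoint and network logs. The log formats, field names, the list of archive-tool parent processes and all sample log lines are constructed assumptions for illustration; only the IP address comes from the article.

```python
import ipaddress
import re
from dataclasses import dataclass

# Payload server reported in the article (printed there defanged as 216.250.251[.]196).
BBTOK_PAYLOAD_SERVER = ipaddress.ip_address("216.250.251.196")

# Archive utilities that should rarely be the direct parent of PowerShell.
# Constructed list for this example, not something the article provides.
ARCHIVE_PARENTS = {"7zfm.exe", "winrar.exe", "winzip64.exe"}

# Assumed log formats for this example:
#   NET  <host> <src_ip> -> <dst_ip>:<port> <bytes>
#   PROC <host> parent=<image> child=<image> cmd="<command line>"
NET_RE = re.compile(r"^NET\s+(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)\s+\d+$")
PROC_RE = re.compile(r'^PROC\s+(\S+)\s+parent=(\S+)\s+child=(\S+)\s+cmd="(.*)"$')


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def refang(text: str) -> str:
    """Accept IoCs written in the defanged 1.2.3[.]4 style as well as plain form."""
    return text.replace("[.]", ".")


def analyze(lines):
    """Return a list of Findings for the two BBTok-related behaviours."""
    findings = []
    for n, line in enumerate(lines, start=1):
        net = NET_RE.match(line)
        if net:
            host, _src, dst, port = net.groups()
            try:
                dst_ip = ipaddress.ip_address(refang(dst))
            except ValueError:
                continue  # destination is a hostname, not an IP; not handled here
            if dst_ip == BBTOK_PAYLOAD_SERVER:
                findings.append(Finding(n, "bbtok_payload_server",
                                        f"{host} contacted {dst_ip}:{port}"))
            continue
        proc = PROC_RE.match(line)
        if proc:
            host, parent, child, cmd = proc.groups()
            if child.lower() != "powershell.exe":
                continue
            # Two weak signals of "script extracted from a mail attachment":
            # an archive tool as the parent, or a script path under a Temp folder
            # (where Explorer and archive tools unpack ZIP contents on double-click).
            from_archive_tool = parent.lower() in ARCHIVE_PARENTS
            from_temp_path = "\\temp\\" in cmd.lower()
            if from_archive_tool or from_temp_path:
                findings.append(Finding(n, "powershell_from_archive_content",
                                        f"{host}: {parent} -> {child} ({cmd})"))
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "NET ws-01 10.0.0.5 -> 93.184.216.34:443 1200",
    "NET ws-01 10.0.0.5 -> 216.250.251.196:80 48211",
    'PROC ws-01 parent=outlook.exe child=winword.exe cmd="winword.exe /n"',
    'PROC ws-02 parent=explorer.exe child=powershell.exe '
    'cmd="powershell.exe -w hidden -f C:\\Users\\a\\AppData\\Local\\Temp\\Temp1_factura.zip\\factura.ps1"',
    'PROC ws-03 parent=explorer.exe child=powershell.exe '
    'cmd="powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```

The explorer.exe-launched admin script on the last sample line is deliberately left unflagged: the Temp-path and archive-parent conditions are what distinguish an unpacked attachment from routine scripting, and an IP match alone should be treated as a pivot point for further investigation rather than proof of compromise, since a payload server can be re-used or taken over.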