Emerging BBTok Variant Targets 40+ Latin American Banks with Sophisticated Tactics


The Latin American region, particularly Brazil and Mexico, is currently under attack from an active malware campaign that is distributing a new variant of the banking trojan BBTok. This trojan is designed to replicate the interfaces of over 40 banks in these countries, tricking victims into providing their 2FA codes or payment card numbers. The malware is distributed through phishing emails using various file types.

BBTok is a Windows-based banking trojan that first emerged in 2020. It comes with a range of features typical of such trojans, enabling it to perform tasks like process enumeration and termination, remote command execution, keyboard manipulation, and displaying fake login pages for banks in Brazil and Mexico.

The attack method involves using fake links or ZIP file attachments to deploy the trojan from a remote server, while displaying a decoy document to the victim. It's worth noting that the attack chains are tailored separately for Windows 7 and Windows 10 systems and include efforts to evade detection mechanisms such as the Antimalware Scan Interface (AMSI).

The trojan also employs techniques like using "living-off-the-land binaries" (LOLBins) and geofencing checks to ensure that targets are specifically from Brazil or Mexico before executing the malware via a PowerShell script.

Once activated, BBTok establishes connections with a remote server to receive commands and simulate security verification pages for various banks. By mimicking the interfaces of Latin American banks, the goal is to steal the user's login credentials and authentication information for account takeovers.

Interestingly, the operators exercise caution: the trojan carries out banking activities only upon direct command from its command-and-control server, rather than automatically on every infected system.

Check Point's analysis indicates that BBTok has evolved significantly since its emergence in 2020, expanding its scope beyond Mexican banks. The presence of Spanish and Portuguese languages in the source code and phishing emails suggests the likely origin of the attackers.

It's estimated that over 150 users have been infected by BBTok, based on an SQLite database discovered on the server hosting the payload generation component, which records access to the malicious application.

Given its capabilities and unique delivery methods, BBTok still poses a threat to organizations and individuals in the region, despite its relatively low profile.

This development coincides with an incident reported by an Israeli cybersecurity company, detailing a large-scale phishing campaign targeting over 40 prominent companies in Colombia. The ultimate aim was to deploy the Remcos RAT through a multi-stage infection sequence. The Remcos RAT provides attackers with full control over the infected computer and can be used for various types of attacks, including data theft, follow-up infections, and account takeovers.
