Banking malware is a malicious program designed and used by threat actors to steal the following sensitive financial information from victims' computers or mobile devices:-
- Login credentials
- Banking details
These malware variants can be highly sophisticated, employing the following advanced techniques:-
- Web injection
- Evasive mechanisms
Cybersecurity analysts at Check Point Research recently found an active BBTok banker campaign in Latin America that uses unique infection chains built on living-off-the-land binaries (LOLBins), targeting users in Brazil and Mexico.
BBTok Banking Malware
BBTok Banker was first disclosed in 2020, when it was delivered across Latin America through fileless attacks. Its feature set includes:-
- Process control
- Clipboard manipulation
- Fake login pages
The operators of BBTok have since adopted several new TTPs, most notably shifting from email attachments to phishing links for initial infection.
BBTok gives its operators remote control of the infected machine and simulates the interfaces of more than 40 banks in Mexico and Brazil, identifying which bank a victim uses by scanning the open browser tabs.
By default the banker mimics BBVA, luring users into entering personal and financial information, in particular 2FA codes, which the operators use for account takeover.
The banker is written in Delphi and uses the Visual Component Library (VCL) to build fake interfaces that match the victim's screen and the targeted bank's forms. BBTok also searches infected machines for Bitcoin-related data.
To manage campaigns, the operators use a distinctive flow: the victim clicks a malicious link, which triggers the download of a payload tailored to that victim.
The payloads are obfuscated with Add-PoshObfuscation, a PowerShell obfuscation tool that the researchers traced to an August 2021 hackforums[.]net post by the user 'Qismon', which offered PoshObfuscation code together with an AMSI bypass.
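Obfuscated PowerShell of the kind described above is usually easier to catch on its tell-tale constructs than on the payload it hides. The following is an added example (not code from the article or from Check Point Research) of a heuristic scorer that runs over PowerShell script-block text such as Event ID 4104 logging produces. The indicator list, weights, threshold and the three sample script blocks are all constructed assumptions for illustration; none of the samples is BBTok code.

```python
"""Heuristic scoring of PowerShell script-block text for obfuscation
indicators (added example; the samples are constructed, not BBTok code)."""
import re

# Indicator -> (regex, weight). Hits per indicator are capped so that one
# repeated trick (e.g. dozens of [char] casts) cannot dominate the score.
INDICATORS = {
    "char_code_assembly": (re.compile(r"\[char\]\s*\d+", re.IGNORECASE), 1),
    "backtick_split_token": (re.compile(r"[A-Za-z]`[A-Za-z]"), 1),
    "format_operator_build": (re.compile(r"""["']\s*-f\b""", re.IGNORECASE), 2),
    "invoke_expression": (re.compile(r"\b(iex|Invoke-Expression)\b", re.IGNORECASE), 2),
    "base64_decode": (re.compile(r"FromBase64String", re.IGNORECASE), 2),
    "long_base64_blob": (re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"), 2),
    "amsi_reference": (re.compile(r"amsi", re.IGNORECASE), 3),
}
MAX_HITS_PER_INDICATOR = 3   # assumed cap
THRESHOLD = 5                # assumed alert threshold


def score_script_block(text):
    """Return (total_score, {indicator: hit_count}) for one script block."""
    hits = {}
    total = 0
    for name, (rx, weight) in INDICATORS.items():
        n = len(rx.findall(text))
        hits[name] = n
        total += min(n, MAX_HITS_PER_INDICATOR) * weight
    return total, hits


def is_obfuscated(text):
    """True when the weighted indicator score reaches the alert threshold."""
    return score_script_block(text)[0] >= THRESHOLD


# Constructed samples (not real payloads): a plain admin one-liner, a benign
# script that legitimately decodes base64, and a heavily obfuscated block.
BENIGN = r"Get-ChildItem -Path C:\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB } | Select-Object Name, Length"
MILD = r"$bytes = [Convert]::FromBase64String($encodedCert); Set-Content -Path cert.pfx -Value $bytes -Encoding Byte"
SUSPICIOUS = (
    r"$c=[char]73+[char]69+[char]88; $n=('{0}{1}' -f 'AmsiU','tils'); "
    r"Ne`w-Ob`ject Net.WebClient; "
    r"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('SGVsbG8gV29ybGQ=')))"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("mild", MILD), ("suspicious", SUSPICIOUS)):
        total, hits = score_script_block(sample)
        print(f"{label:10s} score={total:2d} flagged={total >= THRESHOLD} hits={hits}")
```

The point of the capped, weighted design is that a single legitimate `FromBase64String` call (the MILD sample) stays below the threshold, while the combination of character-code assembly, backtick-split tokens, the `-f` string-building trick and an AMSI reference pushes the obfuscated block well over it. Scores like this are a triage aid for script-block logs, not a replacement for AMSI itself.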
There are two variants of the infection chain, and both use DLLs with similar names (Trammy, Gammy, Brammy, Kammy).
Kammy is an obfuscated, geofenced version of BBTok's loader; it delivers the banker payload together with additional software.
Here below, we have mentioned the infection chains:-
Server-side analysis of the operators' infrastructure gave the researchers a view of recent campaigns from the threat actors' perspective: an SQLite database holding more than 150 unique entries whose columns match the table headers in db.php.
Portuguese-language comments in the hidden server-side code strongly suggest Brazilian threat actors, a community well known for its active banking-malware ecosystem.
BBTok remains active in Mexico and Brazil and continues to evade detection through creative techniques and delivery via LNK files, SMB, and MSBuild. Security researchers need to adapt as quickly as the threat actors do to stay protected.
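The LNK, SMB and MSBuild delivery mentioned above leaves a characteristic trace in process-creation telemetry: msbuild.exe started by explorer.exe (an LNK double-click) or by a shell, with a project file pulled from a UNC share or a user-writable directory rather than a developer's build tool. The following is an added example (not the article's or Check Point's code) of triage logic over Sysmon-style process-creation events. The parent-process lists, path classes, severity policy and the four events are constructed assumptions; the file names in them are placeholders and not the DLL names reported for BBTok.

```python
"""Triage of process-creation events for MSBuild used as a LOLBin launcher
(added example; the events below are constructed, not real telemetry)."""
import re

# Parents that indicate a user or script launched MSBuild directly (assumed lists).
LNK_STYLE_PARENTS = {"explorer.exe", "wscript.exe", "cscript.exe", "mshta.exe", "outlook.exe"}
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PROJECT_EXTS = (".csproj", ".vbproj", ".proj", ".xml", ".targets")
# Directories an unprivileged user can write to, and UNC (SMB) paths.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(?:Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def find_project_arg(cmdline):
    """First argument after the image that looks like an MSBuild project file."""
    for tok in tokenize(cmdline)[1:]:
        if tok.lower().endswith(PROJECT_EXTS):
            return tok
    return None


def assess(event):
    """Return (severity, reasons) for one process-creation event."""
    if basename(event.get("Image", "")) != "msbuild.exe":
        return "none", []
    parent = basename(event.get("ParentImage", ""))
    project = find_project_arg(event.get("CommandLine", ""))
    findings = []
    if project and UNC_PATH.match(project):
        findings.append(("high", f"project file loaded from SMB share: {project}"))
    if parent in LNK_STYLE_PARENTS:
        findings.append(("high", f"spawned by {parent}, typical of an LNK or script launch"))
    if project and USER_WRITABLE.match(project) and parent in SHELL_PARENTS:
        findings.append(("medium", f"project file in user-writable path via {parent}: {project}"))
    if not findings:
        return "none", []
    severity = max((level for level, _ in findings), key=SEVERITY_RANK.__getitem__)
    return severity, [why for _, why in findings]


# Constructed events in Sysmon field naming (not captured telemetry).
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" "\\10.0.0.5\share\update.xml"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MSBuild.exe C:\Users\victim\AppData\Local\Temp\build.csproj /nologo"},
    {"Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" "C:\Users\dev\source\repos\App\App.csproj" /t:Build'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\dev\notes.txt"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        severity, reasons = assess(ev)
        print(f"{severity:6s} {basename(ev['Image'])} <- {basename(ev['ParentImage'])} {reasons}")
```

The third event shows why the parent process matters: a developer building a project under C:\Users from Visual Studio is not flagged, while the same user-writable path reached from cmd.exe is, and a project file on an SMB share is flagged regardless of parent. Extend the parent lists and path classes to match your own build fleet before turning this into an alert.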