BBTok Banking Malware

Banking malware is a malicious program designed and used by threat actors to steal sensitive financial information from victims’ computers or mobile devices, such as:

  • Login credentials
  • Banking details

These malware variants can be highly sophisticated and employ advanced techniques.

Cybersecurity analysts at Check Point Research recently found an active BBTok banker campaign in Latin America with unique LOLBin infection chains, targeting users in Brazil and Mexico.

BBTok Banking Malware

BBTok Banker was initially unveiled in 2020 and entered Latin America via fileless attacks, featuring:

  • Process control
  • Clipboard manipulation
  • Fake login pages

The operators of BBTok have evolved with several new TTPs, shifting from email attachments to phishing links for initial infections.

BBTok offers operators remote control and simulates interfaces for 40+ banks in Mexico and Brazil, identifying victims by scanning browser tabs.

Fake interfaces (Source – Check Point)

The banker defaults to mimicking BBVA, luring users into sharing personal and financial info, especially 2FA codes for account takeover.

This banking malware is coded in Delphi and uses VCL to create custom fake interfaces that match victim screens and bank forms. Besides this, BBTok also seeks Bitcoin-related data on infected machines.

For effective management of the campaigns, the operators of BBTok use a unique flow starting with a victim clicking a malicious link, triggering a tailored payload download.

Server-side components used (Source – Check Point)

The payloads are obfuscated with Add-PoshObfuscation, which was found via a hackforums[.]net post by user ‘Qismon’ in August 2021 offering AMSI bypass and PoshObfuscation code.

Shared Add-PoshObfuscation() code (Source – Check Point)

There are two variations of the infection chain, and both infection chains use DLLs with similar names (Trammy, Gammy, Brammy, Kammy). 

Kammy is an obfuscated, geofenced version of BBTok’s loader, leading to the banker payload and additional software.

The two infection chains are shown below:

Windows 7 Infection Chain (Source – Check Point)
Windows 10 Infection Chain (Source – Check Point)

The server-side analysis reveals recent campaigns from the threat actors’ perspective through their links SQLite database, which contains more than 150 unique entries matching the db.php table headers.

Portuguese comments in the hidden server code strongly suggest Brazilian threat actors, known for their active banking malware ecosystem.

Attack region (Source – Check Point)

BBTok, active in Mexico and Brazil, remains elusive with creative techniques and delivery via LNK files, SMB, and MSBuild. Security researchers need to adapt like threat actors to stay protected.
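An added detection example for the delivery pattern named above (LNK files, SMB, MSBuild), not taken from Check Point's report: it flags process-creation events where MSBuild loads a project from a UNC path or runs under an unexpected parent, and shells started from Explorer that reference a UNC path. The Sysmon-style field names, rule names, parent allow-list and sample events are assumptions constructed for illustration; this page does not give BBTok's exact command lines.

```python
import ntpath
import re

# \\host\share at the start of an argument (SMB-hosted file)
UNC = re.compile(r"(?:^|[\s\"'=])\\\\[A-Za-z0-9.\-]+\\[^\s\\\"]+")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed allow-list of legitimate MSBuild parents; tune per environment.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe -nologo \\203.0.113.10\share\build.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "copy \\files.example.test\pub\a.dll %TEMP%\a.dll"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path or "").lower()

def findings(event):
    """Return the names of the rules a single event triggers."""
    image, parent = name(event.get("Image")), name(event.get("ParentImage"))
    unc = bool(UNC.search(event.get("CommandLine", "")))
    hits = []
    if image == "msbuild.exe" and unc:
        hits.append("msbuild_remote_project")        # project file served over SMB
    if image == "msbuild.exe" and parent not in BUILD_PARENTS:
        hits.append("msbuild_unusual_parent")        # not started by a build tool
    if image in SHELLS and parent == "explorer.exe" and unc:
        hits.append("shell_from_explorer_with_unc")  # consistent with a clicked LNK
    return hits

def triage(events):
    """Return (index, rules) for every event that triggers at least one rule."""
    return [(i, findings(e)) for i, e in enumerate(events) if findings(e)]

if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS):
        print(index, ", ".join(rules))
```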


Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.