Verticals Targeted: Financial
Executive Summary
BBTok, written in Delphi, is a banking trojan that has been active since at least 2020. A new variant was recently observed targeting financial entities in Latin America.
Key Takeaways
- BBTok, written in Delphi, is a banking trojan that has been active since at least 2020.
- A new variant was recently observed targeting financial entities in Latin America.
- Payloads appear to be uniquely generated per victim.
What is BBTok?
Check Point Research recently reported on a new BBTok variant being used to target financial entities in Latin America, with targets primarily located in Brazil and Mexico. BBTok, written in Delphi, is a banking trojan that has been active since at least 2020. The original was deployed using fileless attacks.
Check Point Research noted the threat actor’s TTPs have evolved since 2020. The threat actors are now using new infection chains leveraging Living off the Land Binaries (LoLBins), along with other layers of obfuscation, allowing the malware to fly under the radar with low detection rates.
The threat actors are diversifying their infection chains for different versions of Windows and are using a variety of file types, including .ISO, .ZIP, .LNK, .DOCX, .JS, and .XLL in the infection chain. The threat actors have also leveraged open source code, code obtained from hacking forums, and 0day exploits, such as Follina, in the recent attacks.
Check Point Research noted the threat actors appeared to obtain initial access via phishing links that led to the delivery of malicious payloads. When the malicious link is accessed, a compressed archive file is downloaded to the victim machine. This file contains an .LNK file that kicks off the infection chain, opening a decoy document and deploying BBTok.
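As an added example (not code from the Check Point or PolySwarm write-up), the following Python detector covers the archive-plus-.LNK stage described above: it parses the MS-SHLLINK StringData fields of every .LNK entry in a ZIP and flags any whose target path or arguments name a common LoLBin. The entry names, the LoLBin list and the sample archive are constructed for illustration and are not indicators from the report.

```python
import io, re, struct, zipfile
# Living-off-the-Land binaries (LOLBAS project) whose names the scanner looks for in LNK fields.
LOLBINS = ("powershell", "cmd", "mshta", "rundll32", "regsvr32", "wscript", "cscript", "certutil", "msiexec")
# MS-SHLLINK LinkFlags bits 0-7; the optional StringData fields appear in the order listed.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, ...) of a Windows .LNK file."""
    assert data[:4] == b"\x4c\x00\x00\x00", "not a Windows shell link (HeaderSize must be 0x4C)"
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], 0x4C   # LinkFlags; skip the fixed header
    if flags & HAS_IDLIST:                        # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:                           # CountCharacters, then the unterminated string
            count = struct.unpack_from("<H", data, pos)[0]
            out[name] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return out

def build_lnk(rel_path: str, args: str) -> bytes:
    """Constructed minimal .LNK used only to exercise the parser (not a real-world sample)."""
    hdr = bytearray(0x4C)
    struct.pack_into("<I", hdr, 0, 0x4C)
    hdr[4:20] = bytes.fromhex("0114020000000000c000000000000046")   # shell link CLSID
    struct.pack_into("<I", hdr, 0x14, HAS_RELPATH | HAS_ARGS | IS_UNICODE)
    return bytes(hdr) + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))

def scan_archive(zip_bytes: bytes) -> list:
    """Flag .LNK entries whose path or arguments name a LoLBin; returns (entry, hits, arguments)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                fields = parse_lnk_strings(zf.read(info))
                text = " ".join(fields.values()).lower()
                hits = [b for b in LOLBINS if re.search(rf"\b{b}\b", text)]
                if hits:
                    findings.append((info.filename, hits, fields.get("arguments", "")))
    return findings

def constructed_sample(target="..\\Windows\\System32\\cmd.exe", args="/c start Factura.docx") -> bytes:
    # Constructed archive shaped like the reported chain: a decoy-named .LNK beside a decoy document.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura.pdf.lnk", build_lnk(target, args))
        zf.writestr("Factura.docx", b"constructed decoy document")
    return buf.getvalue()
```

Running `scan_archive(constructed_sample())` flags the .LNK because its target names cmd.exe, while a link that points straight at the decoy document produces no findings.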
Payloads appear to be uniquely generated per victim. Additionally, the threat actors employed multi-layered geofencing to ensure only entities in specific countries were targeted in the attacks. The current BBTok variant has the ability to replicate the interfaces of more than 40 Mexican and Brazilian financial institutions. BBTok also includes functionality to trick victims into entering their 2FA codes or payment card numbers. Check Point Research found evidence that seems to suggest the threat actors may also intend to branch out into targeting cryptocurrency.
Check Point Research did not attribute the activity to a particular threat actor group, but based on server code comments in the Portuguese language, they assessed it is possible the threat actors are Brazilian.
IOCs
PolySwarm has multiple samples associated with this activity.
825a5c221cb8247831745d44b424954c99e9023843c96def6baf84ccb62e9e5f
9d91437a3bfd37f68cc3e2e2acfbbbbfffa3a73d8f3f466bc3751f48c6e1b40e
You can use the following CLI command to search for all BBTok samples in our portal:
$ polyswarm link list -f BBTok
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports