New BBTok Banking Malware Server-Side Software


Banking malware is a malicious program that is mainly designed and used by threat actors to steal the following sensitive financial information from victims’ computers or mobile devices:-

  • Login credentials
  • Banking details

These malware variants can be highly sophisticated, employing the following advanced techniques:-

Cybersecurity analysts at Check Point Research recently found an active BBTok banker campaign in Latin America with unique LOLBin infection chains, targeting users in Brazil and Mexico.

BBTok Banking Malware

BBTok Banker was initially unveiled in 2020 and entered Latin America via fileless attacks, featuring:-

  • Process control
  • Clipboard manipulation
  • Fake login pages

The operators of BBTok have evolved with several new TTPs, shifting from email attachments to phishing links for initial infections.

BBTok offers operators remote control and simulates interfaces for 40+ banks in Mexico and Brazil, identifying victims by scanning browser tabs.

Fake interfaces (Source – Check Point)

The banker defaults to mimicking BBVA, luring users into sharing personal and financial info, especially 2FA codes for account takeover.

This banking malware is coded in Delphi and uses VCL to create custom fake interfaces that match victim screens and bank forms. Besides this, BBTok also seeks Bitcoin-related data on infected machines.

For effective management of the campaigns, the operators of BBTok use a unique flow starting with a victim clicking a malicious link, triggering a tailored payload download.

Server-side components used (Source – Check Point)

The payloads are obfuscated with Add-PoshObfuscation, code that Check Point traced to a hackforums[.]net post by the user ‘Qismon’ in August 2021 offering AMSI bypass and PoshObfuscation code.

Shared Add-PoshObfuscation() code (Source – Check Point)

There are two variations of the infection chain, and both use DLLs with similar names (Trammy, Gammy, Brammy, Kammy).

Kammy is an obfuscated, geofenced version of BBTok’s loader, leading to the banker payload and additional software.

Here below, we have mentioned the infection chains:-

Windows 7 Infection Chain (Source – Check Point)
Windows 10 Infection Chain (Source – Check Point)

The server-side analysis reveals the recent campaigns from the threat actors’ perspective, through the links recorded in an SQLite database holding more than 150 unique entries that match the table headers in db.php.

Portuguese comments in the hidden server code strongly suggest Brazilian threat actors, known for their active banking malware ecosystem.

Attack region (Source – Check Point)

BBTok, active in Mexico and Brazil, remains elusive thanks to its creative techniques and its delivery via LNK files, SMB, and MSBuild. Defenders need to adapt as quickly as the threat actors do to stay protected.
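The LOLBin delivery the article mentions (a shortcut file leading to MSBuild running a project hosted on an SMB share) leaves a recognisable shape in process-creation telemetry. The following is an added detection sketch, not code from Check Point or from the BBTok campaign: it runs a simple heuristic over a few constructed process-creation events (field names, paths and the 203.0.113.10 share address are all assumptions made for the example) and flags msbuild.exe when its project file lives on a UNC path or when it was spawned by an interactive parent such as explorer.exe, which is what a double-clicked LNK produces.

```python
"""Heuristic triage of process-creation events for MSBuild-based LOLBin delivery.

Added example (not the campaign's or the vendor's code). The event layout
mirrors Sysmon event 1 / Windows 4688 fields but is constructed here.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed sample data)."""
    parent_image: str
    image: str
    command_line: str


# A UNC path such as \\host\share\project.xml, i.e. a project file fetched over SMB.
UNC_PATH = re.compile(r"\\\\[\w.\-]+\\[^\s\"']+")

# Parents that indicate an interactive launch (e.g. a user opening a LNK)
# rather than a build tool or CI agent invoking MSBuild. Assumed list.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def msbuild_reasons(ev: ProcEvent) -> list[str]:
    """Return the heuristic findings for one event; an empty list means not flagged."""
    if basename(ev.image) != "msbuild.exe":
        return []
    reasons = []
    match = UNC_PATH.search(ev.command_line)
    if match:
        reasons.append(f"project file on SMB share: {match.group(0)}")
    parent = basename(ev.parent_image)
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"launched by interactive parent: {parent}")
    return reasons


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and findings for every flagged event, in input order."""
    return [(i, r) for i, ev in enumerate(events) if (r := msbuild_reasons(ev))]


# Constructed sample telemetry: one LOLBin-style launch, one benign build, one borderline case.
SAMPLE_EVENTS = [
    ProcEvent(
        parent_image="C:\\Windows\\explorer.exe",
        image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
        command_line="MSBuild.exe \\\\203.0.113.10\\share\\build.xml",
    ),
    ProcEvent(
        parent_image="C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe",
        image="C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe",
        command_line="MSBuild.exe C:\\src\\app\\app.csproj /t:Build",
    ),
    ProcEvent(
        parent_image="C:\\Windows\\System32\\cmd.exe",
        image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
        command_line="MSBuild.exe C:\\Users\\Public\\x.xml",
    ),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

On the sample data the first and third events are flagged (the first on both signals, the third only on its parent) and the Visual Studio build is left alone. In a real pipeline the parent list and the UNC check would be tuned per environment, since developer workstations that legitimately build from network shares would otherwise generate noise.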
