
New Banking Trojan BBTok Targets 40+ Latin American Banks

An ongoing malware campaign in Latin America is spreading a new banking trojan named BBTok, primarily in Brazil and Mexico.

"The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks victims into entering its 2FA code to their bank accounts or payment card number," Check Point reported this week.

A custom server-side PowerShell script generates payloads that are unique to each victim, based on operating system and country, which are then delivered through phishing emails using a variety of file types.

BBTok, a Windows-based banking trojan, first appeared in 2020. It can enumerate and kill processes, execute remote commands, manipulate keyboard input, and serve fake login pages for banks in both countries.

The attack chains are simple: a fake link or ZIP attachment silently deploys the malware from a remote server (216.250.251[.]196) while a decoy document is shown to the victim.

The payloads also differ between Windows 7 and Windows 10, largely to evade newer detection mechanisms such as the Antimalware Scan Interface (AMSI), which lets security products scan script content before it runs.

Other evasion measures include living-off-the-land binaries (LOLBins) and geofencing checks that confirm a target is located in Brazil or Mexico before the malware is served via PowerShell.

BBTok connects to a remote server and accepts commands to replicate bank security verification pages, impersonating Latin American bank interfaces in order to steal user credentials and authentication information for online bank account takeover.

"What's notable is the operator's cautious approach: all banking activities are only executed by direct C2 server command, not automatically on every infected system," the company added.

Check Point found that the malware's concealment and targeting had improved since 2020, expanding beyond Mexican banks. The use of Spanish and Portuguese in the source code and phishing emails points to the perpetrators' origin.

An SQLite database on the server hosting the payload-generating component, which tracks access to the malicious program, suggests more than 150 BBTok infections.

The targeting and wording suggest the threat actors are from Brazil, the epicentre of powerful financial malware.

According to Check Point, "BBTok has been able to remain under the radar due to its elusive techniques and targeting victims only in Mexico and Brazil, it's evident that it is still actively deployed."

"It still threatens regional organisations and individuals due to its many capabilities and creative delivery method using LNK files, SMB, and MSBuild."

The Israeli cybersecurity company also disclosed a new large-scale phishing campaign that targeted over 40 prominent Colombian companies across several industries to deploy the Remcos RAT through a multi-stage infection chain.

Remcos, a sophisticated 'Swiss Army Knife' RAT, gives attackers full control over a compromised machine and can be utilised in a wide range of attacks. Check Point noted that Remcos infections can lead to data theft, follow-up infections, and account takeover.
