A recent finding by Check Point has brought to light an ongoing operation involving a variant of the BBTok banking malware in Latin America. This particular variant, first documented in 2020, imitates the user interfaces of dozens of Latin American banks.
Diving into details
The BBTok malware presents victims with counterfeit interfaces that masquerade as authentic banking portals for more than 40 prominent banks in Mexico and Brazil.
- The roster of targeted banks includes Citibank, Scotiabank, Banco Itaú, and HSBC.
- These interfaces are carefully crafted to deceive victims into divulging their personal and financial details, including their 2FA codes.
Modus operandi
- As per the researchers, a custom server-side PowerShell script is responsible for creating distinct payloads tailored to each target.
- These payloads are distributed through phishing emails employing various file formats.
- The phishing messages contain a malicious link; when clicked, it downloads either a ZIP archive or an ISO image, depending on the operating system running on the victim's device.
It's important to note that the attack chains differ between Windows 7 and Windows 10 systems; both are carefully designed to bypass security measures such as the Antimalware Scan Interface (AMSI).
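As an added illustration of how a defender might triage the MSBuild stage of a delivery chain like the one described above (example code written for this page, not Check Point's analysis tooling or the malware's own code), assume process-creation events that carry the parent image, image and command line. The heuristics are hypothetical: MSBuild launched from an interactive parent such as explorer.exe, a project file loaded from a UNC (SMB) path, or a project file sitting in a user's Downloads or AppData folder.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record, as an endpoint sensor would log it."""
    parent_image: str
    image: str
    cmdline: str

# Hypothetical heuristics for the MSBuild delivery stage (assumptions, not IoCs from the report).
MSBUILD_RE = re.compile(r"(^|\\)msbuild\.exe$", re.I)
UNC_RE = re.compile(r"\\\\[\w.-]+\\\S+")                       # \\host\share\... (SMB)
USER_DIR_RE = re.compile(r"[a-z]:\\users\\[^\\]+\\(downloads|appdata)\\", re.I)
# Parents typical of a double-clicked LNK or a script launch, not of a build system or IDE.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_msbuild(ev: ProcEvent) -> list[str]:
    """Return the reasons an MSBuild launch looks like payload delivery; [] if benign or not MSBuild."""
    if not MSBUILD_RE.search(ev.image):
        return []
    reasons = []
    if basename(ev.parent_image) in INTERACTIVE_PARENTS:
        reasons.append(f"spawned by {basename(ev.parent_image)} rather than a build tool")
    if UNC_RE.search(ev.cmdline):
        reasons.append("project file loaded over SMB (UNC path)")
    if USER_DIR_RE.search(ev.cmdline):
        reasons.append("project file in a user download/temp directory")
    return reasons

# Constructed sample events (not real telemetry): one legitimate IDE build, two suspicious launches.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe \\fileshare.example\public\invoice.xml"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\ana\Downloads\recibo\recibo.csproj"),
]

def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map the index of each flagged event to its list of reasons; unflagged events are dropped."""
    return {i: r for i, ev in enumerate(events) if (r := suspicious_msbuild(ev))}

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i].cmdline, "->", "; ".join(reasons))
```

Tune INTERACTIVE_PARENTS and the path patterns to the build tooling actually present in the environment before alerting on every hit.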
Who’s behind the attack?
Upon examining the server-side element, Check Point found a database named "links.sqlite." This database contains over 150 distinct entries, each corresponding to the table headers established by "db.php." Notably, the content is in Portuguese, strongly indicating a high likelihood that the threat actors behind this are of Brazilian origin.
The bottom line
While BBTok has managed to avoid detection, owing to its detection evasion capabilities and its focus solely on victims in Mexico and Brazil, it's clear that it's still in active use. Given its numerous functionalities and distinctive and innovative delivery approach using LNK files, SMB, and MSBuild, it continues to pose a threat to both organizations and individuals in the region.