
Check Point Research exposes new versions of the BBTok banking malware, which targets clients of over 40 Mexican and Brazilian banks

Highlights:


BBTok hits LATAM

Check Point Research recently discovered an active campaign operating and deploying a new variant of the BBTok banking malware in Latin America. In the research, we highlight newly discovered infection chains that use a unique combination of Living off the Land Binaries (LOLBins), resulting in low detection rates, even though the BBTok banking malware has been operating since 2020.

As we analyzed the campaign, we came across some of the threat actor’s server-side resources used in the attacks, targeting hundreds of users in Brazil and Mexico.

The server-side components are responsible for serving malicious payloads that were probably distributed through phishing links. We have observed numerous iterations of the same server-side scripts and configuration files which demonstrate the evolution of the BBTok banking malware deployment methods over time.

The evolution of BBTok

The BBTok banking malware, first revealed in 2020, was deployed in Latin America through fileless attacks. The banking malware has a wide set of functionalities, including enumerating and killing processes, keyboard and mouse control and manipulating clipboard contents. Alongside those, BBTok contains classic banking Trojan features, simulating fake login pages to a wide variety of banks operating in Mexico and Brazil.

Since it was first publicly disclosed, the BBTok operators have adopted new TTPs, all while still primarily utilizing phishing emails with attachments for the initial infection. Recently we have seen indications of the banking malware distributed through phishing links, and not as attachments to the email itself.

Since the last public reporting on BBTok in 2020, the operators’ tactics, techniques and procedures (TTPs) have evolved significantly, adding additional layers of obfuscation and downloaders, resulting in low detection rates.

BBTok remains active, targeting users in Brazil and Mexico, and employs multi-layered geo-fencing to ensure that infected machines are located in those countries only.

Multi-layered geo-fencing is a sophisticated approach to defining virtual boundaries around geographic areas. Rather than relying on a single location check, it uses multiple layers of such boundaries, each with its own specifications and criteria.

The BBTok banking malware has dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks and tricks victims into entering the 2FA code for their bank account, or in some cases their payment card number. An analysis of the payload server-side code revealed that the actors are actively maintaining diversified infection chains for different versions of Windows.

Posing as legitimate institutions, these fake interfaces coax unsuspecting users into divulging personal and financial details: the victim is tricked into entering the security code or token number that serves as the second factor for their bank account, which allows the attackers to take over the victim’s bank account. In some cases, this capability also tricks the victim into entering their payment card number.

Figure 1 – Examples of fake interfaces embedded within the BBTok Banker

During the research, CPR was able to identify a database of BBTok malware victims in Mexico that contained over 150 entries with the victims’ information:

Figure 2 – Database with victims information

Figure 3 – Geographical distribution of the victims within Mexico

Beware of online phishing attempts

Phishing attacks can have a number of different goals, including malware delivery, stealing money, and credential theft. However, most phishing scams designed to steal your personal information can be detected if you pay enough attention.

Here are a few phishing prevention tips to keep in mind:

1. Always be suspicious of password reset emails

Password reset emails are designed to help when you cannot recall the password for your account. By clicking on a link, you can reset the password to that account to something new. Not knowing your password is, of course, also the problem that cybercriminals face when trying to gain access to your online accounts. By sending a fake password reset email that directs you to a lookalike phishing site, they can convince you to type in your account credentials and send those to them. If you receive an unsolicited password reset email, always visit the website directly (do not click on embedded links) and change your password to something different on that site (and any other sites with the same password).
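The advice above comes down to one check that can be automated: does the link in a "reset your password" email actually lead to the site the email claims to come from? The following is an added example, not code from the Check Point post, that extracts the anchors from an HTML email body and flags links whose host is not the expected domain, links whose visible text names a different domain than the href, and punycode (IDN) hosts of the kind lookalike phishing sites use. The sample email body, the bank domain and the punycode label are all constructed for the demo; `registrable_domain` is a deliberately simple two-label approximation, and production code should use a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "password reset" email with one honest link and two
# lookalike links. The domains and the punycode label are made up for the demo.
SAMPLE_EMAIL_HTML = """
<p>We received a request to reset your password.</p>
<p><a href="https://accounts.example-bank.com/reset?token=abc">accounts.example-bank.com</a></p>
<p>If that does not work, use
   <a href="https://example-bank.com.login-verify.net/reset">https://example-bank.com/reset</a></p>
<p>Secure portal: <a href="https://xn--exmple-bank-9cb.com/reset">example-bank.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the demo; use a public-suffix list in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_from_text(text):
    """Return a hostname if the visible link text looks like a URL or bare domain, else None."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def check_email_links(html, expected_domain):
    """Return one finding per suspicious link.

    expected_domain is the registrable domain of the site the email claims to be from.
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable_domain(host) != expected_domain:
            reasons.append("host is not the expected domain")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode/IDN host (possible homoglyph lookalike)")
        text_host = host_from_text(text)
        if text_host and registrable_domain(text_host) != registrable_domain(host):
            reasons.append("visible text names a different domain than the href")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_email_links(SAMPLE_EMAIL_HTML, "example-bank.com"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run as-is, the honest `accounts.example-bank.com` link produces no finding, while the `login-verify.net` link is flagged twice (wrong host, and the visible text claims `example-bank.com`) and the punycode host is flagged three times. The same logic is what a mail gateway or a careful reader applies: judge the link by where the href really goes, never by what the link text says.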

2. Never share your credentials

Credential theft is a common goal of cyberattacks. Many people reuse the same usernames and passwords across many different accounts, so stealing the credentials for a single account is likely to give an attacker access to a number of the user’s online accounts.

As a result, phishing attacks are designed to steal login credentials in various ways, such as:

3. Always note the language in the email

Social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of people in positions of authority.

Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment. Some common phishing techniques include:

Protecting Against Phishing Attacks: To learn more about protecting your organization against phishing, contact us and check out our advanced anti-phishing solution.

Check Point customers using Threat Emulation and Check Point Harmony Endpoint remain protected against the threat reported in this research.

To get the full research visit https://research.checkpoint.com/
