A recent discovery by Check Point has revealed an ongoing operation involving a variation of the BBTok banking malware in Latin America. This particular variation, which was first discovered in 2020, imitates the user interfaces of multiple Latin American banks.
The BBTok malware presents victims with fake interfaces that appear to be genuine banking portals for more than 40 prominent banks in Mexico and Brazil. These targeted banks include Citibank, Scotiabank, Banco Itaú, and HSBC. The fraudulent interfaces are carefully designed to trick victims into revealing their personal and financial information, including their 2FA codes.
According to researchers, a custom server-side PowerShell script is responsible for creating specific payloads for each target. These payloads are distributed through phishing emails using various file formats. When the malicious link in the phishing messages is clicked, it downloads either a ZIP archive or an ISO image based on the victim’s operating system.
It’s worth noting that the attack methods differ between Windows 7 and Windows 10 systems and are designed to bypass security measures like the Antimalware Scan Interface (AMSI).
Upon examining the server-side element, Check Point discovered a database called “links.sqlite”, which contains over 150 entries in Portuguese, indicating a high likelihood that the threat actors behind this operation are of Brazilian origin.
In conclusion, while BBTok has remained undetected due to its evasion capabilities and its focus on victims in Mexico and Brazil, it is still actively being used. With its various functionalities and unique delivery approach using LNK files, SMB, and MSBuild, it continues to pose a threat to both organizations and individuals in the region.
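The delivery chain described above (a phishing link that serves a ZIP archive or ISO image, with LNK shortcut files doing the initial execution) gives defenders a cheap triage point at the mail gateway: archives arriving from external senders should not contain Windows shortcuts. The script below is an added example written for this article, not Check Point's code or any artifact from the BBTok campaign. It inspects a ZIP attachment and flags entries that are shortcuts either by extension or by the LNK file header (the `HeaderSize` value 0x4C followed by the ShellLink CLSID), so a shortcut renamed to `invoice.pdf` is still caught. The sample archive is constructed inline; ISO images are not handled because the standard library has no ISO 9660 reader, so a real gateway would pair this with an ISO-aware scanner.

```python
import io
import zipfile

# Signature of a Windows shortcut (.lnk): HeaderSize 0x4C (little-endian) followed by
# the ShellLink CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID encoding.
LNK_MAGIC = bytes.fromhex("4C000000011402000000000000C000000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the byte string starts with the ShellLink header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def find_shortcuts_in_zip(archive_bytes: bytes) -> list:
    """Return one finding per archive entry that looks like a Windows shortcut.

    Each finding records whether the entry was flagged by its extension, by its
    header bytes, or both; the header check is what catches disguised shortcuts.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext_hit = info.filename.lower().endswith(".lnk")
            # Read only the header so triage stays cheap even for large entries.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            magic_hit = is_lnk(head)
            if ext_hit or magic_hit:
                findings.append(
                    {
                        "name": info.filename,
                        "ext_lnk": ext_hit,
                        "magic_lnk": magic_hit,
                        "size": info.file_size,
                    }
                )
    return findings


def build_sample_archive() -> bytes:
    """Constructed test input (not a real campaign sample): one benign text file,
    one file with a .lnk extension, and one shortcut disguised as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("statement.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("invoice.pdf", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_shortcuts_in_zip(build_sample_archive()):
        print(finding)
```

Running the script reports `statement.lnk` (extension and header) and `invoice.pdf` (header only), while `readme.txt` passes; a gateway rule would quarantine the message on any finding rather than only on the `.lnk` extension.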