BBTok Banking Trojan Impersonates 40+ Banks to Hijack Victim Accounts

Threat actors are targeting hundreds of banking customers in Latin America with a new variant of an existing banking Trojan that replicates the interfaces of more than 40 Mexican and Brazilian banks. The campaign is aimed at tricking infected victims into giving up two-factor authentication (2FA) and/or payment-card details so attackers can hijack their bank accounts.

The active campaign — the initial infection vector of which is through phishing — is aimed at spreading a variant of the BBTok banking malware to victims in Mexico and Brazil, researchers from Check Point Software revealed in a blog post on Sept. 20.

The actors behind the campaign are maintaining diversified infection chains for different versions of Windows to widen the scope of the attacks, using "a unique combination of Living off the Land Binaries (LOLBins), resulting in low detection rates," the Check Point Team wrote in the post.

These advanced obfuscation techniques, the distribution of BBTok through phishing links rather than attachments, and advanced geofencing to ensure victims are located only in Brazil and Mexico all demonstrate an evolution in the tactics of the attackers distributing the malware, according to the researchers.

The campaign's most distinctive feature is its use of fake interfaces for more than 40 banks in Mexico and Brazil, which are so convincing that they "coax unsuspecting users into divulging personal and financial details, tricking the victim into entering the security code/ token number that serves as 2FA for [a] bank account," the Check Point Team wrote.

This ultimately allows attacks to take over the victim's bank account by using their credentials. In some cases, people even go so far as to enter their payment card number directly into the malicious interfaces, the researchers added.

Hallmarks of the Campaign

BBTok has been active as a banking malware in Latin America since 2020, with attackers first deploying it through fileless attacks. The malware's functionalities include enumerating and killing processes, keyboard and mouse control, and manipulating clipboard contents, along with classic banking Trojan features, according to Check Point.

The researchers identified the latest variant and campaign in part by analyzing server-side resources of the threat actors behind BBTok, which serve the malicious payloads that are distributed through phishing links. Attackers use multi-layered geofencing — a sophisticated targeting and evasion tactic — to ensure that victims that receive the phishing messages are only located in Brazil and Mexico, the researchers noted.

In fact, during its research, Check Point discovered a database of some BBTok malware victims in Mexico that included more than 150 entries with victims' information, confirming the success of the operation, which remains active.

Attackers' Sophistication Demands Vigilance

The recent findings regarding the latest BBTok variant and campaign expose once again how threat actors are constantly evolving threat tactics to steal banking and other credentials for financial gain, calling on users to be more sophisticated in their vigilance as well.

"Phishing attacks can have a number of different goals, including malware delivery, stealing money, and credential theft," according to Check Point. "However, most phishing scams designed to steal your personal information can be detected if you pay enough attention."

Key ways that people can do this so as not to fall victim to scams include to always be suspicious of password-reset emails, visiting websites directly rather than clicking on embedded links if prompted by a banking site to reset their password.

Check Point also reiterated some common ways that malicious actors try to convince people to share credentials, including lookalike sites like the ones used in the latest BBTok campaign, and scams in which attackers impersonate customer-support specialists from known companies like Microsoft or Apple. The researchers advised that people never share credentials with anyone outside of logging in directly to the websites that require them.

Finally, people should be aware of common social-engineering language used specifically to get people to ignore initial suspicions about a phishing email and go on to click a link or open an attachment against their better judgment.

Some common phishing techniques include fake order or delivery notices that impersonate trusted brands; business email compromise (BEC) attacks that impersonate an executive or someone with authority in an organization to fool employees into taking action that defrauds them financially; or messages requesting payment of an outstanding invoice as a way to get someone to transfer money to attackers or deliver malware via a malicious document.