BBTok, a malware first detected in 2020, is an ongoing threat primarily targeting users of over 40 banks in Latin America. The Trojan's activities are concentrated in Brazil and Mexico, employing sophisticated multi-layered geo-fencing to ensure that only machines from these countries are infected. It was initially deployed through fileless attacks, but its distribution method has evolved significantly since then. BBTok is now typically disseminated via phishing emails with malicious attachments or links leading to the download of ZIP or ISO files containing LNK files that initiate the infection process.
Since its initial detection, the operators' tactics, techniques, and procedures (TTPs) have been continually refined, adding further layers of obfuscation and downloaders that result in low detection rates. A newly observed technique embeds the DLL payload directly within the downloaded ISO file, improving its evasion capabilities. BBTok also abuses legitimate Windows utility commands for further evasion, making it particularly challenging to detect and neutralize.
BBTok poses a significant threat due to its advanced capabilities for credential theft and data exfiltration. It shares geographical targets such as Brazil, Chile, Mexico, and Argentina with another malware family, Mekotio, but BBTok specifically narrows its focus to the financial sector within the Latin American region. Given its evolving tactics and targeted approach, BBTok remains a formidable cybersecurity challenge in Latin America.
Description last updated: 2024-10-17T11:45:52.015Z