
BBTok Banking Trojan Impersonates Over 40 Banks, Hijacks Victim Accounts


A new variant of a banking Trojan is currently targeting hundreds of banking customers in Latin America. This variant replicates the interfaces of over 40 Mexican and Brazilian banks in order to trick victims into giving up their two-factor authentication (2FA) and payment-card details. The goal of the attackers is to hijack the victims’ bank accounts and gain unauthorized access.

According to researchers from Check Point Software, the campaign is actively spreading a variant of the BBTok banking malware through phishing attacks. The initial infection vector is through phishing links, rather than attachments. The attackers behind the campaign are using advanced obfuscation techniques and diversified infection chains for different versions of Windows to increase the scope of their attacks. They utilize Living off the Land Binaries (LOLBins), resulting in low detection rates.

The distribution of BBTok through phishing links and the use of advanced geofencing techniques demonstrate an evolution in the tactics of the attackers. They want to ensure that their victims are located only in Brazil and Mexico, making their attacks more targeted and effective. The most distinctive feature of this campaign is the use of fake interfaces for more than 40 banks in Mexico and Brazil. These interfaces are so convincing that unsuspecting users are tricked into divulging personal and financial details, including the security code/token number for their bank account. This allows the attackers to take over the victims’ bank accounts and potentially steal their funds.

BBTok has been active in Latin America since 2020, initially deployed through fileless attacks. The malware’s functionalities include enumerating and killing processes, keyboard and mouse control, and manipulating clipboard contents, along with classic banking Trojan features. The researchers discovered the latest variant and campaign by analyzing the server-side resources of the threat actors behind BBTok. These resources serve the malicious payloads distributed through phishing links. The attackers use sophisticated geofencing to ensure that the phishing messages are only received by victims located in Brazil and Mexico.

During their research, Check Point also found a database of more than 150 entries with victims’ information, confirming the success and ongoing nature of the operation. This highlights the need for increased vigilance and sophisticated security measures to protect against such attacks.

Phishing attacks can have various objectives, including malware delivery, money stealing, and credential theft. Detecting these scams requires careful attention from users. It is important to be suspicious of password-reset emails and to visit websites directly rather than clicking on embedded links. Additionally, users should be cautious of lookalike sites and should only share their credentials with websites that require them.
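The advice above about lookalike sites can be turned into a simple mail-gateway or user-facing check. The following is an added example, not code from Check Point or from the article: it extracts links from a message and classifies each hostname as a known bank domain, a lookalike of one (homoglyph digits, brand name embedded in a foreign domain, punycode labels, or a one-or-two-character edit of the brand label), or unrelated. The allow-list of bank domains and the sample message are constructed placeholders, not domains from the campaign.

```python
"""Flag links whose hostname resembles a known bank domain (defensive triage aid).

Constructed example: KNOWN_BANK_DOMAINS and SAMPLE_MESSAGE are placeholders,
not domains or data from the BBTok report.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed allow-list of legitimate bank hostnames (placeholders).
KNOWN_BANK_DOMAINS = ("examplebank.com.br", "bancoejemplo.mx")

# Substitutions commonly used to build look-alike names; folded before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

URL_RE = re.compile(r'https?://[^\s<>"\')]+', re.IGNORECASE)


def fold_homoglyphs(host: str) -> str:
    """Map digit/letter-pair substitutions back to the letters they imitate."""
    for bad, good in HOMOGLYPHS.items():
        host = host.replace(bad, good)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character brand misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'known', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    # Exact match or a genuine subdomain of a known bank domain.
    if host in KNOWN_BANK_DOMAINS or any(host.endswith("." + d) for d in KNOWN_BANK_DOMAINS):
        return "known"
    # Internationalized (punycode) labels are a common homoglyph vehicle.
    if "xn--" in host:
        return "lookalike"
    norm = fold_homoglyphs(host)
    for legit in KNOWN_BANK_DOMAINS:
        brand = legit.split(".")[0]
        # Brand name embedded somewhere in a domain we do not own.
        if brand in norm:
            return "lookalike"
        # Any label within two edits of the brand label (e.g. a swapped letter).
        if any(edit_distance(label, brand) <= 2 for label in norm.split(".")):
            return "lookalike"
    return "unrelated"


def flag_links(message: str) -> list[tuple[str, str]]:
    """Extract http(s) links from a message and classify each hostname."""
    results = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results


# Constructed sample message (placeholder text, not from the campaign).
SAMPLE_MESSAGE = """Prezado cliente, confirme seu token em
https://www.examp1ebank.com.br.seguro-login.net/auth
ou acesse https://www.examplebank.com.br/ajuda
Mais detalhes: https://noticias.example.org/artigo"""

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_MESSAGE):
        print(f"{verdict:10s} {url}")
```

The checks are deliberately conservative: a lookalike verdict is a prompt for the user or analyst to navigate to the bank directly, as the paragraph above recommends, rather than a block decision on its own.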

Other common social engineering techniques used in phishing attacks include fake order or delivery notices impersonating trusted brands, business email compromise (BEC) attacks that impersonate executives or individuals with authority, and messages requesting payment of an outstanding invoice. Users should always exercise caution and follow best practices to protect themselves from falling victim to these scams.

The recent findings regarding the latest BBTok variant and campaign highlight the sophistication of threat actors and the need for continuous vigilance to protect against evolving threats. By staying informed and implementing effective security measures, individuals and organizations can better safeguard their financial information and prevent unauthorized access to their accounts.
