URL: https://securityaffairs.com/151360/malware/bbtok-trojan-latam.html?_gl=1
Submission: On September 25 via api from TR — Scanned from DE
New variant of BBTok Trojan targets users of +40 banks in LATAM
Pierluigi Paganini, September 25, 2023

A new variant of a banking trojan, called BBTok, targets users of over 40 banks in Latin America, particularly Brazil and Mexico.

Check Point researchers warn of a new variant of a banking trojan, called BBTok, that is targeting users of over 40 banks in Latin America. The new malware campaign relies on new infection chains and employs a unique combination of Living off the Land Binaries (LOLBins). The campaign has a low detection rate even though BBTok first appeared in the threat landscape in 2020.

The researchers reported that BBTok is mainly targeting users in Brazil and Mexico, employing multi-layered geo-fencing to avoid infecting systems in other countries.

“The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering its 2FA code to their bank accounts or into entering their payment card number,” reads the report published by Check Point. “The newly identified payloads are generated by a custom server-side application, responsible for generating unique payloads for each victim based on operating system and location.”

BBTok supports a wide set of capabilities: it allows operators to remotely execute commands and replicates the interfaces of multiple Latin American banks, including over 40 major banks in Mexico and Brazil. The list of targeted banks includes Citibank, Scotiabank, Banco Itaú and HSBC.
The malware displays a fake interface posing as a legitimate bank, designed to trick users of the targeted banks into providing their personal and financial information, including 2FA codes. BBTok is written in Delphi and uses the Visual Component Library (VCL) to dynamically generate the interfaces.

The researchers reported that a custom server-side PowerShell script generates unique payloads for each victim. The payload is delivered via phishing emails that use multiple file types. The phishing messages include a malicious link; clicking it downloads either a ZIP archive or an ISO image, depending on the operating system of the victim’s machine. The attack chains differ between Windows 7 and Windows 10 systems and are devised to evade security measures such as the Antimalware Scan Interface (AMSI).

“What’s notable is the operator’s cautious approach: all banking activities are only executed upon direct command from its C2 server, and are not automatically carried out on every infected system,” continues the report.

The analysis of the server-side component revealed the presence of the database “links.sqlite.” The database includes more than 150 unique entries (users infected by BBTok), each aligning with the table headers created by “db.php.” The content is in Portuguese, which suggests with high probability that the threat actors are Brazilian.

“Although BBTok has been able to remain under the radar due to its elusive techniques and targeting victims only in Mexico and Brazil, it’s evident that it is still actively deployed. Due to its many capabilities, and its unique and creative delivery method involving LNK files, SMB and MSBuild, it still poses a danger to organizations and individuals in the region,” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini (SecurityAffairs – hacking, BBTok)