Saturday, December 14, 2024

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected


Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions and judicial-related matters. 

Business-transaction lures exploit trust and judicial lures exploit fear. In both cases the emails carry malicious links or file attachments that lead to malware infections: typically embedded links that send users to fake websites, or malicious PDF and ZIP files containing trojans.

Manufacturing companies have been the primary targets of these attacks, followed by retail, technology, and financial services. Mekotio, BBTok, and Grandoreiro are prominent banking trojans used in these scams.

A Mekotio phishing email with an embedded link

Mekotio and BBTok, two malware families targeting Latin America, have expanded their geographic scope and adopted new evasion techniques. Mekotio, initially focused on Brazil, now targets several Spanish-speaking countries and parts of Southern Europe, and uses obfuscated PowerShell scripts to evade detection.

BBTok, once limited to the Latin American financial sector, has expanded in a similar way and now infects victims through LNK files and DLL payloads embedded in ISO files, with enhanced credential theft and data exfiltration capabilities.


Both malware families pose a significant threat to the region due to their versatility and persistence.

Mekotio’s observed infection chain

The Mekotio variant reaches victims through phishing emails that lure them to malicious websites, which serve a ZIP file containing an obfuscated batch file. The batch file runs a PowerShell script that contacts a secondary URL to download additional malware or exfiltrate data.

The script checks the system’s geolocation and environment to tailor its actions, including downloading a final ZIP file containing AutoHotKey.exe, an AutoHotKey script, and the Mekotio DLL. 

These components are used to execute the final stage of the attack, while an autorun registry entry ensures persistence.

Unlike previous variants, this Mekotio variant appears to have a broader targeting scope, potentially affecting a wider range of countries.

BBTok’s observed infection chain

The BBTok infection chain begins with a phishing email containing a malicious link.

Clicking the link downloads a malicious ISO file containing an LNK file; when the LNK file is opened, it launches MSBuild.exe, the legitimate Microsoft build tool.

MSBuild.exe loads a malicious XML project file from the ISO, which generates a malicious DLL and executes it with rundll32.exe. The DLL connects to the attacker’s C&C server, establishes persistence by modifying the system registry, and extracts additional payloads from a ZIP file stored within the ISO.

According to Trend Micro, the malware then executes these payloads, continuing the attack and gaining further control over the compromised system.
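The two process chains described above (Mekotio's batch file launching hidden or encoded PowerShell and then AutoHotkey, and BBTok's LNK file launching MSBuild.exe on a project file from the ISO, followed by rundll32.exe and a registry Run key) are what an endpoint detection would look for. The following is an added example, not code from the original article or from Trend Micro's research: it runs simple parent/child and path rules over constructed Sysmon Event ID 1 style process-creation records. The file names, drive letters, PIDs and the Run-key write via reg.exe are assumptions made for the sample, and the "system drive is C:" and "user-writable directory" heuristics are assumptions a real deployment would tune.

```python
"""Detection rules for the Mekotio and BBTok process chains, run over
Sysmon Event ID 1 style process-creation records. Sample events below are
constructed for illustration, not real telemetry."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# Directories a standard user can write to (assumption: default Windows layout).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata|desktop)|windows\\temp|programdata|public)\\", re.I)
# PowerShell switches typical of obfuscated launchers: encoded command, hidden window, policy bypass.
PS_EVASION = re.compile(
    r"(?:^|\s)-(?:(?:e|ec|enc|encodedcommand)\s|w(?:indowstyle)?\s+hidden|(?:ep|executionpolicy)\s+bypass)",
    re.I)
RUN_KEY = re.compile(r"currentversion\\run\b", re.I)


def _name(image):
    return ntpath.basename(image).lower()


def _args(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _untrusted_path(path):
    """Heuristic: a mounted ISO appears as a new drive letter, so a file outside
    the system drive (assumed C:) or under a user-writable directory is an
    untrusted input for a build tool or script interpreter."""
    drive = ntpath.splitdrive(path)[0].upper()
    return (drive != "" and drive != "C:") or bool(USER_WRITABLE.search(path))


def detect(events):
    """Return (rule, pid) pairs for every event matching an infection-chain rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = _name(parent.image) if parent else ""
        name = _name(e.image)
        args = _args(e.cmdline)[1:]
        # BBTok: the LNK (opened through explorer.exe) starts MSBuild.exe on a
        # project file shipped inside the ISO, which builds and runs the payload.
        if name == "msbuild.exe" and pname == "explorer.exe":
            projects = [a for a in args if a.lower().endswith((".xml", ".proj", ".csproj", ".targets"))]
            if any(_untrusted_path(p) for p in projects):
                alerts.append(("msbuild_project_from_untrusted_path", e.pid))
        # BBTok: the generated DLL is executed through rundll32.exe.
        if name == "rundll32.exe" and pname == "msbuild.exe":
            alerts.append(("rundll32_spawned_by_msbuild", e.pid))
        # Mekotio: the obfuscated batch file launches hidden or encoded PowerShell.
        if name == "powershell.exe" and pname == "cmd.exe" and PS_EVASION.search(e.cmdline):
            alerts.append(("encoded_powershell_from_batch", e.pid))
        # Mekotio: the AutoHotkey interpreter runs a script dropped in a user-writable directory.
        if name == "autohotkey.exe" and any(
                _untrusted_path(a) for a in args if a.lower().endswith(".ahk")):
            alerts.append(("autohotkey_script_from_untrusted_path", e.pid))
        # Both families: autorun persistence through a Run key (here written with reg.exe).
        if name == "reg.exe" and re.search(r"\badd\b", e.cmdline, re.I) and RUN_KEY.search(e.cmdline):
            alerts.append(("run_key_persistence", e.pid))
    return alerts


SAMPLE_EVENTS = [  # constructed records; E: is the mounted ISO
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "E:\Documento.xml"'),
    ProcEvent(300, 200, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\ab.dll",#1'),
    ProcEvent(301, 300, r"C:\Windows\System32\reg.exe",
              r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ '
              r'/d "C:\Windows\System32\rundll32.exe C:\Users\victim\AppData\Local\Temp\ab.dll,#1"'),
    ProcEvent(400, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\victim\Downloads\Comprobante.bat"'),
    ProcEvent(401, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -enc QQBCAEMA"),  # QQBCAEMA is UTF-16LE "ABC", a placeholder
    ProcEvent(402, 401, r"C:\Users\victim\AppData\Roaming\upd\AutoHotkey.exe",
              r'"C:\Users\victim\AppData\Roaming\upd\AutoHotkey.exe" "C:\Users\victim\AppData\Roaming\upd\run.ahk"'),
    # Benign control: a developer build launched from the IDE must not fire.
    ProcEvent(500, 100, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(501, 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\src\app\app.csproj'),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The parent/child rules are the durable part: MSBuild.exe started by explorer.exe on a project file from a freshly mounted drive, and rundll32.exe as a child of MSBuild.exe, are rare in legitimate use, whereas the path heuristics will need tuning per environment (developers who keep source on a D: drive, for example).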

The extracted zip file

Cybercriminals are increasingly targeting Latin American users with phishing scams designed to steal banking credentials and execute unauthorized transactions. The malware behind these campaigns is becoming more adept at evading detection and stealing sensitive information, and the gangs operating it are growing bolder, targeting larger groups for greater profit.

To mitigate these risks, enterprises should implement advanced threat detection systems, update security protocols regularly, and educate employees about phishing recognition and response.

A proactive and zero-trust approach to cybersecurity is essential for safeguarding financial systems against these evolving threats.
