BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions and judicial-related matters. 

By leveraging trust and fear, respectively, these attacks often involve malicious links or file attachments that lead to malware infections, which include common tactics like embedded links in emails directing users to fake websites and malicious PDF and ZIP files containing trojans. 

Manufacturing companies have been the primary targets of these attacks, followed by retail, technology, and financial services. Mekotio, BBTok, and Grandoreiro are prominent banking trojans used in these scams.

Mekotio and BBTok, two malware families targeting Latin America, have expanded their geographic scope and employed new evasion techniques, whereas Mekotio, initially focused on Brazil, now targets multiple Spanish-speaking countries and parts of Southern Europe by using obfuscated PowerShell scripts to evade detection. 

BBTok, once limited to the Latin American financial sector, has adopted a similar geographic expansion and now uses LNK files and embedded DLL payloads in ISO files to infect victims, enhancing its credential theft and data exfiltration capabilities.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Both malware families pose a significant threat to the region due to their versatility and persistence.

The Mekotio variant targets victims through phishing emails, luring them to malicious websites that download a ZIP file containing an obfuscated batch file, which executes a PowerShell script that connects to a secondary URL to download additional malware or exfiltrate data. 

The script checks the system’s geolocation and environment to tailor its actions, including downloading a final ZIP file containing AutoHotKey.exe, an AutoHotKey script, and the Mekotio DLL. 

These components are used to execute the final stage of the attack, while an autorun registry entry ensures persistence.

Unlike previous variants, this Mekotio variant appears to have a broader targeting scope, potentially affecting a wider range of countries.

The BBTok malware employs a sophisticated infection chain that begins with a phishing email containing a malicious link.

Upon clicking this link, a malicious ISO file is downloaded, containing an LNK file that, when executed, triggers the execution of MSBuild.exe. 

MSBuild.exe loads a malicious XML file from the ISO, which generates and executes a malicious DLL file using rundll32.exe, which connects to the attacker’s C&C server, establishes persistence by modifying the system registry, and extracts additional payloads from a ZIP file within the ISO. 

According to Trend Micro, the malware then executes these payloads, continuing the attack and gaining further control over the compromised system.

Cybercriminals are increasingly targeting Latin American users with sophisticated phishing scams designed to steal banking credentials and execute unauthorized transactions, which, becoming more adept at evading detection and stealing sensitive information, are used by gangs that are growing bolder in targeting larger groups for greater profit. 

To mitigate these risks, enterprises should implement advanced threat detection systems, update security protocols regularly, and educate employees about phishing recognition and response.

A proactive and zero-trust approach to cybersecurity is essential for safeguarding financial systems against these evolving threats.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!