Cyber Security News

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions and judicial-related matters. 

Trading on trust (business transactions) and fear (judicial matters) respectively, these attacks typically deliver malware through malicious links or file attachments: embedded links in emails that send users to fake websites, and malicious PDF and ZIP files that carry trojans. 

Manufacturing companies have been the primary targets of these attacks, followed by retail, technology, and financial services. Mekotio, BBTok, and Grandoreiro are prominent banking trojans used in these scams.

A Mekotio phishing email with an embedded link

Mekotio and BBTok, two malware families targeting Latin America, have expanded their geographic scope and adopted new evasion techniques. Mekotio, initially focused on Brazil, now targets several Spanish-speaking countries and parts of Southern Europe, and uses obfuscated PowerShell scripts to evade detection. 

BBTok, once limited to the Latin American financial sector, has expanded in a similar way; it now uses LNK files and DLL payloads embedded in ISO files to infect victims, strengthening its credential-theft and data-exfiltration capabilities.


Both malware families pose a significant threat to the region due to their versatility and persistence.

Mekotio’s observed infection chain

The Mekotio variant targets victims through phishing emails that lure them to malicious websites, which download a ZIP file containing an obfuscated batch file. The batch file executes a PowerShell script that connects to a secondary URL to download additional malware or exfiltrate data. 

The script checks the system’s geolocation and environment to tailor its actions, including downloading a final ZIP file containing AutoHotKey.exe, an AutoHotKey script, and the Mekotio DLL. 

These components are used to execute the final stage of the attack, while an autorun registry entry ensures persistence.

Unlike previous variants, this Mekotio variant appears to have a broader targeting scope, potentially affecting a wider range of countries.

BBTok’s observed infection chain

The BBTok malware employs a sophisticated infection chain that begins with a phishing email containing a malicious link.

Clicking the link downloads a malicious ISO file containing an LNK file; when the LNK file is executed, it launches MSBuild.exe. 

MSBuild.exe loads a malicious XML file from the ISO, which generates a malicious DLL and executes it via rundll32.exe. The DLL connects to the attacker’s C&C server, establishes persistence by modifying the system registry, and extracts additional payloads from a ZIP file inside the ISO. 

According to Trend Micro, the malware then executes these payloads, continuing the attack and gaining further control over the compromised system.
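The two infection chains described above (Mekotio's AutoHotKey.exe stage with an autorun registry entry, and BBTok's LNK → MSBuild.exe → rundll32.exe hand-off from a mounted ISO) leave process-creation and registry-set events that a SOC can match on. The script below is an added example written for this article, not code from Trend Micro or from either malware analysis; the events it scans are constructed, Sysmon-like samples with assumed field names (`image`, `parent`, `cmdline`, `key`, `data`), and the rule names are the author's own. It flags MSBuild.exe launched from explorer.exe or given a project file on a non-C: drive (where a mounted ISO usually lands), rundll32.exe whose parent is MSBuild.exe, AutoHotKey.exe running from a user-writable directory, and a Run key that points into such a directory, while leaving a developer's MSBuild run and a normal rundll32 launch alone.

```python
import json
import re

# Constructed, Sysmon-like events: "proc" = process creation, "reg" = registry value set.
# Paths, users and file names are illustrative samples, not telemetry from the campaign.
SAMPLE_EVENTS_JSON = r'''
[
 {"id": 1, "type": "proc", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
  "parent": "C:\\Windows\\explorer.exe",
  "cmdline": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe\" E:\\doc.xml"},
 {"id": 2, "type": "proc", "image": "C:\\Windows\\System32\\rundll32.exe",
  "parent": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
  "cmdline": "rundll32.exe C:\\Users\\Public\\stage.dll,Start"},
 {"id": 3, "type": "proc", "image": "C:\\Users\\ana\\AppData\\Local\\Temp\\upd\\AutoHotKey.exe",
  "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
  "cmdline": "AutoHotKey.exe C:\\Users\\ana\\AppData\\Local\\Temp\\upd\\run.ahk"},
 {"id": 4, "type": "reg", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
  "data": "C:\\Users\\ana\\AppData\\Local\\Temp\\upd\\AutoHotKey.exe C:\\Users\\ana\\AppData\\Local\\Temp\\upd\\run.ahk"},
 {"id": 5, "type": "proc", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
  "parent": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe",
  "cmdline": "MSBuild.exe C:\\src\\app\\app.csproj"},
 {"id": 6, "type": "proc", "image": "C:\\Windows\\System32\\rundll32.exe",
  "parent": "C:\\Windows\\explorer.exe",
  "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
]
'''

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|Downloads)\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path, with surrounding quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def drive_letter(path):
    """Upper-case drive letter of a Windows path, or None if it has none."""
    m = re.match(r'^"?([A-Za-z]):\\', path.strip())
    return m.group(1).upper() if m else None


def check_msbuild(ev):
    """MSBuild.exe started by explorer.exe (a double-clicked LNK) or handed a project
    file on a drive other than C:, which is where a mounted ISO typically appears."""
    if basename(ev["image"]) != "msbuild.exe":
        return None
    reasons = []
    if basename(ev["parent"]) == "explorer.exe":
        reasons.append("parent is explorer.exe")
    tokens = ev["cmdline"].split()
    project = tokens[-1].strip('"') if len(tokens) > 1 else ""
    drive = drive_letter(project)
    if drive and drive != "C":
        reasons.append(f"project file on drive {drive}: (possible mounted ISO)")
    return ("msbuild_suspicious_launch", "; ".join(reasons)) if reasons else None


def check_rundll32(ev):
    """rundll32.exe spawned by MSBuild.exe: the hand-off the BBTok chain relies on."""
    if basename(ev["image"]) == "rundll32.exe" and basename(ev["parent"]) == "msbuild.exe":
        return ("rundll32_from_msbuild", f"parent={ev['parent']}")
    return None


def check_autohotkey(ev):
    """AutoHotKey.exe executing from a user-writable directory (dropped, not installed)."""
    if basename(ev["image"]) == "autohotkey.exe" and USER_WRITABLE.search(ev["image"]):
        return ("autohotkey_user_writable", ev["image"])
    return None


def check_run_key(ev):
    """Autostart (Run/RunOnce) value whose data points into a user-writable directory."""
    if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
        return ("run_key_user_writable", f"{ev['key']} -> {ev['data']}")
    return None


def detect(events_json):
    """Apply every applicable check to every event; one finding per (event, rule) hit."""
    findings = []
    for ev in json.loads(events_json):
        checks = [check_run_key] if ev["type"] == "reg" else [check_msbuild, check_rundll32, check_autohotkey]
        for check in checks:
            hit = check(ev)
            if hit:
                findings.append({"id": ev["id"], "rule": hit[0], "detail": hit[1]})
    return findings


def flagged_ids(findings):
    """Sorted, de-duplicated event ids that produced at least one finding."""
    return sorted({f["id"] for f in findings})


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS_JSON):
        print(f"event {f['id']}: {f['rule']} ({f['detail']})")
```

Against the sample, events 1 through 4 are flagged and the two benign events (a Visual Studio build and a Control Panel launch via rundll32) are not. The checks are deliberately narrow parent/child and path heuristics rather than hash-based indicators, because both families rotate payloads but keep reusing the same legitimate Windows binaries in the same order.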

The extracted zip file

Cybercriminals are increasingly targeting Latin American users with sophisticated phishing scams designed to steal banking credentials and execute unauthorized transactions. The malware involved is becoming more adept at evading detection and stealing sensitive information, and the gangs behind it are growing bolder, targeting larger groups for greater profit. 

To mitigate these risks, enterprises should implement advanced threat detection systems, update security protocols regularly, and educate employees about phishing recognition and response.

A proactive and zero-trust approach to cybersecurity is essential for safeguarding financial systems against these evolving threats.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
