BBTok Trojan impersonates 40+ banks to seize victim accounts.

A trojan known as BBTok has been discovered targeting banks in Latin America, mainly affecting people in Brazil and Mexico. The discovery, made by researchers at Check Point, indicates that threat actors are deploying a variant of the BBTok banker in Latin America.

Check Point stated that:

“We highlight newly discovered infection chains that use a unique combination of Living off the Land Binaries (LOLBins). This results in low detection rates, even though the BBTok banker has operated since at least 2020.”

Check Point found that the threat actor's server-side component, which was used in compromising over 40 banks, holds payloads that were likely served to various targets via a phishing link.


The malware payloads were likely served via a phishing link to various targets. Image source: Check Point


Furthermore, Check Point stated in an article:

“We’ve observed numerous iterations of the same server-side scripts and configuration files which demonstrate the evolution of the BBTok banker deployment methods over time. This insight allows us to catch a glimpse of infection vectors that the actors have not yet implemented, as well as trace the origin of the source code employed for sustaining such operations.”

Additional findings show that the threat actor's active targets are Brazil and Mexico, with multi-layered geofencing ensuring that victims are from those countries. Since the malware was first reported in 2020, the threat actors' TTPs (tactics, techniques, and procedures) have become more sophisticated, with additional layers of obfuscation and a low detection rate for the malware.

BBTok is said to have dedicated functionality that replicates the interfaces of over 40 Mexican banks and manipulates victims into entering either their 2FA code or their payment card number. The new payloads are said to be generated by a custom server-side application, which builds each payload based on the victim's operating system and geolocation. Notably, the threat actors actively maintain payloads for different versions of the Windows operating system, employing various file types (*.ISO, *.ZIP, *.LNK, *.DOCX, *.JS, and *.XLL).

In addition, Check Point stated:

“The threat actors add open-source code, code from hacking forums, and new exploits, when those appear (e.g., Follina) to their arsenal.”

The malware first surfaced in 2020 with the ability to enumerate and kill processes, control the keyboard and mouse, and manipulate clipboard contents. It also includes classic banking trojan features, including the ability to simulate fake login pages for a wide variety of banks in Brazil and Mexico.

Since its disclosure, the threat actors have adopted new TTPs in addition to using phishing emails with a malicious file attached as the first point of infection.

Check Point stated that:

“Recently we’ve seen indications of the banker distributed through phishing links, and not as attachments to the email itself. Upon accessing the malicious link, an ISO or ZIP file is downloaded to the victim’s machine.”

Further analysis by Check Point found new links and uncovered the internal server-side resources used. The analysis indicates that the actor maintains a wide variety of infection chains, generated on demand with each click and tailored to the victim's operating system and location.


Different Banks Affected:

Threat actors are able to issue remote commands, and the malware can replicate the interfaces of different banks located in Latin America. Analysis of references in the code shows that Citibank, Scotiabank, Banco Itaú, and HSBC are among the banks the malware mimics.

By default, the malware clones the BBVA bank interface and poses as the legitimate bank, tricking users into divulging sensitive information such as personally identifiable information and financial details. However, the malware's main intent is to trick victims into disclosing the security code or token number that serves as 2FA, allowing the threat actor to take over the victim's account.

Check Point emphasized that:

“BBTok which is written in Delphi, uses the Visual Component Library (VCL) to create forms that quite literally form these fake interfaces. This allows the attackers to dynamically and naturally generate interfaces that fit the victim’s computer screen and a specific form for the bank of the victim, without raising any suspicion.”

Check Point also disclosed that:

“BBVA, which is the default bank the banker targets, has its interface stored in one such form named ‘TFRMBG’.”
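For analysts triaging a suspected sample, the form name above is something that can be searched for. The following is an added example, not code from Check Point or from the article: it lists the Delphi form classes embedded in a byte buffer and flags any on a watchlist. It assumes the usual layout of a Delphi binary form stream (a `TPF0` signature followed by length-prefixed class and object names), which is general Delphi behaviour rather than something stated in the article, and it assumes the payload is already unpacked; the sample bytes and the names `TfrmMain`, `frmMain` and `FRMBG` are constructed.

```python
import re

WATCHLIST = {"TFRMBG"}   # the only form name the article gives
SIGNATURE = b"TPF0"      # header of a Delphi binary form (DFM) stream
IDENT = re.compile(rb"[A-Za-z_][A-Za-z0-9_]*")


def read_name(data, pos):
    """Read a length-prefixed identifier at pos; return (text, next_pos) or None."""
    if pos >= len(data):
        return None
    length = data[pos]
    raw = data[pos + 1:pos + 1 + length]
    if length == 0 or len(raw) != length or not IDENT.fullmatch(raw):
        return None
    return raw.decode("ascii"), pos + 1 + length


def delphi_forms(data):
    """Return [(offset, class_name, object_name)] for each form header found."""
    found = []
    pos = data.find(SIGNATURE)
    while pos != -1:
        cls = read_name(data, pos + len(SIGNATURE))
        if cls:
            obj = read_name(data, cls[1])
            found.append((pos, cls[0], obj[0] if obj else ""))
        pos = data.find(SIGNATURE, pos + 1)
    return found


def flagged_forms(data, watchlist=WATCHLIST):
    """Forms whose class name is on the watchlist, compared case-insensitively."""
    wanted = {name.upper() for name in watchlist}
    return [form for form in delphi_forms(data) if form[1].upper() in wanted]


def sample_form(cls, obj):
    """Build a constructed form header (test data only, not from a real sample)."""
    return SIGNATURE + bytes([len(cls)]) + cls.encode() + bytes([len(obj)]) + obj.encode()


# Constructed sample: two form headers in filler bytes, plus a stray "TPF0"
# that is not followed by a valid identifier and must be ignored.
SAMPLE = (b"MZ" + b"\x00" * 30 + sample_form("TfrmMain", "frmMain") + b"\x00" * 8
          + b"TPF0\x00\xff" + sample_form("TFRMBG", "FRMBG") + b"\x00" * 4)

if __name__ == "__main__":
    for offset, cls, obj in delphi_forms(SAMPLE):
        mark = "  <-- watchlist" if cls.upper() in WATCHLIST else ""
        print(f"0x{offset:04x} {cls} ({obj}){mark}")
```

A single form name is a weak indicator on its own; treat a hit as a reason to look closer, and a miss as inconclusive when the sample is packed or obfuscated.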

The threat actors are also keeping up with the times: the findings show that they have been on the lookout for search strings such as ‘bitcoin’, ‘Electrum’, and ‘Binance’. BBTok is also not limited to manipulating browser interfaces; it has other sophisticated capabilities, such as installing malicious browser extensions or injecting a DLL named “rpp.dll” to strengthen its hold on infected systems.

BBTok has stayed under the radar for a while thanks to its elusive techniques and its targeting of a limited set of countries (Brazil and Mexico). However, it is evident that the malware is still actively deployed. Its complex functionality and its delivery method, involving LNK files and SMB build, make it a threat to organizations and individuals in the targeted region.



