BBTok Banking Trojan Impersonates 40+ Banks to Hijack Victim Accounts

Published: 23/11/2024   Category: security




Attackers use convincing fake website interfaces and sophisticated geo-fencing to target users exclusively in Mexico and Brazil with a new variant of the malware.



Threat actors are targeting hundreds of banking customers in Latin America with a new variant of an existing banking Trojan that replicates the interfaces of more than 40 Mexican and Brazilian banks. The campaign is aimed at tricking infected victims into giving up two-factor authentication (2FA) codes and/or payment-card details so attackers can hijack their bank accounts.
The active campaign, whose initial infection vector is phishing, is aimed at spreading a variant of the BBTok banking malware to victims in Mexico and Brazil, researchers from Check Point Software revealed in a blog post on Sept. 20.
The actors behind the campaign are maintaining diversified infection chains for different versions of Windows to widen the scope of the attacks, using a unique combination of Living off the Land Binaries (LOLBins), resulting in low detection rates, the Check Point Team wrote in the post.
These advanced obfuscation techniques, the distribution of BBTok through phishing links rather than attachments, and advanced geofencing to ensure victims are located only in Brazil and Mexico all demonstrate an evolution in the tactics of the attackers distributing the malware, according to the researchers.
The campaign's most distinctive feature is its use of fake interfaces for more than 40 banks in Mexico and Brazil, which are so convincing that they coax unsuspecting users into divulging personal and financial details, "tricking the victim into entering the security code/token number that serves as 2FA for [a] bank account," the Check Point Team wrote.
This ultimately allows attackers to take over the victim's bank account by using their credentials. In some cases, people even go so far as to enter their payment card number directly into the malicious interfaces, the researchers added.
BBTok has been active as a banking malware in Latin America since 2020, with attackers first deploying it through fileless attacks. The malware's functionalities include enumerating and killing processes, keyboard and mouse control, and manipulating clipboard contents, along with classic banking Trojan features, according to Check Point.
The researchers identified the latest variant and campaign in part by analyzing server-side resources of the threat actors behind BBTok, which serve the malicious payloads that are distributed through phishing links. Attackers use multi-layered geofencing, a sophisticated targeting and evasion tactic, to ensure that the victims who receive the phishing messages are located only in Brazil and Mexico, the researchers noted.
In fact, during its research, Check Point discovered a database of some BBTok malware victims in Mexico that included more than 150 entries with victims information, confirming the success of the operation, which remains active.
The recent findings regarding the latest BBTok variant and campaign expose once again how threat actors are constantly evolving their tactics to steal banking and other credentials for financial gain, and how users need to be correspondingly vigilant.

Phishing attacks can have a number of different goals, including malware delivery, stealing money, and credential theft, according to Check Point. However, most phishing scams designed to steal your personal information can be detected if you pay enough attention.
Key ways to avoid falling victim to such scams include always being suspicious of password-reset emails and, if prompted by a banking site to reset a password, visiting the website directly rather than clicking on embedded links.
Check Point also reiterated some common ways that malicious actors try to convince people to share credentials, including lookalike sites like the ones used in the latest BBTok campaign, and scams in which attackers impersonate customer-support specialists from known companies like Microsoft or Apple. The researchers advised that people never share credentials with anyone outside of logging in directly to the websites that require them.
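The two tells in the guidance above, a link whose visible text does not match where it actually points, and a lookalike domain standing in for a real bank, are easy to check mechanically. The following is an added example written for this page, not code from Check Point or from the BBTok campaign; the trusted bank domains, the sample email body, the lookalike distance threshold and all hostnames in it are constructed for the demo.

```python
"""
Added example (not from the Check Point report or the article): a small
checker for two phishing tells described in the guidance above, link text
that does not match the link target, and lookalike domains.  The bank
domains, the sample email body and the threshold are constructed for the
demo; no real BBTok infrastructure is referenced.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical "known good" bank domains a mail gateway would be configured with.
TRUSTED_DOMAINS = {"examplebank.com.br", "bancoejemplo.com.mx"}

# Constructed sample message: one honest link, one whose display text is a
# bank URL but whose href is not, and one lookalike domain ("1" for "l").
SAMPLE_HTML = """
<p>Prezado cliente, redefina sua senha:</p>
<a href="https://examplebank.com.br/login">https://examplebank.com.br/login</a>
<a href="https://secure-update.example.net/x">https://examplebank.com.br/reset</a>
<a href="https://bancoejemp1o.com.mx/token">Banco Ejemplo</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(url):
    """Lower-cased hostname of a URL, or '' when the string has no host."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return (host or "").lower()


def levenshtein(a, b):
    """Edit distance; small distances to a trusted domain flag lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings for one anchor."""
    target = registrable_domain(href)
    # Only compare display text that itself looks like a URL.
    shown = registrable_domain(text) if re.match(r"^(https?://|www\.)", text) else ""
    findings = []
    if shown and shown != target:
        findings.append(f"display text says {shown} but link goes to {target}")
    if target not in trusted:
        for good in trusted:
            if 0 < levenshtein(target, good) <= 2:
                findings.append(f"{target} looks like trusted domain {good}")
    return findings


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map each suspicious href to its findings; clean links are omitted."""
    report = {}
    for href, text in extract_links(html):
        findings = classify_link(href, text, trusted)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_HTML).items():
        print(href)
        for finding in findings:
            print("  -", finding)
```

The edit-distance threshold of 2 is deliberately tight: it catches single-character substitutions such as `1` for `l` while leaving unrelated domains alone. A production gateway would add homoglyph normalisation (Cyrillic or accented look-alikes) and a reputation lookup on the target host; neither is attempted here.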
Finally, people should be aware of common social-engineering language used specifically to get people to ignore initial suspicions about a phishing email and go on to click a link or open an attachment against their better judgment.
Some common phishing techniques include fake order or delivery notices that impersonate trusted brands; business email compromise (BEC) attacks that impersonate an executive or someone with authority in an organization to fool employees into taking action that defrauds them financially; or messages requesting payment of an outstanding invoice as a way to get someone to transfer money to attackers or deliver malware via a malicious document.

