A new strain of the BBTok banking trojan has emerged, posing a significant threat to Latin American banks, particularly those in Brazil and Mexico. This malware specializes in mimicking the interfaces of over 40 banks in the region, tricking victims into disclosing sensitive information, including 2FA codes and payment card details.
It’s distributed through phishing emails with diverse file types and is equipped with advanced evasion techniques to avoid detection, targeting both Windows 7 and Windows 10 systems.
The cybercriminals behind BBTok employ living-off-the-land binaries (LOLBins) and geofencing checks to ensure that their targets are specifically from Brazil or Mexico, enhancing their chances of success.
Once launched, the trojan connects to a remote server to simulate the security verification pages of various banks, aiming to harvest user credentials for account takeovers. The threat is evolving and now displays a level of sophistication that includes the use of Spanish and Portuguese in both the source code and the phishing emails.
Check Point, the cybersecurity firm that uncovered this campaign, estimates that over 150 users have been infected by BBTok. Despite being a relatively low-profile threat, it poses a substantial danger due to its unique techniques and the potential for data theft and account compromises. This discovery coincides with Check Point’s report on a large-scale phishing campaign targeting prominent companies in Colombia, further highlighting the evolving landscape of cyber threats in Latin America.