BBTok Banking Trojan

Introduction:

This report analyses a recently identified malware threat and presents methods for reducing the risk it poses. The malware in question is BBTok, a banking trojan deliberately aimed at users in Latin America, mainly in Brazil and Mexico. The report covers an overview of the malware, its latest changes, new threat vectors, improved SIEM rules, indicators of compromise (IOCs), mitigation strategies, and a conclusion.

Malware Overview:

BBTok is a Windows-based banking malware that first surfaced in 2020. Its main goal is to impersonate the user interfaces of more than 40 major banks in Mexico and Brazil, duping victims into disclosing private information such as 2FA codes and credit card details. The trojan can serve fake login pages and has a number of other features, such as process enumeration, remote command execution, and keyboard manipulation.

Upgrade and New Threat Vector:

Evolution of BBTok:

Since its discovery in 2020, BBTok has evolved significantly. The threat actors have enhanced its obfuscation techniques and added downloaders to its arsenal. These changes have led to lower detection rates, making it more challenging to identify and mitigate the malware.

New Payload Generation:

BBTok now employs a custom server-side application for generating unique payloads tailored to each victim based on their operating system and location. This approach ensures that the malware remains highly effective and adaptable.

Indicators of Compromise (IOCs):

Network IOCs:

Phishing Domains: danfe[.]is-certified[.]com, rendinfo[.]shop

Malicious DLL Download Domain: sodkvsodkv[.]supplier[.]serveftp[.]net

Payload Servers: 216[.]250[.]251[.]196, 173[.]249[.]196[.]195, 176[.]31[.]159[.]196, 147[.]124[.]213[.]152

File IOCs:

Malicious ISO Files: DANFE357702036539112.iso, DANFE357666506667634.iso, DANFE352023067616112.iso

Lure PDFs: DANFE358567378531506.pdf, HtmlFactura3f48daa069f0e42253194ca7b51e7481DPCYKJ4Ojk.iso, HtmlFactura-497fc589432931214ed0f7f4de320f3brzi8y1MTdn.iso, HtmlFactura-4887f50edb734a49d33639883b60796do52lTREjMh.iso, Html-Factura35493606948895934113728188857090JCOY.pdf

BBTok Downloaders: Brammy.dll, Trammy.dll, Kammy.dll, Gammy.dll
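
One way to match the IOCs listed above against log events, as an added example (not code from the original report or the cited research). The key=value log format, the field names host, dst_ip and file, the sample events and the lure-filename pattern are assumptions.

```python
import re

# IOCs copied from this page, kept defanged; refanged only in memory for matching.
DOMAINS = ["danfe[.]is-certified[.]com", "rendinfo[.]shop",
           "sodkvsodkv[.]supplier[.]serveftp[.]net"]
IPS = ["216[.]250[.]251[.]196", "173[.]249[.]196[.]195",
       "176[.]31[.]159[.]196", "147[.]124[.]213[.]152"]
DLLS = {"brammy.dll", "trammy.dll", "kammy.dll", "gammy.dll"}
# Assumption: lures follow the DANFE<digits> / HtmlFactura<token> shapes listed above.
LURE_RE = re.compile(r"(danfe\d{10,}|html-?factura[-\w]+)\.(iso|pdf)", re.I)

def refang(ioc):
    return ioc.replace("[.]", ".").lower()

DOMAIN_SET = {refang(d) for d in DOMAINS}
IP_SET = {refang(i) for i in IPS}

def parse(line):  # assumed log format: space-separated key=value pairs
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def match(event):  # returns the IOC categories this event hits
    hits = []
    host = event.get("host", "").lower().rstrip(".")
    # Exact host or any subdomain; the dot boundary avoids look-alike suffix hits.
    if any(host == d or host.endswith("." + d) for d in DOMAIN_SET):
        hits.append("domain")
    if event.get("dst_ip") in IP_SET:
        hits.append("payload_server_ip")
    name = re.split(r"[\\/]", event.get("file", ""))[-1]  # basename, Windows or POSIX
    if name.lower() in DLLS:
        hits.append("downloader_dll")
    if LURE_RE.fullmatch(name):
        hits.append("lure_filename")
    return hits

def scan(lines):  # (line_number, hits) for every line with at least one hit
    pairs = ((n, match(parse(l))) for n, l in enumerate(lines, 1))
    return [(n, h) for n, h in pairs if h]

SAMPLE_LOG = [  # constructed events, not real telemetry
    f"ts=2023-09-25T10:00:01Z src=10.0.0.5 host=cdn.{refang(DOMAINS[1])} dst_ip=203.0.113.9",
    f"ts=2023-09-25T10:00:07Z src=10.0.0.5 host=example.org dst_ip={refang(IPS[2])}",
    r"ts=2023-09-25T10:00:09Z src=10.0.0.5 file=C:\Users\a\AppData\Local\Temp\Trammy.dll",
    r"ts=2023-09-25T10:00:12Z src=10.0.0.7 file=D:\DANFE357702036539112.iso",
    "ts=2023-09-25T10:00:15Z src=10.0.0.8 host=example.com dst_ip=198.51.100.4",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The filename pattern is broader than the exact names listed and can match legitimate DANFE or factura documents, so treat a lure_filename hit alone as a lead to correlate with the network or DLL hits.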

Preventive Measures:

  • Implement cutting-edge email filtering tools to identify and stop phishing emails that spread the BBTok malware.
  • Endpoint Protection: Use software for endpoint protection to find and contain suspicious files and activities on endpoints.
  • Regular Software Updates: To reduce vulnerabilities that malware can exploit, make sure that all operating systems and software are constantly patched.
  • Employee Education: Provide cybersecurity awareness training to inform staff of phishing dangers and secure web browsing procedures.
  • Regularly update SIEM rules to respond to new threats in order to ensure the early identification of BBTok-related actions.

Conclusion:

In conclusion, the BBTok banking trojan poses an ongoing threat to users in Latin America, with recent upgrades and evolving tactics that make it challenging to detect and mitigate. To protect against this malware, organizations should adopt a multi-layered security approach, including email filtering, endpoint protection, employee training, and the continuous refinement of SIEM rules. Staying vigilant and proactive is crucial in the ever-changing landscape of cybersecurity threats.

References:

https://thehackernews.com/2023/09/new-variant-of-banking-trojan-bbtok.html

https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/
