Banking Trojan families Mekotio and BBTok are surging again in Latin America, delivered by phishing campaigns that impersonate business and legal communications to steal banking credentials. Mekotio is widening its geographic reach, while BBTok abuses the legitimate MSBuild.exe build tool to evade detection and deploy its payloads. #Mekotio #BBTok #Grandoreiro
Keypoints
- Phishing campaigns targeting Latin America are increasing, aiming to drop banking trojans such as Mekotio, BBTok, and Grandoreiro.
- Mekotio expanded beyond Brazil to Spanish-speaking countries (Chile, Mexico, Colombia, Argentina) and parts of Southern Europe (Spain).
- Attack lure types include business transactions and judicial-related scams that exploit urgency and fear to prompt victims to act.
- BBTok uses MSBuild.exe to execute malicious payloads and to evade detection, with infection chains involving ZIP/ISO delivery and LNK triggers.
- Mekotio’s latest variant obfuscates PowerShell and employs a multi-stage downloader to fetch further components and perform environment reconnaissance.
- Persistence is achieved via registry autorun entries, and final payloads include DLLs such as Brammy.dll/Trammy.dll and AutoHotKey.exe to maintain footholds and execute actions.
- Industry targets include manufacturing, retail, technology, and financial services, highlighting broad financial threat exposure in the region; recommendations call for stronger defenses and phishing-awareness training.
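As an added detection example (not code from the report), the following Python heuristics flag the chain summarised in the key points above, MSBuild.exe running from an untrusted path with an XML project, rundll32.exe spawned by MSBuild.exe, encoded PowerShell, and Run-key autoruns that invoke rundll32 or AutoHotKey, over constructed endpoint telemetry; the event schema, field names and trusted-path list are assumptions.

```python
from pathlib import PureWindowsPath
# Where a legitimately installed MSBuild.exe lives (assumption: no developer
# toolchain is installed elsewhere on the monitored hosts).
TRUSTED_MSBUILD_DIRS = (r"c:\windows\microsoft.net\framework",
                        r"c:\program files\microsoft visual studio",
                        r"c:\program files (x86)\microsoft visual studio")

def _base(path):
    return PureWindowsPath(path).name.lower()

def check_process(ev):
    """Return finding tags for one process-creation event (hypothetical schema)."""
    image, parent = ev["image"].lower(), ev.get("parent_image", "").lower()
    cmd, found = ev.get("command_line", "").lower(), []
    if _base(image) == "msbuild.exe":
        if not image.startswith(TRUSTED_MSBUILD_DIRS):
            found.append("msbuild_from_untrusted_path")  # e.g. a mounted ISO drive
        if ".xml" in cmd:
            found.append("msbuild_given_xml_project")    # .proj/.csproj is the norm
    if _base(image) == "rundll32.exe" and _base(parent) == "msbuild.exe":
        found.append("rundll32_spawned_by_msbuild")
    if _base(image) == "powershell.exe" and ("-enc" in cmd or "frombase64string" in cmd):
        found.append("powershell_encoded_command")
    return found

def check_registry(ev):
    """Flag Run-key autoruns whose data invokes rundll32 or AutoHotKey."""
    data = ev.get("data", "").lower()
    if "\\currentversion\\run" in ev["key"].lower() and ("rundll32" in data or "autohotkey" in data):
        return ["autorun_loader_persistence"]
    return []

def scan(events):
    """Run both checks over a list of events; returns sorted unique tags."""
    tags = set()
    for ev in events:
        tags.update(check_process(ev) if ev["type"] == "process" else check_registry(ev))
    return sorted(tags)

# Constructed sample telemetry mirroring the chain described above (not real IoCs).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"E:\MSBuild.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"E:\MSBuild.exe E:\invoice.xml"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"E:\MSBuild.exe",
     "command_line": r"rundll32.exe C:\Users\Public\stage.dll,Run"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "msbuild.exe app.csproj"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\Public\AutoHotKey.exe C:\Users\Public\run.ahk"},
]
```

The third sample event is a benign build from the framework directory and produces no finding, which is the control case to keep when tuning the trusted-path list.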
MITRE Techniques
- [T1566] Phishing – Utilising phishing emails to deliver malware and harvest credentials. Quote: ‘Utilizing phishing emails to deliver malware and harvest credentials.’
- [T1203] Execution – Executing malicious scripts through various methods including PowerShell and MSBuild.exe. Quote: ‘Executing malicious scripts through various methods including PowerShell and MSBuild.exe.’
- [T1071] Command and Control – Establishing a connection to the attacker’s server for further control. Quote: ‘Establishing a connection to the attacker’s server for further control.’
- [T1547] Persistence – Creating registry entries to ensure malware runs on system startup. Quote: ‘Creating registry entries to ensure malware runs on system startup.’
- [T1003] Credential Dumping – BBTok’s advanced capabilities for credential theft and data exfiltration make it a formidable threat in the region. Quote: ‘BBTok’s advanced capabilities for credential theft and data exfiltration make it a formidable threat in the region.’
Indicators of Compromise
- [File name] context – Brammy.dll and Trammy.dll, the malicious BBTok DLL payloads used in the final stage of the infection.
- [File name] context – AutoHotKey.exe, an AutoHotKey script, and the Mekotio DLL used in the final payload assembly.
- [File name] context – LNK file that initiates the infection chain when the ISO/ZIP is processed.
- [Archive] context – ZIP file containing an obfuscated batch file and a PowerShell-based downloader; ISO file containing the DLL payload and LNK.
- [Process] context – MSBuild.exe embedded in the ISO to execute malicious code and load a malicious XML.
- [XML] context – Malicious XML file used to direct the generation and execution of a DLL via rundll32.exe.