A new variant of the BBTok banking trojan has recently resurfaced in Latin America, specifically targeting users in Brazil and Mexico. This advanced form of malware has evolved its tactics and techniques [5], posing a significant threat to organizations and individuals in the region.


BBTok is being distributed through an active malware campaign that specifically targets users in Brazil and Mexico [4]. It replicates the interfaces of over 40 banks in Mexico and Brazil [2], including BBVA [5], a popular bank [5], in order to deceive users into sharing personal and financial information [5]. The malware is coded in Delphi and uses VCL to create custom fake interfaces that match victim screens and bank forms [5]. It also seeks Bitcoin-related data on infected machines [5].

The campaign uses phishing emails to trick victims into providing their banking information [2], including 2FA codes [5]. Once the malware is launched, it allows attackers to execute remote commands and gain control of bank accounts. The malware is delivered through LNK files [1] [5], SMB [5], and MSBuild [5], making it difficult to track and detect [5].

BBTok has features that allow it to kill processes [4], issue remote commands [1] [2] [3] [4], manipulate keyboards [1] [3] [4], and serve fake login pages [1] [3] [4]. The attack chains use bogus links or ZIP file attachments to deploy the malware while displaying decoy documents [1] [3] [4]. BBTok evades detection mechanisms such as Antimalware Scan Interface (AMSI) and uses living-off-the-land binaries (LOLBins) and geofencing checks to target victims in Brazil and Mexico [4].

Once launched [1] [3] [4], BBTok establishes connections with a remote server to simulate security verification pages and harvest user credentials [1] [3] [4]. The malware has shown improvement in obfuscation and targeting since 2020 [1] [3] [4], expanding beyond Mexican banks [4]. The presence of Spanish and Portuguese language suggests the attackers are likely based in Brazil [4]. Over 150 users have been estimated to be infected by BBTok [4].


BBTok poses a significant danger to organizations and individuals in Latin America, particularly in Brazil and Mexico [1] [3] [4]. Its use of phishing links and replication of bank interfaces make it difficult to detect and track. Mitigations should include educating users about phishing techniques and implementing robust security measures to prevent initial infections. The continued evolution and expansion of BBTok highlight the need for ongoing vigilance and proactive measures to protect against this type of malware.


[1] https://secoperations.wordpress.com/2023/09/23/new-variant-of-banking-trojan-bbtok-targets-over-40-latin-american-banks/
[2] https://www.hackread.com/bbtok-malware-target-brazil-mexico-banks/
[3] https://thehackernews.com/2023/09/new-variant-of-banking-trojan-bbtok.html
[4] https://flyytech.com/2023/09/22/new-variant-of-banking-trojan-bbtok-targets-over-40-latin-american-banks/
[5] https://cybersecuritynews.com/bbtok-banking-malware/