Skip to content

New BBTok malware variant targets banks in Brazil and Mexico

  • by
  • 3 min read

Threat actors are deploying a new variant of the BBTok banking malware in Latin America, primarily in Brazil and Mexico. The actors use unique combinations of the Living off the Land Binaries (LOLBins) technique to prevent detection.

Cybersecurity researchers from Check Point Research checked the server-side resources employed by the threat actors in their attacks to deliver the malicious payloads, most probably through phishing links.

Researchers have also observed several iterations of these server-side scripts and configuration files, showcasing the evaluation of the BBTok deployment techniques over time. The original version of the malware was discovered in 2020.

This malware is dangerous as it can perform many functions, including process enumeration and termination, keyboard and mouse control, and clipboard content manipulation. Additionally, BBTok incorporates features of classic Trojan malware, such as using fake bank login pages.

An example of a fake bank login page. | Source: Check Point Research

The threat actors are currently using special multi-layered geo-fencing protocols to limit infected computers to Brazil and Mexico.

Since its initial disclosure, the operations behind BBTok have continuously adapted their Tactics, Techniques, and Procedures (TTPs). Earlier, they used to rely on email attachments as phishing lures primarily, but now they seem to have switched to phishing links, leading to lower detection rates.

The BBTok malware comes equipped with fake interfaces of over 40 banks in Brazil and Mexico. These deceptive interfaces serve as a platform where customers, thinking these pages to be real, divulge their personal and financial information, including the crucial two-factor authentication code for their bank accounts and payment card information.

Victim list of BBTok malware. | Source: Check Point Research

As of now, over 150 victims have been identified by researchers, but the list can further increase given the low detection rates of BBTok.

Researchers have pointed out some essential tips for customers to protect themselves, such as exercising caution with password reset emails, never sharing your banking credentials with anyone, especially on the internet, and paying attention to the email language.

In the News: UK parliament passes Online Safety Bill amid privacy concerns

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: