BBtok is a new banking trojan whose authors seem to be focused, at least for the time being, on infecting Mexican users and stealing their credentials. The first-stage dropper, delivered by email, performs a geographic check: if the victim who executes it is not connecting from Mexico, it does not proceed to download and install the second dropper or the remaining modules. Analysts should keep this in mind, since a sandbox or analysis host outside Mexico will only ever observe the first stage.
The Portuguese strings found in the trojan's binary, the use of Delphi as the banker's main language, and the reuse of libraries already seen in other Brazilian banking malware such as Grandoreiro all suggest that this new malware could have been developed by Brazilian attackers.
Nor can we rule out the possibility that it is a new variant of Grandoreiro developed by the same attackers, who may even be moving towards a Malware-as-a-Service (MaaS) business model in which they sell the malware and the buyers are the ones who operate it and infect end users. In fact, it is likely that BBtok is not a new family as such, but rather a new version of Grandoreiro.
For the time being, the attackers' interest appears to lie in Mexican users, but as has happened in the past with other families, such as Pazera/Mekotio or Grandoreiro itself, it is likely that over time we will see new versions in which the list of targeted entities is expanded to include banks from other Latin American countries and Spain. We should be on the lookout for these new versions, which will most likely appear in the coming months.