BBTOK: Brazilian malware focused on infection and credential theft of Mexican users

BBtok is a new banking trojan whose operators, at least for now, appear to be focused on infecting Mexican users and stealing their banking credentials. The first-stage dropper, delivered by email, checks whether the victim is on a Mexican connection; if not, it stops there and never downloads or installs the second dropper or the remaining modules. This geofencing has a practical consequence for analysts: a sandbox or analysis workstation outside Mexico will only ever observe the first stage unless it presents itself as a Mexican connection.

The Portuguese strings found in the trojan's binary, the use of Delphi as the banker's main language, and its reuse of libraries already seen in other Brazilian banking malware such as Grandoreiro all suggest that BBtok was developed by Brazilian actors.

Nor can we rule out that it is a new Grandoreiro variant produced by the same group, possibly as a step towards a Malware-as-a-Service (MaaS) model in which the developers sell the malware and the buyers run the campaigns and infect end users. In fact, BBtok may well not be a new family at all, but a new version of Grandoreiro.

For now the attackers' interest lies in Mexican users, but as has happened in the past with other families such as Pazera/Mekotio or Grandoreiro itself, it is likely that over time new versions will widen the list of targeted entities to other Latin American countries and Spain. These versions will most likely appear in the coming months and are worth watching for.



In the last month, a new banking malware has been detected that is affecting users in Mexico, and with them the banking entities that operate in that country: it steals users' banking credentials in order to drain their accounts.

During analysis, text strings containing Portuguese words were found, and the binary was seen to use the same Delphi library as Grandoreiro, another banking trojan of Brazilian origin. This suggests that the new banker is also of Brazilian origin, and it may even be a new Grandoreiro variant, since it uses that same library to implement communication with the control server.





Posted by David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of buguroo’s development team, managing task distribution and negotiating with the Head of Technology.

