BBTOK: malware focused on infection and credential theft of Mexicans

BBtok is a new banking trojan whose authors seem to be focused, at least for the time being, on infecting Mexican users and stealing their credentials. If the victim who executes the dropper sent by email is not connecting from Mexico, the dropper stops there and does not download or install the second dropper or the rest of the modules.

The Portuguese strings found in the trojan's binary, the use of Delphi as the main language of the banker and the use of libraries already used in other Brazilian banking malware such as Grandoreiro suggest that this new malware could have been developed by Brazilian attackers.

Nor can we rule out the possibility that it's a new variant of Grandoreiro, developed by the attackers themselves, and that they may even be moving towards a Malware-as-a-Service (MaaS) business model, in which they market the malware so that the buyers are the ones who exploit it and infect the end users. In fact, it's likely that BBtok isn't a new family as such, and is actually a new version of Grandoreiro.

For the time being, the attackers' interest seems to reside in Mexican users, but as has happened in the past with other families, such as Pazera/Mekoito or Grandoreiro itself, it's likely that over time we will begin to see new versions in which the list of affected entities is expanded, including entities from other Latin American countries and Spain. We must be on the lookout for these new versions that will most likely arrive in the coming months.


BBTOK: Brazilian malware focused on infection and credential theft of Mexican users

In the last month, a new banking malware has been detected that is affecting users in Mexico, and therefore the banking entities that operate in that country: it steals the bank credentials of their users in order to empty their savings.

During its analysis, text strings containing Portuguese words were discovered, and the sample was found to use the same Delphi library as Grandoreiro, another banking trojan of Brazilian origin. This suggests that this new banker could also be of Brazilian origin, and it's possible that it could even be a new variant of Grandoreiro, since we've detected that it uses the same library to implement communication with the control server.


Posted by David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.


