
BBtok Trojan

Posted: November 26, 2020

The BBtok Trojan is a hybrid banking Trojan and backdoor Trojan that collects bank account credentials and gives attackers command-based control over infected PCs. It spreads through e-mail lures that trick victims into opening malicious attachments, and it produces symptoms such as fake pop-up notifications about bank account security. Affected Windows users should disable network connections and remove the BBtok Trojan with anti-malware services before changing all compromised passwords.

A Trojan Waylays Mexico with Clever Pop-Up Ruses

Because attackers have practical reasons to keep access to the same systems they harvest data from, hybrid or dual-purpose Trojans are becoming the norm among data-exfiltrating spyware. The degree of specialization in these threats can be extreme, as in the case of the BBtok Trojan, which targets customers of Mexican banks. Its campaign uses a fairly typical infection strategy, with some additional effort spent on hiding the threat while it collects whatever it can, especially login credentials.

It should surprise few readers that the BBtok Trojan circulates by e-mail: a ZIP-enclosed document keeps the victim distracted while a PowerShell script launched alongside it installs the Trojan. Instead of dropping a 'new' file, which would draw the attention of security solutions, the installer replaces a legitimate Windows multimedia library ('winmm.dll', which handles audio and joystick input, among other things) with its own version. Since Windows and ordinary applications load that library by name, the OS runs the Trojan's code as if it were a trusted system component; this foothold then loads the further components for backdoor contact and banking-Trojan functionality.
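A practitioner's first question after reading the above is whether the winmm.dll on a given host is still the Microsoft-signed original. The following PowerShell is an added example for this article, not the vendor's or the threat actor's code: it verifies the two system copies of winmm.dll and then sweeps a set of assumed, illustrative folders for stray copies, because a winmm.dll placed next to an application is picked up by the DLL search order ahead of the system copy. The function name Test-WinmmIntegrity and the scan-root list are this example's own choices; it assumes Windows PowerShell 5.1 or later with administrative rights.

```powershell
# Added example (not code from the original article): verify the system copies of winmm.dll
# and hunt for copies planted outside the Windows folder. Function name and scan roots are
# assumptions made for this illustration.

function Test-WinmmIntegrity {
    [CmdletBinding()]
    param(
        # Folders to sweep for stray winmm.dll copies (assumed list; extend as needed)
        [string[]] $ScanRoots = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA,
                                  $env:TEMP, "$env:USERPROFILE\Downloads")
    )

    $results = @()

    # 1. The genuine libraries live here and are catalog-signed by Microsoft.
    $systemCopies = @("$env:SystemRoot\System32\winmm.dll", "$env:SystemRoot\SysWOW64\winmm.dll")
    foreach ($path in $systemCopies) {
        if (-not (Test-Path -LiteralPath $path)) {
            $results += [pscustomobject]@{ Path = $path; Verdict = 'MISSING'; Status = $null; Signer = $null; SHA256 = $null }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # Anything other than a valid Microsoft signature on a system DLL deserves a closer look.
        $verdict = if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { 'OK' } else { 'SUSPECT' }
        $results += [pscustomobject]@{ Path = $path; Verdict = $verdict; Status = $sig.Status; Signer = $signer; SHA256 = $hash }
    }

    # 2. A winmm.dll sitting beside an application wins the DLL search order over the system
    #    copy, so every copy found under the scan roots is reported for review.
    $roots = $ScanRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    $stray = Get-ChildItem -Path $roots -Filter 'winmm.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Path    = $_.FullName
                Verdict = 'STRAY'
                Status  = $sig.Status
                Signer  = $signer
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    if ($stray) { $results += $stray }

    return $results
}

# Run the check and show one row per copy found.
Test-WinmmIntegrity | Format-Table -AutoSize
```

On Windows 8 and later, Get-AuthenticodeSignature validates catalog signatures, so the untouched system copy reports a Status of Valid with a Microsoft signer. A SUSPECT verdict can be cross-checked with `sfc /verifyfile=C:\Windows\System32\winmm.dll`, and the SHA256 compared against a known-good copy from a machine on the same Windows build. Any STRAY copy should be treated as a candidate for DLL search-order hijacking until its origin is explained.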

The backdoor Trojan module provides what malware analysts consider very standard but threatening features, such as recording keystrokes, manipulating running processes and hijacking the clipboard, all of which run on the threat actor's remote commands. Its banking Trojan half is more specialized: it collects credentials for institutions such as Banco Azteca and Scotiabank by displaying Mexican-tailored pop-ups that imitate each bank's login portal and security prompts. The attacker then uses the stolen information to transfer money out of the account and absconds with whatever other data the BBtok Trojan collects.

Closing a Bank Predator's Business

None of the individual elements of the BBtok Trojan's campaign is fully novel. Still, the package as a whole says a great deal about the threat actor's experience and diligence. It also shows that Windows users should stay alert to threats that don't always leave individual new files around to observe. After it slips into the Windows OS, the BBtok Trojan is mainly identifiable through its symptomatic pop-ups, which should concern any bank customer familiar with the standard procedures for account security.

Although malware researchers have seen no examples of the BBtok Trojan extending its attacks outside Mexico, its targeting is set by configuration and could change after a quick update. Users should be cautious with e-mail attachments, particularly archives such as ZIPs or RARs, which threat actors favor for hiding malicious files from scanners. The BBtok Trojan also has significant disruption implications for many cyber-security programs, whose Registry entries it may wipe, thereby keeping users from accessing their preferred AV and security solutions.

As with any backdoor Trojan, infection response should begin with disabling network connectivity to cut the Trojan off from its Command & Control servers. Users may need to reinstall affected security products before removing the BBtok Trojan with them, and should then re-secure their accounts by changing passwords from a known-clean device rather than from the infected PC.

The BBtok Trojan is an intelligently designed thief that uses geographic targeting to sharpen the edge of its payload. For now, it's a danger to Mexico, but a successful banking Trojan rarely stops at just one country.