{
	"id": "4268e58d-aea7-4303-969c-c8e09f9daa61",
	"created_at": "2026-04-06T00:11:19.275722Z",
	"updated_at": "2026-04-10T03:21:40.030619Z",
	"deleted_at": null,
	"sha1_hash": "c0d5724ecd05c8236f8663aa4fbd9ef1919d09c5",
	"title": "360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 992706,
	"plain_text": "360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico\r\nPublished: 2020-11-20 · Archived: 2026-04-05 19:04:32 UTC\r\nThrough its file-less attack protection function, 360 Security Center recently detected a new banking Trojan, BBtok, that has become active in Mexico. The Trojan is delivered as a compressed archive containing malicious .lnk files, sent to users via phishing emails or other means. When the user clicks the malicious .lnk, the embedded PowerShell script runs and executes the subsequent attack payloads.\r\nThe overall operation flow of the malware is as follows:\r\nThe content of the opened PDF is as follows:\r\nAfter BBtok is deployed on the victim’s machine, it runs a backdoor module. By issuing control commands the attacker can execute various malicious functions, including creating a fake bank security-check window to trick the user into entering login credentials, thereby stealing the user’s account password.\r\nFile-less Attack\r\nThe .lnk file carries malicious PowerShell commands; tricking the user into clicking it activates the malicious code, which downloads and executes the subsequent malicious payload:\r\nThe downloaded shellcode is stored Base64-encoded. After decoding, it is a loader written in .NET.\r\nPersistence\r\nThe loader replaces winmm.dll in the system directory to achieve persistence and auto-start:\r\nwinmm.dll then loads the malicious dynamic libraries:\r\nAnti-virus\r\nThe loader then loads the anti-AV driver. On 64-bit systems it uses the open-source KDU (Kernel Driver Utility) to load it:\r\nKDU (https://github.com/hfiref0x/KDU) abuses a vulnerable driver shipped with legitimate software to gain arbitrary read/write access to kernel memory:\r\nThe loaded anti-AV driver brute-force enumerates and removes all registry callbacks:\r\nIt then deletes the registry entries of mainstream anti-virus products, rendering them ineffective:\r\nBypass Antivirus\r\nBBtok extracts the main backdoor control program from the compressed archive. The attackers can control the victim’s machine by issuing the backdoor commands shown in the picture, including window control, process management, keylogging, clipboard hijacking and other functions.\r\nBanker Trojan\r\nThrough backdoor control commands the attackers can also display fake security-verification interfaces imitating different banks, and steal user login credentials for Santander, BanBajio, ScotiaBank, AFIRME, Banregio, Banco Azteca, Multiva, Inbursa, HSBC, Banorte, CitiBanamex, BBVA, etc.\r\nThe picture below shows fake interface 1:\r\nFake interface 2:\r\nFake interface 3:\r\nFake interface 4:\r\nFake interface 5:\r\nFake interface 6:\r\nSecurity Advice:\r\n(1) Do not open emails from unknown sources. Forward such emails to the security department for investigation, and open them only after they have been confirmed safe.\r\n(2) The 360 file-less attack protection function can effectively block malicious scripts, malicious documents, LOLBins and other file-less attacks.\r\n(3) 360 Total Security can detect and block the latest malicious attacks in time to protect users’ information security. It is recommended to use the official website.\r\nMD5:\r\nf0bb745b4ab8b3eb36a5a6bd0c31d9c3\r\nURL:\r\nhttp[:]//bIt.dO/fJZR3\r\nhttp[:]//diprolisa.mx/archivos/project/a9sid9aisd9\r\nhttp[:]//diprolisa.mx/archivos/pdf\r\nhttp[:]//mexicanagm.mx/contacto/gambler.php\r\nSource: https://blog.360totalsecurity.com/en/360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.360totalsecurity.com/en/360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico/"
	],
	"report_names": [
		"360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico"
	],
	"threat_actors": [],
	"ts_created_at": 1775434279,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0d5724ecd05c8236f8663aa4fbd9ef1919d09c5.pdf",
		"text": "https://archive.orkl.eu/c0d5724ecd05c8236f8663aa4fbd9ef1919d09c5.txt",
		"img": "https://archive.orkl.eu/c0d5724ecd05c8236f8663aa4fbd9ef1919d09c5.jpg"
	}
}