Banking Trojans: Mekotio and BBTok Ramp Up Phishing Scams in Latin America
Introduction
On September 5, 2024, Trend Micro released a detailed report on the resurgence of two notorious banking Trojans: Mekotio and BBTok. These malware variants, long known for targeting Latin American users, have adopted new tactics to evade detection and exploit victims. The cybercriminal groups behind them have ramped up phishing campaigns using business- and judicial-themed lures, expanding their reach beyond previous targets.
Report Overview
Mekotio, first detected in March 2018, has primarily targeted Brazil but has since expanded to include other Latin American countries such as Chile, Mexico, Colombia, and Argentina. The Trojan's evolution suggests the criminals behind it are exploring new geographical targets. BBTok, discovered in 2020, similarly focuses on Latin American financial institutions and shares common target regions with Mekotio.
Both Trojans are typically distributed through phishing emails containing malicious links or attachments. These emails impersonate legitimate organizations to trick users into downloading malware that can steal sensitive banking credentials, conduct unauthorized transactions, and more.
Mekotio has recently introduced more advanced evasion techniques, including the obfuscation of PowerShell scripts used to initiate the malware infection. The infection process begins when a victim clicks a malicious link in a phishing email, triggering the download of a ZIP file containing an obfuscated batch file. This batch file, when executed, runs a PowerShell script that connects to a secondary URL to download additional malware or steal data.
BBTok, on the other hand, uses a phishing link to deliver an ISO file containing a malicious LNK file. This file initiates the infection by launching MSBuild.exe, a legitimate Windows utility. By leveraging this trusted tool, attackers can avoid detection while executing malicious scripts and DLL payloads that connect to a command-and-control (C&C) server.
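The two infection chains described above can be expressed as process-lineage detections. The following Python is an added example, not code from the Trend Micro report, that runs two heuristics over constructed Sysmon-style process-creation records: a .bat launched by cmd.exe that spawns PowerShell with hidden-window or encoded-command switches (the Mekotio chain), and MSBuild.exe started directly by explorer.exe, as happens when a user double-clicks a LNK (the BBTok chain). Field names follow Sysmon Event ID 1; the sample paths, user names and file names are assumptions.

```python
import json

# Constructed Sysmon Event ID 1 (process creation) records, one JSON object per line.
# Paths, user names and file names are hypothetical samples, not telemetry from the report.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c C:\\Users\\ana\\AppData\\Local\\Temp\\Temp1_comprobante.zip\\comprobante.bat", "ParentCommandLine": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -nop -w hidden -enc QUJDRA==", "ParentCommandLine": "cmd.exe /c C:\\Users\\ana\\AppData\\Local\\Temp\\Temp1_comprobante.zip\\comprobante.bat"}
{"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "MSBuild.exe E:\\citacion.xml", "ParentCommandLine": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Program Files\\dotnet\\dotnet.exe", "CommandLine": "MSBuild.exe C:\\src\\app\\app.csproj", "ParentCommandLine": "dotnet build"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-ChildItem", "ParentCommandLine": "C:\\Windows\\explorer.exe"}
'''

# PowerShell switches that hide the window or carry an encoded script. Legitimate use is rare
# when the parent is a batch file sitting in a temp or archive-extraction folder.
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop", "frombase64string")

def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def mekotio_style_chain(ev):
    """cmd.exe running a .bat (e.g. one extracted from a phishing ZIP) that spawns PowerShell
    with hiding or encoding switches."""
    cmd = ev["CommandLine"].lower()
    return (_basename(ev["Image"]) == "powershell.exe"
            and _basename(ev["ParentImage"]) == "cmd.exe"
            and ".bat" in ev["ParentCommandLine"].lower()
            and any(flag in cmd for flag in SUSPICIOUS_PS_FLAGS))

def bbtok_style_chain(ev):
    """MSBuild.exe started directly by the shell, i.e. a build tool launched from a double-clicked
    LNK rather than by an IDE, dotnet.exe or a build script. A project file on a drive letter other
    than C: (a mounted ISO) would be a further signal worth adding in production."""
    return (_basename(ev["Image"]) == "msbuild.exe"
            and _basename(ev["ParentImage"]) == "explorer.exe")

def triage(jsonl):
    """Run both heuristics over JSON-lines events; return (line index, rule name) for each hit."""
    hits = []
    lines = [ln for ln in jsonl.splitlines() if ln.strip()]
    for idx, line in enumerate(lines):
        ev = json.loads(line)
        for rule in (mekotio_style_chain, bbtok_style_chain):
            if rule(ev):
                hits.append((idx, rule.__name__))
    return hits
```

Against the sample set, only the batch-to-PowerShell event and the explorer-spawned MSBuild event fire; the developer build and the interactive PowerShell session do not.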
These banking Trojans pose significant risks to individuals and businesses alike. Mekotio and BBTok are designed to steal sensitive financial information, leading to unauthorized transactions, data theft, and potentially crippling financial losses. Mekotio’s new tactics, particularly its ability to adapt based on the compromised system’s location, indicate that the Trojan’s scope may expand beyond Latin America, potentially impacting victims worldwide.
Our research has also shown that manufacturing companies were the hardest hit by these phishing attacks in August 2024, accounting for 26% of all incidents. Retail businesses, technology enterprises, and financial services were also significantly targeted. The broader implications suggest a growing need for businesses to bolster their defenses against increasingly sophisticated phishing attacks.
Insights and Analysis
To protect against these evolving threats, organizations should:
- Implement advanced threat detection and zero-trust security frameworks.
- Educate employees on phishing tactics and how to identify suspicious emails.
- Regularly update security protocols and ensure that email filters and anti-spam tools are activated.
- Encourage employees to verify the legitimacy of emails, especially those involving financial or legal matters.
For individual users, the following practices are essential:
- Be wary of unsolicited emails and verify the sender’s identity.
- Avoid clicking on suspicious links or downloading unverified attachments.
- Use reputable anti-spam software and email filters.
- Report phishing attempts to IT teams or security personnel.
Mekotio and BBTok continue to be formidable threats in Latin America, employing sophisticated tactics to steal sensitive financial information. Businesses and individuals alike must adopt proactive measures to defend against these banking Trojans. Strengthening security protocols, increasing employee awareness, and maintaining vigilance against phishing emails are critical steps in mitigating the risks posed by these evolving threats.
Indicators of Compromise (IoCs)
The full indicator list for both campaigns (file hashes with their detection names, and network indicators) is published in Trend Micro's IoC document linked under References.
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Mekotio uses obfuscated PowerShell scripts to execute its malware. |
Execution | Execution through Module Load | T1129 | BBTok uses MSBuild.exe to execute malicious code via a legitimate Windows utility. |
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | Mekotio and BBTok create registry keys to ensure persistence. |
Defense Evasion | Obfuscated Files or Information | T1027 | Mekotio uses obfuscated batch files and PowerShell scripts to avoid detection. |
Defense Evasion | Masquerading | T1036 | BBTok uses LNK files disguised as PDF documents to evade detection. |
Defense Evasion | Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 | BBTok leverages legitimate utilities like MSBuild.exe to evade detection and gain elevated privileges. |
References
https://documents.trendmicro.com/images/TEx/Mekotio-and-BBTok-IOCsktvYaQ0.txt