Summary:
- Latin American regions are seeing a surge in phishing campaigns that distribute banking Trojans such as Mekotio, BBTok, and Grandoreiro.
- The criminals behind these banking Trojans are using judicial-themed phishing emails in addition to the traditional business-transaction lures.
- Our investigation of Mekotio suggests that its operators are likely to expand their targets beyond Latin America.
Our monitoring has observed an alarming increase in sophisticated phishing attacks attempting to breach financial systems across Latin America. Banking Trojans including BBTok, Mekotio, and Grandoreiro are resurging to steal confidential banking credentials and execute unauthorized transactions. In this article, we explore the evolving phishing strategies employed by Mekotio and BBTok and examine their recent campaigns.
Latin American regions are seeing a rise in phishing campaigns that use two kinds of lures: business transactions and judicial-related transactions.
Business-transaction phishing, as the name indicates, exploits the trust placed in professional communications by imitating them. Proven tactics continue to work: links embedded in emails lead to counterfeit business websites where users are instructed to download malicious software, and delivering the trojans inside malicious PDF and ZIP attachments remains an effective way to infect victims.


At the same time, cybercriminals lure victims with phishing emails claiming they have committed traffic violations; these exploit the fear and urgency associated with official legal notices. The attackers imitate genuine communications from law enforcement, informing victims of bogus speeding tickets or other legal complaints that pressure them to click links without scrutiny. These emails frequently contain links to counterfeit websites where victims unknowingly download malware onto their devices. Judicial-related lures also use malicious PDF and ZIP attachments that infect the victim’s device once downloaded and executed.
Both kinds of attack attempt to bypass a user’s usual caution by creating a false sense of urgency around legal and financial matters, pushing them into quick and harmful decisions.


Our telemetry from August 2024 shows that the attackers behind the business-transaction and traffic-violation lures predominantly target manufacturing firms, which account for 26% of the attacks we identified. Retail was also substantially affected at 18% of incidents, followed by the technology and financial services sectors with 16% and 8% of attacks respectively. These phishing campaigns most commonly deliver the banking Trojans Mekotio, BBTok, and Grandoreiro. In the following section, we look at how Mekotio and BBTok operate against Latin American victims.

Mekotio and BBTok mainly focus on the Latin American region. Mekotio, first identified in March 2018, has expanded from targeting Brazilian users and banks to other Spanish-speaking countries such as Chile, Mexico, Colombia, and Argentina, as well as parts of Southern Europe, including Spain. Our analysis also indicates that the operators behind Mekotio aim to widen their victimology geographically. BBTok, first observed in 2020, focuses more narrowly on the Latin American financial sector but shares targets with Mekotio such as Brazil, Chile, Mexico, and Argentina.
Mekotio is distributed primarily through phishing emails with malicious attachments, making it a versatile and persistent threat in the region. Our research shows that it now uses a new technique in which the trojan’s PowerShell script is obfuscated, improving its ability to evade detection.
BBTok is likewise typically spread through phishing emails with malicious attachments, but recent campaigns use phishing links to download ZIP or ISO files containing LNK files that start the infection chain. BBTok’s advanced credential-theft and data-exfiltration features make it a formidable threat in the region. Another recently observed BBTok technique is embedding the DLL payload directly in the downloaded ISO file.
Mekotio’s latest iteration broadens targets geographically

When the victim clicks a URL in the phishing email, they are taken to a malicious website designed to trigger the download of a ZIP file. Inside the ZIP is an obfuscated batch file engineered to evade security tools and hide its malicious payload. Executing the batch file launches a PowerShell script that acts as a second-stage downloader. This script then connects to a second URL, enabling the next phases of the attack, such as downloading additional malware or exfiltrating sensitive data.


Figure: Attack technique
The second URL hosts another obfuscated PowerShell script designed to adjust its behavior to the specific environment it has compromised. On launch, the script runs several reconnaissance checks to gather key details about the infected system. First, it looks up the system’s public IP address to determine its network location. It then uses geolocation services to identify the country in which the device is located.
It also collects basic system details, including the machine name and the username of the currently logged-in user, to build a clearer picture of the environment it has compromised. Finally, the script checks for installed antivirus software and determines the operating system version so it can tailor its next steps and avoid detection.

Our analysis shows that the Mekotio variant examined here uses a PowerShell script that omits the country check found in earlier versions. Previously, the malware would only proceed with its malicious routines if the infected system was located in one of the following countries: Brazil, Chile, Spain, Mexico, or Peru. This new variant appears to adopt a revised targeting approach, potentially broadening its focus by adapting its behavior to a wider range of geographies.
After the environment checks complete, the malware downloads another ZIP archive containing the final payload. This package holds AutoHotKey.exe, an AutoHotKey script, and the Mekotio DLL. These components carry out the final stage of the attack, allowing the malware to perform its intended malicious actions on the compromised system.
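The reconnaissance sequence described above (public IP, geolocation, machine and user name, antivirus, OS version) is what a detection engineer can key on, because PowerShell script block logging (Event ID 4104) records the script text as it executes, after any obfuscation layer has been unwrapped. The following Python is an added example written for this article, not the vendor's detection logic or any Mekotio code: it scores constructed script-block excerpts by how many reconnaissance categories they combine. The lookup hostnames and block identifiers are placeholders.

```python
import re

# Constructed PowerShell script-block excerpts (the text a 4104 "script block
# logging" event would carry). Neither is from the article or a real sample.
SAMPLE_SCRIPT_BLOCKS = {
    # Ordinary admin inventory script: touches one category only.
    "inventory.ps1": (
        "Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version\n"
        "Get-Service | Where-Object Status -eq 'Running'\n"
    ),
    # Second-stage style profiling: public IP, geolocation, host/user,
    # installed AV and OS version in one block. Hostnames are placeholders.
    "stage2-downloader": (
        "$ip = (Invoke-RestMethod -Uri 'https://ip-lookup.example/json').ip\n"
        "$geo = Invoke-RestMethod -Uri ('https://geo-lookup.example/' + $ip)\n"
        "$box = $env:COMPUTERNAME; $who = $env:USERNAME\n"
        "$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct\n"
        "$os = (Get-CimInstance Win32_OperatingSystem).Caption\n"
    ),
}

# One regex per reconnaissance category the article describes. They are
# deliberately loose: each category on its own is common in admin scripts;
# the signal is the combination.
RECON_PATTERNS = {
    "public_ip": re.compile(r"Invoke-(?:RestMethod|WebRequest)\b.*\bip\b", re.I),
    "geolocation": re.compile(r"\b(?:geo|geoip|country)\b", re.I),
    "host_identity": re.compile(r"\$env:(?:COMPUTERNAME|USERNAME)\b", re.I),
    "av_enumeration": re.compile(r"SecurityCenter2|AntiVirusProduct", re.I),
    "os_version": re.compile(r"Win32_OperatingSystem|\[Environment\]::OSVersion", re.I),
}


def classify_script(text):
    """Return the sorted reconnaissance categories present in one script block."""
    return sorted(name for name, rx in RECON_PATTERNS.items() if rx.search(text))


def flag_reconnaissance(blocks, min_categories=3):
    """Return {block_id: categories} for blocks hitting at least min_categories.

    The threshold, not any single pattern, separates a profiling stage from
    an inventory script; lower it only together with an allow-list.
    """
    flagged = {}
    for block_id, text in blocks.items():
        categories = classify_script(text)
        if len(categories) >= min_categories:
            flagged[block_id] = categories
    return flagged


if __name__ == "__main__":
    for block_id, categories in flag_reconnaissance(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{block_id}: {', '.join(categories)}")
```

Because the variant described above has dropped the country gate, the rule does not require the geolocation category and does not match on a fixed list of countries; a threshold of three combined categories does the separating. Tune the patterns against a sample of your own administrative scripts before deploying, since the `public_ip` and `os_version` patterns will also match legitimate inventory tooling on their own.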


To ensure persistence, an autorun registry entry is also created so that the malware starts automatically at system boot and keeps its foothold on the infected machine.

BBTok abuses a legitimate Windows utility for evasion

When a target clicks the malicious link in the phishing email, an ISO file is downloaded that contains malicious components, including a shortcut (LNK) file that, when executed, starts the infection chain and deploys the malicious scripts. At the same time, a decoy document is opened to distract the target, reducing suspicion and increasing the likelihood of a successful infection.



The infection chain continues when the LNK file launches MSBuild.exe, which is bundled inside the ISO file. MSBuild.exe then loads a malicious XML file also hidden in the ISO. By abusing the legitimate Windows utility MSBuild.exe, the attackers can execute their malicious code while evading detection.

Once loaded by MSBuild.exe, the XML file drives the creation and execution of a malicious DLL via rundll32.exe. This establishes a connection to the attacker’s command-and-control (C&C) server, giving them further control over the compromised system. The XML file also opens a decoy file and retrieves the directory of the ZIP file, preparing the ground for the next actions.
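The chain above, an LNK that starts a copy of MSBuild.exe from the mounted ISO, which builds an XML project that in turn runs rundll32.exe with a DLL, leaves a distinctive parent-child process pattern. The following Python is an added example, not code from the article or from BBTok, that applies three checks to constructed Sysmon-style process-creation events: MSBuild.exe running from outside its normal install locations, MSBuild.exe given a project file on a non-system drive (where a mounted ISO appears), and rundll32.exe whose parent is MSBuild.exe. The drive letter E:, the file names on it and the export name `Start` are placeholders, and the system drive is assumed to be C:.

```python
import shlex
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields a Sysmon Event ID 1 provides)."""
    pid: int
    parent_pid: int
    image: str
    command_line: str


# Constructed events, not from the article or any real capture. E: stands for
# a mounted ISO; the file names on it and the export name are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Legitimate developer build from a project directory on the system drive.
    ProcessEvent(200, 100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"MSBuild.exe C:\src\app\app.csproj"),
    # MSBuild copied into the ISO and run against an XML project on the same mount.
    ProcessEvent(300, 100, r"E:\MSBuild.exe", r"E:\MSBuild.exe E:\lure.xml"),
    # The project then launches rundll32 with a DLL (name taken from the article).
    ProcessEvent(301, 300, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\Trammy.dll,Start"),
]

# Where MSBuild.exe legitimately lives; assumption for a default install on C:.
TRUSTED_MSBUILD_PREFIXES = (
    r"c:\windows\microsoft.net\framework",          # also matches framework64
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
    r"c:\program files\dotnet",
)
PROJECT_SUFFIXES = {".xml", ".proj", ".csproj", ".vbproj", ".targets"}
SYSTEM_DRIVE = "C:"   # assumption


def _image_name(path):
    return PureWindowsPath(path).name.lower()


def detect_msbuild_abuse(events):
    """Return [(pid, rule_name)] for events matching any of the three rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for event in events:
        name = _image_name(event.image)
        if name == "msbuild.exe":
            if not event.image.lower().startswith(TRUSTED_MSBUILD_PREFIXES):
                findings.append((event.pid, "msbuild_outside_trusted_path"))
            # posix=False keeps Windows backslashes and quoted paths intact.
            for arg in shlex.split(event.command_line, posix=False)[1:]:
                path = PureWindowsPath(arg.strip('"'))
                if (path.suffix.lower() in PROJECT_SUFFIXES
                        and path.drive.upper() not in ("", SYSTEM_DRIVE)):
                    findings.append((event.pid, "project_file_on_non_system_drive"))
                    break
        elif name == "rundll32.exe":
            parent = by_pid.get(event.parent_pid)
            if parent is not None and _image_name(parent.image) == "msbuild.exe":
                findings.append((event.pid, "rundll32_spawned_by_msbuild"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect_msbuild_abuse(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The trusted-path list and the non-system-drive heuristic are environment assumptions: developers who keep source trees on D: will trip the second rule, so pair it with the first or third rather than alerting on it alone. The parent-child rule is the most robust of the three, because a build tool has no ordinary reason to spawn rundll32.exe.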


The routine creates a folder into which the ZIP file is copied, then creates and checks a mutex as an infection marker. The ZIP file is then extracted, and the system registry is modified so that the DLL from the ZIP is launched at system startup, giving the malware persistence.



The extracted files, which include the malicious BBTok DLL, typically named Brammy.dll or Trammy.dll, are then executed, advancing the attack and deploying additional payloads.
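Both trojans described above persist through an autorun registry entry: Mekotio's launches AutoHotKey.exe with its script, and BBTok's starts the DLL extracted from the ZIP (typically Brammy.dll or Trammy.dll) at startup. The following Python is an added example, not the article's or either malware's code, that audits constructed Run-key entries with three checks: a script-host launcher, a script or DLL payload in a user-writable directory, and a DLL name matching those the article reports. The user account, value names and paths are placeholders; on a live host the dictionary would be filled from `reg query` or the Sysinternals Autoruns tool rather than constructed.

```python
import shlex
from pathlib import PureWindowsPath

# Constructed Run-key contents (what `reg query` or Autoruns would list); not
# from the article. Account name, value names and paths are placeholders.
SAMPLE_RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Updater": r"C:\Users\Public\Libraries\AutoHotKey.exe C:\Users\Public\Libraries\run.ahk",
        "Brammy": r"rundll32.exe C:\Users\alice\AppData\Roaming\Brammy.dll,Start",
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
}

# Launchers that run someone else's code: the two the article names plus
# three other script hosts commonly seen in autorun entries.
SCRIPT_HOSTS = {"autohotkey.exe", "rundll32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PAYLOAD_SUFFIXES = {".dll", ".ahk", ".vbs", ".js", ".hta", ".ps1"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
KNOWN_BBTOK_DLLS = {"brammy.dll", "trammy.dll"}   # names reported in the article


def _tokens(command):
    # posix=False keeps backslashes; quotes are kept on the token, so strip them.
    return [t.strip('"') for t in shlex.split(command, posix=False)]


def classify_autorun(command):
    """Return the list of rule names an autorun command line matches."""
    rules = []
    tokens = _tokens(command)
    if not tokens:
        return rules
    if PureWindowsPath(tokens[0]).name.lower() in SCRIPT_HOSTS:
        rules.append("script_host_launcher")
    payload_in_user_dir = False
    known_name = False
    for token in tokens:
        # rundll32 arguments look like "file.dll,Export"; keep the file part.
        path = PureWindowsPath(token.split(",")[0])
        if path.suffix.lower() not in PAYLOAD_SUFFIXES:
            continue
        if any(marker in str(path).lower() for marker in USER_WRITABLE):
            payload_in_user_dir = True
        if path.name.lower() in KNOWN_BBTOK_DLLS:
            known_name = True
    if payload_in_user_dir:
        rules.append("payload_in_user_writable_path")
    if known_name:
        rules.append("known_bbtok_dll_name")
    return rules


def audit_run_keys(run_keys):
    """Return {key\\value_name: rules} for every entry that matches at least one rule."""
    findings = {}
    for key, values in run_keys.items():
        for value_name, command in values.items():
            rules = classify_autorun(command)
            if rules:
                findings[f"{key}\\{value_name}"] = rules
    return findings


if __name__ == "__main__":
    for entry, rules in audit_run_keys(SAMPLE_RUN_KEYS).items():
        print(f"{entry}: {', '.join(rules)}")
```

The user-writable-path check deliberately fires only for script and DLL payloads, not for executables, because legitimate per-user software such as OneDrive installs under AppData. The known-name check is the weakest signal, since file names are trivial to change; it is included to show how an indicator reported in the article sits beside the behavioral rules rather than replacing them.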

The rise in phishing campaigns aimed at Latin American users to steal banking credentials and carry out fraudulent transactions underscores the urgent need for stronger defenses against the increasingly refined techniques used by cybercriminals. These trojans are becoming better at evading detection and harvesting confidential data, while the groups behind them are becoming bolder in targeting larger populations for greater profit.
We advise businesses to strengthen their security posture by deploying modern threat-detection systems, regularly updating security controls, and training staff to recognize and respond to phishing attempts. A proactive and skeptical approach to security will help mitigate these threats and protect financial systems against these evolving dangers.
By adhering to proper security practices, individuals can safeguard themselves against threats primarily disseminated through emails. These measures include:
- Maintaining skepticism towards unsolicited emails; confirming the sender’s authenticity and email address, scrutinizing content for spelling and grammar errors, and analyzing subject lines
- Refraining from clicking on links and downloading attachments whose content is unverified
- Verifying URLs by hovering over links and avoiding attachment downloads unless sender identity is certain
- If an email seems suspicious, directly contacting the sender via an alternate platform using verified contact information to confirm their identity, and cross-checking the email against prior communications
- Utilizing email filters and anti-spam applications
- Ensuring that spam filters and other security utilities are activated and up-to-date
- Reporting phishing attempts to respective IT and security departments upon encounter
- Organizations should also educate their workforce on phishing strategies and social engineering tactics, alongside conducting regular phishing awareness training sessions
As of now, all Indicators of Compromise (IoCs) have been identified and blocked. The IoC list can be accessed here.
