Synopsis:
- Latin America is seeing a surge in phishing campaigns that deliver established banking malware, including the notorious Mekotio, BBTok, and Grandoreiro.
- The criminals operating these banking trojans are using judicial-themed phishing emails alongside the traditional business-transaction lures to reach victims.
- Our analysis of Mekotio suggests its operators are likely extending their targeting beyond Latin America.
Our monitoring has revealed a concerning rise in sophisticated phishing attempts aimed at compromising financial institutions and their customers across Latin America. The resurgence of banking malware such as BBTok, Mekotio, and Grandoreiro aims to steal confidential banking data and carry out fraudulent transactions. In this article, we examine the evolving phishing strategies used by Mekotio and BBTok and look at their recent campaigns.
We have observed an increase in phishing lures in Latin America built around two main themes: business transactions and judicial or legal matters.
Business-themed phishing lures exploit the credibility of professional communication by impersonating legitimate organizations. The established playbook remains effective: links in the email lead to fake corporate websites that urge the user to download malicious software. Embedding trojans in malicious PDF and ZIP files delivered to the target's machine also remains a reliable way to infect victims.
Meanwhile, cybercriminals are luring victims with scam emails that allege traffic violations; these exploit the anxiety and urgency that genuine legal notices create. The emails impersonate correspondence from law enforcement, warning the recipient of a fictitious speeding offense or other charge and pressing them to respond and click a link quickly. The links typically lead to forged websites where victims unknowingly download malware onto their machines. Legal-themed lures also use malicious PDF and ZIP attachments which, once downloaded and executed, infect the victim's device.
Both kinds of attack try to bypass a user's usual caution by creating a false sense of urgency around legal and financial matters, prompting hasty and harmful actions.
Our data from August 2024 shows that the cybercriminals running these business-transaction and traffic-violation phishing campaigns mainly target manufacturing companies, which account for 26% of the incidents identified. Retail was also heavily affected, at 18% of incidents, followed by the technology and financial services sectors at 16% and 8% of attacks respectively. These phishing campaigns most commonly spread banking trojans such as Mekotio, BBTok, and Grandoreiro. In the following section, we look at how Mekotio and BBTok operate against Latin American victims.
Mekotio and BBTok primarily target Latin America. Mekotio, first discovered in March 2018, has expanded from Brazilian users and banks to other Spanish-speaking countries such as Chile, Mexico, Colombia, and Argentina, as well as parts of Southern Europe, notably Spain. Our research also suggests that the actors behind Mekotio are testing geographic diversification in their victim selection. BBTok, first identified in 2020, focuses on the Latin American banking sector and overlaps with Mekotio in target regions such as Brazil, Chile, Mexico, and Argentina.
Mekotio is mainly distributed through phishing emails with malicious attachments, which makes it a versatile and persistent threat in the region. Our analysis uncovered a new tactic: the trojan's PowerShell script is now obfuscated, improving its ability to evade detection.
BBTok is likewise distributed through phishing emails carrying malicious attachments, although recent campaigns use phishing links that fetch ZIP or ISO files containing LNK files that start the infection chain. BBTok's advanced credential-theft and data-exfiltration capabilities make it a formidable threat in the region. One new technique observed with BBTok is embedding the DLL payload directly inside the downloaded ISO file.
Mekotio’s latest variant broadens its geographic targets
When the victim clicks the link in the phishing email, they are redirected to a malicious website that triggers the download of a ZIP file. Inside the archive is an obfuscated batch file designed to evade security tools and hide its malicious payload. Running the batch file launches a PowerShell script that acts as a second-stage downloader. This script connects to a second URL that serves the later stages of the attack, such as installing additional malware or exfiltrating sensitive information.
Using a PowerShell command
The second URL serves an obfuscated PowerShell script that adapts its behavior to the compromised environment. When executed, the script performs several reconnaissance checks to gather basic information about the system: first it looks up the system's public IP address to establish where it sits on the network, then it uses a geolocation service to determine the country the device is in.
It also collects basic system details such as the device name and the username of the currently logged-in user. In addition, the script checks for active antivirus software and identifies the operating system version so it can tailor its next steps and avoid detection.
Our analysis of this Mekotio version shows that the PowerShell script no longer includes the country comparison seen in earlier versions. Previously, the malware would only continue if the compromised system was located in specific countries such as Brazil, Chile, Spain, Mexico, or Peru. The new iteration appears to have changed its targeting approach, potentially widening its reach by adjusting its behavior to a broader range of locations.
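The reconnaissance script described above arrives as an obfuscated PowerShell command, so a defender's first job is to decode it from the process command line and recognize the checks it performs. The following is an added example written for this article, not code from the campaign or from the original research: it builds a constructed sample command line that mimics the stages described (public IP lookup, geolocation, hostname and username, antivirus enumeration, OS version) using Base64-encoded UTF-16LE as PowerShell's -EncodedCommand expects, decodes it, and scores the recon indicators. The hostnames, regexes and scoring are assumptions for illustration; the decoded script is also where an analyst would look for the country comparison that the article says has disappeared.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample: a stand-in for the recon stage the article describes.
# It is NOT the actual Mekotio script; hostnames are placeholders.
SAMPLE_SCRIPT = (
    "$ip = (Invoke-RestMethod 'https://ipinfo.example/json').ip;"
    "$geo = Invoke-RestMethod \"https://geo.example/$ip\";"
    "$av = Get-WmiObject -Namespace root/SecurityCenter2 -Class AntiVirusProduct;"
    "$info = @($env:COMPUTERNAME, $env:USERNAME, [Environment]::OSVersion);"
)


def encode_command(script: str) -> str:
    """Wrap a script the way -EncodedCommand expects (used only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process command line as it would appear in a process-creation log.
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_command(SAMPLE_SCRIPT)
)

# Reconnaissance indicators matched against the *decoded* script.
# Labels and patterns are assumptions chosen for this example.
RECON_INDICATORS: Dict[str, re.Pattern] = {
    "public_ip_lookup": re.compile(r"(?i)(ipinfo|ifconfig\.me|api\.ipify|icanhazip|checkip)"),
    "geolocation": re.compile(r"(?i)(geo|country|ip-api|ipapi)"),
    "hostname_user": re.compile(r"(?i)\$env:(COMPUTERNAME|USERNAME)"),
    "antivirus_enum": re.compile(r"(?i)SecurityCenter2|AntiVirusProduct"),
    "os_version": re.compile(r"(?i)OSVersion|Win32_OperatingSystem"),
}

# Matches the short and long forms of the encoded-command switch.
ENC_FLAG = re.compile(r"(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_FLAG = re.compile(r"(?i)-w(indowstyle)?\s+hidden")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before Base64.
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> Dict[str, object]:
    """Decode the command line and report which recon behaviours it contains."""
    script = decode_encoded_command(cmdline)
    hits: List[str] = [
        name for name, rx in RECON_INDICATORS.items() if script and rx.search(script)
    ]
    hidden = bool(HIDDEN_FLAG.search(cmdline))
    # Simple additive score: one point per recon indicator, plus one each for
    # an encoded payload and a hidden window.
    score = len(hits) + (1 if script is not None else 0) + (1 if hidden else 0)
    return {"encoded": script is not None, "hidden_window": hidden,
            "recon": hits, "score": score}


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    print(triage(SAMPLE_CMDLINE))
```

Feeding real process-creation telemetry (for example Sysmon event ID 1 command lines) through `triage` gives a quick way to surface encoded PowerShell that performs several of these checks in one script; a benign command line such as `powershell.exe -NoProfile -Command Get-Date` scores zero.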
Once the environment checks are complete, the malware downloads a ZIP archive containing the final payload. The archive holds AutoHotKey.exe, an AutoHotKey script, and the Mekotio DLL. These components carry out the final stage of the attack, letting the malware perform its intended malicious operations on the compromised system.
For persistence, an autorun registry entry is created so that the malware starts at system boot, keeping its hold on the infected system.
BBTok uses a legitimate Windows utility to evade detection
When an unsuspecting user clicks the link in the phishing email, an ISO file is downloaded that contains the malicious components, including an LNK file. When the LNK file is opened it starts the infection chain and deploys the malicious scripts. At the same time a decoy document is displayed to distract the user, lowering suspicion and raising the chance of a successful compromise.
The infection continues when the LNK file launches the MSBuild.exe stored inside the ISO. MSBuild.exe then reads a hidden malicious XML file, also inside the ISO. By abusing the legitimate Windows utility MSBuild.exe, the threat actors run their malicious code while evading detection.
After MSBuild.exe runs, the XML file directs the creation and execution of a malicious DLL through rundll32.exe. This stage connects to the attacker's command-and-control (C&C) server, giving them further control over the compromised system. The XML file also opens a lure file and retrieves the directory of the ZIP file, preparing for the next steps.
The routine creates a directory into which the ZIP file is copied, followed by the creation and check of a mutex that serves as an infection marker. The ZIP file is then extracted, and the system registry is modified so that the DLL from the ZIP runs at system startup, giving the malware persistence.
Finally, the extracted files, including the malicious BBTok DLL (typically named Brammy.dll or Trammy.dll), are executed, continuing the attack and deploying additional payloads.
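The BBTok chain above (LNK, then MSBuild.exe from the ISO reading an XML file, then rundll32.exe loading the DLL, then a Run key for persistence) and the Mekotio autorun entry described earlier both leave a recognisable trail in process-creation and registry telemetry. The following is an added example written for this article, not code from the campaigns or from the original research: it runs a handful of correlation rules over constructed Sysmon-style events. The drive letter, paths, PIDs and Run value names are constructed; only the Brammy.dll/Trammy.dll names come from the article, and the list of expected MSBuild install locations is an assumption that should be adjusted to the environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed events in a Sysmon-like shape (process creation and registry
# value set). Paths, PIDs and drive letter are illustrative only.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "pid": 1100, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # LNK opened from the mounted ISO (E:) launches the bundled MSBuild.exe
    {"type": "process", "pid": 2200, "ppid": 1100,
     "image": r"E:\MSBuild.exe", "cmdline": r"E:\MSBuild.exe E:\invoice.xml"},
    # The XML project drives rundll32.exe to load the dropped DLL
    {"type": "process", "pid": 2300, "ppid": 2200,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\x\Trammy.dll,Start"},
    # BBTok-style persistence: Run key pointing at the DLL in a user path
    {"type": "registry", "pid": 2300,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater",
     "data": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\x\Trammy.dll,Start"},
    # Mekotio-style persistence: Run key launching AutoHotkey with a script
    {"type": "registry", "pid": 2500,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "AHK",
     "data": r"C:\Users\victim\AppData\Roaming\ahk\AutoHotkey.exe C:\Users\victim\AppData\Roaming\ahk\run.ahk"},
    # Benign control: a developer build from the real MSBuild location
    {"type": "process", "pid": 3100, "ppid": 1100,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": "MSBuild.exe app.csproj"},
]

# Assumed legitimate MSBuild locations (lower-case prefixes); tune per estate.
EXPECTED_MSBUILD_DIRS = (
    r"c:\windows\microsoft.net\framework",
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
    r"c:\program files\dotnet",
)
USER_WRITABLE = re.compile(r"(?i)\\(appdata|temp|public|downloads|programdata)\\")
RUNNABLE_TARGET = re.compile(r"(?i)\.(dll|exe|ahk|bat|vbs|js)\b")

Alert = Tuple[str, int]  # (rule name, pid)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Alert]:
    """Apply the correlation rules and return (rule, pid) alerts in event order."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts: List[Alert] = []
    for e in events:
        if e["type"] == "process":
            name = basename(e["image"])
            parent = by_pid.get(e["ppid"])
            pname = basename(parent["image"]) if parent else ""
            # MSBuild running from anywhere other than its install directories
            if name == "msbuild.exe" and not e["image"].lower().startswith(EXPECTED_MSBUILD_DIRS):
                alerts.append(("msbuild_unexpected_path", e["pid"]))
            # MSBuild launched interactively (explorer parent) with a bare XML project
            if name == "msbuild.exe" and pname == "explorer.exe" and re.search(r"(?i)\.xml\b", e["cmdline"]):
                alerts.append(("msbuild_xml_from_explorer", e["pid"]))
            # A build tool spawning rundll32 is not a normal build step
            if name == "rundll32.exe" and pname == "msbuild.exe":
                alerts.append(("rundll32_spawned_by_msbuild", e["pid"]))
        elif e["type"] == "registry":
            # Autorun entry whose target lives in a user-writable location
            if (e["key"].lower().endswith(r"\currentversion\run")
                    and USER_WRITABLE.search(e["data"]) and RUNNABLE_TARGET.search(e["data"])):
                alerts.append(("run_key_user_writable_target", e["pid"]))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[int, List[str]]:
    """Group alert rule names by pid so a chain stands out from a single hit."""
    out: Dict[int, List[str]] = {}
    for rule, pid in alerts:
        out.setdefault(pid, []).append(rule)
    return out


if __name__ == "__main__":
    for pid, rules in summarize(detect(SAMPLE_EVENTS)).items():
        print(pid, rules)
```

The rules are deliberately narrow: the benign developer build in the sample, launched from the Visual Studio directory with a .csproj, triggers nothing, while the ISO-hosted MSBuild.exe trips two rules on its own and the rundll32.exe child plus the Run key add two more on the same process tree.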
The increasingly elaborate phishing campaigns targeting Latin American users to steal banking credentials and carry out fraudulent transactions underline the urgent need for stronger defenses against the ever more sophisticated techniques these criminals use. These trojans have become adept at evading detection and stealing confidential information, while the groups behind them grow bolder in targeting larger populations for greater financial gain.
We recommend that enterprises strengthen their defenses by deploying advanced threat detection, keeping security controls up to date, and training staff to recognize and respond to phishing attempts. A proactive, skeptical approach to security will help mitigate these threats and protect financial systems against these evolving dangers.
By following sound security practices, users can protect themselves from threats that typically arrive by email. These include:
- Be skeptical of unsolicited emails; verify the sender's identity and email address, check spelling and grammar, and read subject lines carefully
- Do not click unverified links or download attachments of dubious origin
- Hover over hyperlinks to check the real URL, and do not download attachments unless the sender's identity has been confirmed
- If an email looks suspicious, contact the sender through a different channel using known-good contact details to confirm their identity, and compare the email with previous correspondence
- Use email filters and anti-spam tools
- Make sure spam filters and other security tools are enabled and up to date
- Report phishing attempts to the IT and security teams as soon as they are encountered
- Organizations should train their workforce on phishing and social engineering tactics and run regular phishing awareness sessions
As of this writing, all Indicators of Compromise (IoCs) have been identified and blocked. The list of IoCs can be accessed here.