David García Jan 7, 2021 3 min read

BBTOK: malware focused on infection and credential theft of Mexicans

BBtok is a new banking trojan whose authors seem to be focused, at least for the time being, on infecting Mexican users and stealing their credentials. If the victim who executes the dropper sent by email is not on a Mexican connection, the dropper does not continue with the download and installation of the second dropper and the rest of the modules.

The Portuguese strings found in the trojan's binary, the use of Delphi as the main language of the banker and the use of libraries already used in other Brazilian banking malware such as Grandoreiro suggest that this new malware could have been developed by Brazilian attackers.

Nor can we rule out the possibility that it's a new variant of Grandoreiro, developed by the attackers themselves, and that they may even be moving towards a Malware-as-a-Service (MaaS) business model, in which they market the malware so that the buyers are the ones who exploit it and infect the end users. In fact, it's likely that BBtok isn't a new family as such, and is actually a new version of Grandoreiro.

For the time being, the attackers' interest seems to lie in Mexican users, but as has happened in the past with other families, such as Pazera/Mekotio or Grandoreiro itself, it's likely that over time we will begin to see new versions in which the list of affected entities is expanded to include entities from other Latin American countries and Spain. We must be on the lookout for these new versions, which will most likely arrive in the coming months.

Take a look at our report, which you can download from here.

