A hard look at BBTok
Essential information
- Published
- 26/09/2024 12:55
- Modified
- 26/09/2024 13:10
- Tags
- 2024-09-26 bbtok
- Related entities
- 19 observables, 1 intrusion sets (apt), 19 techniques (mitre), 1 malware, 1 others
Description
This analysis dissects the infection chain of BBTok, a banking trojan that targets Brazil. The lure is an ISO image containing a shortcut (LNK) file and the other components of the chain. Once launched, the chain abuses the Microsoft Build Engine (MSBuild) to compile and execute malicious C# code on the victim's machine, so the final loader never has to ship as a pre-built binary. The core component, Trammy.dll, is obfuscated with ConfuserEx and is loaded through AppDomain Manager Injection, i.e. the .NET runtime is told to load the attacker's assembly as the AppDomainManager of a host process. The malware writes a log file, gathers system information, and establishes persistence through both scheduled tasks and service creation. It then downloads additional components, among them CCProxy for traffic manipulation and a Delphi payload. The operators restrict the attack to Brazilian IP addresses and use evasion techniques to avoid detection. The first external reference below (G DATA) walks through deobfuscating the .NET loader with dnlib and PowerShell.
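The three behaviours in the chain that a defender can actually see on an endpoint are MSBuild compiling a project from somewhere a build tool would never run, a `.exe.config` (or the `APPDOMAIN_MANAGER_*` environment variables) naming an AppDomainManager, and a scheduled task or service whose payload sits in a user-writable folder. The rule set below is an added example written for this page, not code from G DATA or from the BBTok sample. Field names follow Sysmon process-creation and file-creation events (Image, CommandLine, ParentImage, TargetFilename); the `Contents` and `Environment` fields, the folder and type names (`Loader`, `Trammy.Loader`), and all of the sample events are constructed for illustration.

```python
"""Toy detection rules for BBTok-style tradecraft (added example, not the
page's or G DATA's code).  Events are dicts with Sysmon-like field names;
'Contents' and 'Environment' are hypothetical enrichment fields."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Locations a normal build would not use: user-writable folders, or a drive
# letter other than C: (a mounted ISO is exposed to the user as a new drive).
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads)|Temp|ProgramData)\\", re.I)
NON_SYSTEM_DRIVE = re.compile(r"(?<![A-Za-z0-9])[D-Z]:\\", re.I)
# Quoted Windows paths (may contain spaces) or bare ones (no spaces).
WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
PERSIST = re.compile(r"\b(schtasks(\.exe)?\s+.*?/create|sc(\.exe)?\s+.*?\bcreate\b)", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _paths_in(cmd: str) -> List[str]:
    return [quoted or bare for quoted, bare in WIN_PATH.findall(cmd)]


def _suspicious_location(path: str) -> bool:
    return bool(USER_WRITABLE.search(path) or NON_SYSTEM_DRIVE.search(path))


def rule_msbuild_inline_build(ev: Event) -> bool:
    """MSBuild started by explorer.exe (a double-clicked LNK) or compiling a
    project that lives in a user-writable or removable/mounted location."""
    if ev.get("type") != "process" or _basename(ev.get("Image", "")) != "msbuild.exe":
        return False
    if _basename(ev.get("ParentImage", "")) == "explorer.exe":
        return True
    args = [p for p in _paths_in(ev.get("CommandLine", "")) if _basename(p) != "msbuild.exe"]
    return any(_suspicious_location(p) for p in args)


def rule_appdomain_manager_injection(ev: Event) -> bool:
    """A .exe.config being written that names an AppDomainManager, or a process
    started with both APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE set."""
    if ev.get("type") == "file":
        name = ev.get("TargetFilename", "").lower()
        return name.endswith(".exe.config") and "appdomainmanagerassembly" in ev.get("Contents", "").lower()
    if ev.get("type") == "process":
        env = ev.get("Environment", "").upper()
        return "APPDOMAIN_MANAGER_ASM=" in env and "APPDOMAIN_MANAGER_TYPE=" in env
    return False


def rule_persistence_from_user_path(ev: Event) -> bool:
    """schtasks /create or sc create whose payload path is user-writable."""
    cmd = ev.get("CommandLine", "")
    if ev.get("type") != "process" or not PERSIST.search(cmd):
        return False
    return any(_suspicious_location(p) for p in _paths_in(cmd))


RULES = {
    "msbuild_inline_build": rule_msbuild_inline_build,
    "appdomain_manager_injection": rule_appdomain_manager_injection,
    "persistence_from_user_path": rule_persistence_from_user_path,
}


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry, not real logs. Folder/type names are made up.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "ParentImage": r"C:\Windows\System32\cmd.exe",  # 0: project on mounted ISO (E:)
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" "E:\Docs\project.xml"'},
    {"type": "process", "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",  # 1: benign build
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
    {"type": "file", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",  # 2: AppDomainManager config dropped
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Loader\host.exe.config",
     "Contents": '<configuration><runtime><appDomainManagerAssembly value="Trammy" />'
                 '<appDomainManagerType value="Trammy.Loader" /></runtime></configuration>'},
    {"type": "process", "ParentImage": r"C:\Windows\System32\cmd.exe",  # 3: scheduled task pointing into AppData
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\victim\AppData\Roaming\Loader\host.exe"'},
    {"type": "process", "ParentImage": r"C:\Windows\System32\services.exe",  # 4: benign service install
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create VSSAgent binPath= "C:\Program Files\Vendor\agent.exe"'},
    {"type": "process", "ParentImage": r"C:\Windows\System32\cmd.exe",  # 5: env-var variant of the injection
     "Image": r"C:\Users\victim\AppData\Roaming\Loader\host.exe",
     "CommandLine": r'"C:\Users\victim\AppData\Roaming\Loader\host.exe"',
     "Environment": "APPDOMAIN_MANAGER_ASM=Trammy;APPDOMAIN_MANAGER_TYPE=Trammy.Loader"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Running it flags events 0, 2, 3 and 5 and stays quiet on the Visual Studio build and the vendor service install. The rules are deliberately coarse: MSBuild launched from a developer's Downloads folder or a build agent that installs services from ProgramData will trip them, so in production they should be scoped to hosts that are not build machines and correlated with the ISO mount and LNK execution that start the chain.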
External references
- https://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader
- https://feeds.feedblitz.com/~/905243510/0/gdatasecurityblog-en~BBTok-Targeting-Brazil-Deobfuscating-the-NET-Loader-with-dnlib-and-PowerShell
- https://otx.alienvault.com/pulse/66f559b0764408b3e69464ed