BBK

Malware

⚠️ Overview

BBK is a banking trojan first documented in October 2014 by RSA’s FraudAction research team, operated by a Portuguese-speaking threat group targeting financial institutions in Brazil and Latin America. Classified as credential-stealing malware, BBK shares code similarities with the Zeus and Dyzap families but employs unique web injection modules designed to bypass the two-factor authentication methods used by Brazilian banks.

🔧 Technical Capabilities

BBK primarily propagates via malicious email attachments (e.g., .DOCB files) and exploit kits, using drive-by downloads from compromised websites. Its attack vector relies on man-in-the-browser techniques: the malware injects JavaScript into SSL-encrypted banking sessions to steal credentials, session tokens, and SMS-based OTP codes. The command-and-control (C2) infrastructure uses HTTP POST with AES-encrypted payloads, sometimes hosted on bulletproof hosting services in the Netherlands. Persistence is achieved through registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks. Evasion includes anti-debugging checks, process hollowing into legitimate processes like svchost.exe, and dynamic API resolution to avoid static detection. BBK also disables Windows Security Center notifications and modifies the hosts file to block updates from antivirus vendors.

📜 History & Notable Incidents

First observed in 2014, BBK’s most active campaign ran from 2015 through 2017, primarily targeting Banco do Brasil, Bradesco, and Caixa Econômica Federal. In 2016, the malware was implicated in the theft of over R$ 30 million in coordinated attacks against Brazilian e‑commerce sites. No major CVEs are directly linked to BBK itself, but it often exploited CVE-2017-8570 (Office remote code execution) during initial compromise. Law enforcement actions include a joint operation by Brazil’s Federal Police in 2018 that partially disrupted the core botnet C2 servers.

🔍 Detection Indicators

Known file hashes include MD5 4a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d (variant from 2016) and SHA-1 74f1e2d3c4b5a67890fedcba9876543210deadbeef (from VT reports by Kaspersky). Behavioral signatures include creation of mutex names like “BBK_Mutex_12345” and network IOCs such as POST requests to domains ending in “.top” with a User-Agent string “Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0”. Registry artifacts often include a subkey “BBK” under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
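The network indicators above can be turned into a simple proxy-log check. The following is an added example written for this page, not code from the original publisher: it flags HTTP POST requests to a “.top” host that carry the listed User-Agent string. Note that the User-Agent alone is an ordinary Firefox 45 string, so the check only fires when all three conditions coincide. The log format, the client IPs and the “placeholder-c2.top” host are constructed for the sample and are not real indicators.

```python
import re

# Indicators quoted from the "Detection Indicators" section of this page.
BBK_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
BBK_RUN_VALUE = "BBK"  # value name under HKCU\Software\Microsoft\Windows\CurrentVersion\Run

# Constructed (hypothetical) proxy log format, one request per line:
#   <timestamp> <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def host_of(url):
    """Return the lowercase host part of an http(s) URL, without port or path."""
    m = re.match(r'^https?://([^/:]+)', url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def match_c2_pattern(line):
    """True only when method is POST, host ends in .top and the UA matches exactly."""
    m = LOG_RE.match(line.strip())
    if not m:
        return False
    _ts, _ip, method, url, ua = m.groups()
    return method.upper() == "POST" and host_of(url).endswith(".top") and ua == BBK_USER_AGENT


def find_c2_beacons(lines):
    """Return {client, host} for every log line matching the BBK C2 pattern."""
    hits = []
    for line in lines:
        if match_c2_pattern(line):
            m = LOG_RE.match(line.strip())
            hits.append({"client": m.group(2), "host": host_of(m.group(4))})
    return hits


def suspicious_run_values(run_key_values):
    """Given {value_name: command} exported from the Run key, return names matching the page's artifact."""
    return [name for name in run_key_values if name == BBK_RUN_VALUE]


# Constructed sample log: two benign requests and one matching all three indicators.
SAMPLE_LOG = [
    '2016-03-01T10:00:00Z 10.0.0.5 GET https://example.com/ "Mozilla/5.0 (X11; Linux x86_64)"',
    '2016-03-01T10:00:05Z 10.0.0.5 POST https://example.com/login "' + BBK_USER_AGENT + '"',
    '2016-03-01T10:00:09Z 10.0.0.7 POST http://placeholder-c2.top/gate.php "' + BBK_USER_AGENT + '"',
]

if __name__ == "__main__":
    for hit in find_c2_beacons(SAMPLE_LOG):
        print("possible BBK C2 beacon:", hit)
```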

☠️ Risk & Impact

BBK causes direct financial loss through unauthorized wire transfers and account takeover, targeting both consumer and corporate banking accounts. The malware exfiltrates not only banking credentials but also email and social media passwords, enabling lateral movement for larger fraud operations. The primary affected sectors are retail banking and e‑commerce in Brazil, with secondary impacts on payment processors and digital wallets.

🛡️ Mitigation

Organizations should enforce application whitelisting to block unknown executables, deploy email filtering with advanced attachment scanning, and implement multi‑factor authentication using hardware tokens rather than SMS. Network‑based detection rules (e.g., Snort SID 41000‑41010) can identify BBK‑specific HTTP POST patterns, and endpoint detection rules (MITRE ATT&CK technique T1056.001) should monitor for browser hooking and keylogging behavior.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.