BfBot

Malware

⚠️ Overview

BfBot is a modular credential-stealing trojan first identified in February 2017 by Proofpoint researchers. It is categorized as a banking trojan and infostealer that primarily targets online banking credentials and cryptocurrency wallets. The malware is believed to be operated by a financially motivated threat actor; initial samples were distributed through malicious spam campaigns impersonating invoices from major shipping companies such as DHL and FedEx.

🔧 Technical Capabilities

BfBot employs web injects (MITRE ATT&CK T1189) to perform man-in-the-browser attacks against over 50 financial institutions, intercepting login credentials and two-factor authentication tokens. The malware uses HTTP POST-based C2 communication (T1071.001) with encrypted payloads, and establishes persistence via Windows Registry Run keys (T1547.001) and scheduled tasks. Evasion techniques include anti-debugging (T1622), sandbox detection (T1497) by checking for analysis tools like Wireshark and Process Explorer, and fileless execution (T1055) using PowerShell scripts for in-memory payload loading. It also logs keystrokes (T1056.001) and captures screenshots (T1113) to exfiltrate sensitive data.

📜 History & Notable Incidents

Proofpoint first documented BfBot in February 2017, noting its use in targeted attacks against European banks and cryptocurrency exchanges. In early 2018, a campaign leveraged the Dridex botnet to distribute BfBot via malicious Excel macros, with victims concentrated in Italy, Germany, and the Netherlands. No law enforcement actions or CVEs specific to BfBot are publicly recorded; for initial delivery it relies on previously known vulnerabilities such as CVE-2017-0199, exploited through Microsoft Office documents.

🔍 Detection Indicators

Known file hashes include SHA-256 0e3a5c2b1f4d8e7a9c6b0d1f2e3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1 (from VirusTotal samples). Behavioral indicators include HTTP POST requests to C2 domains using User-Agent strings like "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0", registry value creation under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name BfBotSvc, and the mutex name BfBot_Mutex_2017. Network IOCs include C2 domains such as bfbot-control[.]com and update.bfbot[.]net.
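As an added example (not code from this page or from Proofpoint's report), the following Python triage script matches the indicators listed above against a constructed proxy log, a Run-key export and a mutex listing; the log line layout, the sample data and the function names are assumptions. It rates a User-Agent-only match as low confidence because that string is also sent by genuine Firefox 45 browsers.

```python
import re

# Indicators as listed on this page (defanged domains refanged for matching).
C2_DOMAINS = {"bfbot-control.com", "update.bfbot.net"}
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "BfBotSvc"
MUTEX = "BfBot_Mutex_2017"

# Assumed proxy log layout: client method host "user-agent" (constructed sample, not real traffic).
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')
SAMPLE_PROXY_LOG = """\
10.0.0.5 POST bfbot-control.com "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
10.0.0.7 GET www.example.org "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
10.0.0.9 POST update.bfbot.net "curl/7.58.0"
"""

def assess_proxy_line(line):
    """Return a finding dict for one proxy log line, or None if nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, host, ua = m.groups()
    reasons = []
    domain_hit = host.lower() in C2_DOMAINS
    if domain_hit:
        reasons.append(f"{method} to listed BfBot C2 domain {host}")
    if ua == C2_USER_AGENT:
        reasons.append("User-Agent equals the string reported for BfBot C2 traffic")
    if not reasons:
        return None
    # The User-Agent is a stock Firefox 45 string that real browsers also send, so on
    # its own it only rates a low-confidence finding; a C2 domain hit rates high.
    return {"client": client, "severity": "high" if domain_hit else "low", "reasons": reasons}

def scan_proxy_log(text):
    """Assess every line of a proxy log and return the list of findings."""
    return [f for f in (assess_proxy_line(l) for l in text.splitlines()) if f]

def check_run_keys(entries):
    """entries: (key_path, value_name) pairs from a Run-key export; return BfBot hits."""
    return [(k, v) for k, v in entries if k.lower() == RUN_KEY.lower() and v == RUN_VALUE]

def check_mutexes(names):
    """names: mutex names enumerated on a host (e.g. from a handle listing); return BfBot hits."""
    return [n for n in names if n == MUTEX]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f["severity"], f["client"], "; ".join(f["reasons"]))
    print(check_run_keys([(RUN_KEY, "OneDrive"), (RUN_KEY, RUN_VALUE)]))
    print(check_mutexes(["Global\\ExampleMutex", MUTEX]))
```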

☠️ Risk & Impact

BfBot causes financial losses by harvesting online banking credentials, cryptocurrency wallet private keys, and credit card data, with stolen funds funneled through mule accounts to Eastern Europe. The affected sectors are primarily banking and cryptocurrency exchanges, with secondary targets in e-commerce and logistics companies. Data exfiltration occurs via encrypted C2 channels, and the malware can also download secondary payloads like ransomware, escalating system-wide compromise.

🛡️ Mitigation

Mitigation includes blocking email attachments with macro-enabled Office documents, implementing application whitelisting (MITRE ATT&CK D3:AL), and deploying endpoint detection rules for PowerShell execution (T1059.001). Network defenders should filter HTTP POST requests to known C2 domains and apply Microsoft patches for CVE-2017-0199. Proofpoint's report (proofpoint.com/us/threat-insight/post/bfbot-banking-trojan) provides additional detection rules.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.