BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell
Sept. 27, 2024, 5:47 p.m.
Description
This analysis dissects the infection chain of BBTok, a threat targeting Brazil. The malware is delivered as an ISO image containing a shortcut file and several supporting components. It abuses the Microsoft Build Engine (MSBuild) to compile and execute malicious C# code on the victim's machine. The core component, Trammy.dll, is obfuscated with ConfuserEx and is loaded through AppDomain Manager Injection. The malware creates a log file, gathers system information, and establishes persistence through scheduled tasks and service creation. It downloads additional components, including CCProxy for traffic manipulation, and a Delphi payload. The attack specifically targets Brazilian IP addresses and employs evasion techniques to avoid detection.
Date
Published: Sept. 26, 2024, 12:55 p.m.
Created: Sept. 26, 2024, 12:55 p.m.
Modified: Sept. 27, 2024, 5:47 p.m.
Attack Patterns
BBTok
T1547.006
T1543.003
T1497.002
T1053.005
T1027.002
T1497.001
T1059.003
T1059.001
T1012
T1518.001
T1562.001
T1204.002
T1082
T1105
T1205
T1055
T1140
T1027
T1112
Additional Information
Brazil