BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell

Sept. 27, 2024, 5:47 p.m.

Description

This analysis dissects the infection chain of BBTok, a Brazilian-targeted threat. The malware utilizes an ISO image containing a shortcut file and various components. It employs the Microsoft Build Engine to compile and execute malicious C# code on the victim's machine. The core component, Trammy.dll, is obfuscated using ConfuserEx and utilizes AppDomain Manager Injection for execution. The malware creates a log file, gathers system information, and establishes persistence through scheduled tasks and service creation. It downloads additional components, including CCProxy for traffic manipulation, and a Delphi payload. The attack specifically targets Brazilian IP addresses and employs evasion techniques to avoid detection.

Date

Published: Sept. 26, 2024, 12:55 p.m.
Created: Sept. 26, 2024, 12:55 p.m.
Modified: Sept. 27, 2024, 5:47 p.m.

Attack Patterns

BBTok

BBTok

T1547.006

T1543.003

T1497.002

T1053.005

T1027.002

T1497.001

T1059.003

T1059.001

T1012

T1518.001

T1562.001

T1204.002

T1082

T1105

T1205

T1055

T1140

T1027

T1112

Additional Information

Brazil