A new spear-phishing campaign delivering a modified version of an open-source remote access trojan called AllaKore RAT is targeting Mexican financial institutions, according to a report by the BlackBerry Research and Intelligence Team.
The activity is attributed to an unidentified, financially motivated threat actor based in Latin America and has been ongoing since at least 2021. The campaign uses lures that imitate the naming schemas of the Mexican Social Security Institute (IMSS) and include links to legitimate, benign documents during the installation process. The AllaKore RAT payload is modified so that the threat actors can send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.
The attacks appear to be specifically targeting large companies with gross revenues over $100 million, spanning various sectors including retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking. The infection chain begins with a ZIP file distributed via phishing or a drive-by compromise, containing an MSI installer file that drops a .NET downloader responsible for confirming the Mexican geolocation of the victim and retrieving the modified AllaKore RAT.
BlackBerry stated that the AllaKore RAT has the capability to keylog, screen capture, upload/download files, and take remote control of the victim’s machine. The new functions added to the malware include support for commands related to banking fraud, targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.
The threat actor’s links to Latin America are evident from the use of Starlink IP addresses located in Mexico during the campaign and from the Spanish-language instructions added to the modified RAT payload. Furthermore, the lures only work against companies that are large enough to report directly to the Mexican Social Security Institute (IMSS).
BlackBerry revealed that this threat actor has been persistently targeting Mexican entities for over two years for financial gain without showing any signs of stopping. These findings come in the wake of the identification of three vulnerabilities in the Lamassu Douro bitcoin ATMs by IOActive, which could allow an attacker with physical access to take full control of the devices and steal user assets. The issues were fixed by the Swiss company in October 2023.
The rise in cyber attacks against financial institutions and other sectors in Mexico underscores the need for stronger cybersecurity measures to keep sensitive information and assets out of the wrong hands. The sophistication and persistence of such threat actors highlight the importance of remaining vigilant and proactive in implementing robust security controls and training to mitigate the risks posed by these malicious activities.