Mexican financial institutions are in the crosshairs of a new spear-phishing campaign that distributes a modified version of an open-source remote access Trojan called AllaKore RAT.
BlackBerry's report on AllaKore RAT
The BlackBerry Research and Intelligence Team attributed the activity to an unknown, financially motivated threat actor based in Latin America; according to the researchers, the campaign has been active since at least 2021.
"The decoys use naming schemes from the Mexican Institute of Social Security (IMSS) and links to legitimate and benign documents during the installation process," the Canadian company said in an analysis published earlier this week, adding: "The AllaKore RAT payload is heavily modified to allow threat actors to send stolen banking credentials and unique authentication information to a command and control (C2) server for financial fraud purposes."
The attacks appear to be specifically designed to target large companies with gross revenues exceeding $100 million; the targeted entities span sectors such as retail, agriculture, the public sector, manufacturing, transportation, business services, consumer goods and banking.
The infection chain begins with a ZIP file, distributed via phishing or drive-by compromise, that contains an MSI installer. The installer drops a .NET downloader responsible for confirming that the victim is geolocated in Mexico and then retrieving the modified AllaKore RAT, a Delphi-based RAT that first appeared in 2015.
"AllaKore RAT, although quite basic, has the powerful ability to log keystrokes, capture screenshots, upload/download files and even take remote control of the victim's machine," BlackBerry said.
New features added to the malware by the threat actor include support for commands related to bank fraud, targeting Mexican banks and cryptocurrency trading platforms, launching a reverse shell, extracting clipboard contents, and fetching and executing additional payloads.
The threat actor's links to Latin America are inferred from the Mexican Starlink IP addresses used in the campaign and from the Spanish-language instructions added to the modified RAT payload; in addition, the lures only work against companies large enough to report directly to the Mexican Institute of Social Security (IMSS).
"This cybercriminal [or cybercriminals] has [or have] persistently targeted Mexican entities for financial gain," the company said. "This activity has continued for over two years and shows no signs of stopping."
The findings come as IOActive has identified three vulnerabilities in Lamassu Douro bitcoin ATMs (CVE-2024-0175, CVE-2024-0176 and CVE-2024-0177) that could allow an attacker with physical access to take complete control of the devices and steal user assets.
The attacks are made possible by abusing the ATMs' software update mechanism and the devices' ability to read QR codes, which lets an attacker deliver their own malicious file and trigger the execution of malicious code. The issues were resolved by the Swiss company in October 2023.