Financial Fraud Alert: AllaKore RAT Targets Mexican Corporations
Introduction: Mexican financial institutions are currently facing a severe threat from a spear-phishing campaign employing a modified version of the AllaKore RAT (Remote Access Trojan). Initiated by an unidentified financially motivated threat actor based in Latin America, this campaign, active since 2021, specifically aims at large corporations with revenues exceeding $100 million. In this blog post, we delve into the intricate details of the attack, shedding light on its methods and the potential repercussions for the targeted sectors.

Campaign Overview: The BlackBerry Research and Intelligence Team has identified the spear-phishing campaign, attributing it to an unknown Latin America-based threat actor. The attackers employ sophisticated lures, utilizing Mexican Social Security Institute (IMSS) naming schemas, and distributing benign documents during the installation process. The modified AllaKore RAT payload serves as the primary tool for stealing banking credentials and authentication information, sending them to a command-and-control (C2) server, with a focus on facilitating financial fraud.

Infection Chain: The infection chain begins with a ZIP file, delivered through phishing or drive-by compromise. Inside the ZIP file is an MSI installer that drops a .NET downloader, which first confirms that the victim is geolocated in Mexico before proceeding. Only then does the downloader retrieve the modified AllaKore RAT, a Delphi-based RAT first observed in 2015. Despite its basic design, AllaKore offers potent capabilities: keylogging, screen capture, file upload and download, and full remote control of the victim's machine.
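The staged delivery described above (archive, MSI installer, dropped downloader, geolocation check, then payload fetch) is a chain a defender can look for in endpoint telemetry. The script below is an added example written for this post, not code from BlackBerry or from the report; it assumes an EDR-like JSON-lines event format with `process` and `network` records, and the hostnames, PIDs, paths and domains in the sample are constructed placeholders rather than indicators from the campaign. It flags any child of `msiexec.exe` that was dropped into a user-writable directory and then contacted a geolocation lookup service, and records whether the MSI was launched out of a ZIP and which hosts the child contacted after the lookup.

```python
import json
from collections import defaultdict

# Hosts used for IP-geolocation lookups. Placeholder names for this example;
# a real deployment would substitute the lookup services it actually observes.
GEOLOOKUP_HOSTS = {"geo-lookup.example", "ip-country.example"}

# Constructed sample telemetry in an assumed EDR-like JSON-lines shape.
# Hostnames, PIDs, paths and domains are invented, not campaign indicators.
SAMPLE_TELEMETRY = r"""
{"host": "WS-01", "type": "process", "pid": 410, "ppid": 300, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"host": "WS-01", "type": "process", "pid": 512, "ppid": 410, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\Temp1_documento.zip\\instalador.msi"}
{"host": "WS-01", "type": "process", "pid": 640, "ppid": 512, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\MSI1234.tmp\\updater.exe", "cmdline": "updater.exe"}
{"host": "WS-01", "type": "network", "pid": 640, "dest_host": "geo-lookup.example", "dest_port": 443}
{"host": "WS-01", "type": "network", "pid": 640, "dest_host": "payload-host.example", "dest_port": 443}
{"host": "WS-02", "type": "process", "pid": 700, "ppid": 1, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /i C:\\Program Files\\Vendor\\setup.msi"}
{"host": "WS-02", "type": "process", "pid": 710, "ppid": 700, "image": "C:\\Program Files\\Vendor\\app.exe", "cmdline": "app.exe"}
{"host": "WS-02", "type": "network", "pid": 710, "dest_host": "updates.vendor.example", "dest_port": 443}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _is_msiexec(proc):
    return proc["image"].lower().endswith("\\msiexec.exe")


def _in_user_writable_dir(path):
    """True for locations where an installer drops a payload rather than an app."""
    p = path.lower()
    return any(m in p for m in ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\"))


def find_staged_chains(events):
    """Return one finding per msiexec child that was dropped to a user-writable
    directory and then performed a geolocation lookup. Each finding also records
    whether the MSI was launched from inside a ZIP and which non-lookup hosts the
    child contacted after the lookup (the likely payload fetch)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        procs = {ev["pid"]: ev for ev in evs if ev["type"] == "process"}
        conns = defaultdict(list)  # pid -> destination hosts, in event order
        for ev in evs:
            if ev["type"] == "network":
                conns[ev["pid"]].append(ev["dest_host"])

        for installer in filter(_is_msiexec, procs.values()):
            archive_launched = ".zip\\" in installer["cmdline"].lower()
            for child in procs.values():
                if child["ppid"] != installer["pid"] or not _in_user_writable_dir(child["image"]):
                    continue
                dests = conns.get(child["pid"], [])
                geo_idx = next((i for i, d in enumerate(dests) if d in GEOLOOKUP_HOSTS), None)
                if geo_idx is None:
                    continue
                findings.append({
                    "host": host,
                    "msiexec_pid": installer["pid"],
                    "child_pid": child["pid"],
                    "child_image": child["image"],
                    "archive_launched": archive_launched,
                    "geo_lookup": dests[geo_idx],
                    "follow_on_fetch": [d for d in dests[geo_idx + 1:] if d not in GEOLOOKUP_HOSTS],
                })
    return findings


if __name__ == "__main__":
    for finding in find_staged_chains(parse_events(SAMPLE_TELEMETRY)):
        print(json.dumps(finding, indent=2))
```

On the sample, WS-01 produces a finding (MSI launched from a ZIP, dropped child in `AppData`, lookup followed by a fetch from a second host) while WS-02, a vendor installer whose child lives under `Program Files` and never performs a lookup, stays quiet. The user-writable-directory and geolocation-lookup conditions are what keep ordinary software installs from alerting; tune both lists to your environment.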

Enhancements by Threat Actor: This threat campaign is marked by the introduction of new functions into the AllaKore RAT by the threat actor. These additions focus on commands related to banking fraud, targeting Mexican banks and crypto trading platforms. The modified RAT also exhibits capabilities like launching a reverse shell, extracting clipboard content, and fetching/executing additional payloads. The attacker's ties to Latin America are evident through the use of Mexico Starlink IPs and the inclusion of Spanish-language instructions in the modified RAT payload. Notably, the lures are designed to specifically target companies large enough to report directly to the Mexican Social Security Institute (IMSS).

Persistence and Continuation: The threat actor's persistent targeting of Mexican entities for financial gains has spanned over two years, with no signs of abating. This sustained campaign poses a significant risk to corporations across various sectors, including retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking.

Coinciding Developments: In tandem with these revelations, IOActive has identified vulnerabilities in Lamassu Douro bitcoin ATMs that could allow attackers with physical access to take full control of the devices and steal user assets. These vulnerabilities, identified as CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177, were addressed by the Swiss company in October 2023.

Conclusion: As Mexican corporations face an escalating threat from the AllaKore RAT spear-phishing campaign, it is imperative for organizations to bolster their cybersecurity defenses. The financial sector, in particular, must remain vigilant against evolving tactics employed by threat actors. With the threat actor showing no signs of relenting, proactive measures and continuous monitoring are crucial to thwart potential financial fraud schemes orchestrated through AllaKore RAT.
