    AllaKore RAT malware targets Mexican companies using financial fraud


January 27, 2024 | Editorial Department | Malware / Software updates


Mexican financial institutions are being targeted by a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributes the activity to an unknown, financially motivated Latin American threat actor. The campaign has been active since at least 2021.

    “The decoy uses the Mexican Institute of Social Security’s (IMSS) naming pattern and links to legitimate, benign documents during installation,” the Canadian company said in an analysis published earlier this week.

    “The AllaKore RAT payload is heavily modified to allow threat actors to send stolen banking credentials and unique authentication information back to command and control (C2) servers for financial fraud purposes.”


The attacks appear to specifically target large companies with gross revenue above $100 million. Targeted entities span the retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods and banking sectors.

The infection chain begins with a ZIP file, distributed by phishing or drive-by compromise, that contains an MSI installer. The installer drops a .NET downloader that confirms the victim's Mexican geolocation and then retrieves the modified AllaKore RAT, a Delphi-based RAT first observed in 2015.
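As an added example that is not part of the BlackBerry analysis or of this article, the following Python script triages a ZIP attachment for the delivery pattern just described: a Windows Installer package carried inside the archive. It identifies MSI files by the OLE2 compound-file header rather than trusting the extension, flags executable-type extensions, and reports header/extension mismatches. The archive it scans is constructed in memory, and the file names in it are invented placeholders, not the campaign's real lure names (the article does not give the IMSS naming pattern).

```python
"""Triage a ZIP attachment for an embedded Windows Installer (.msi) dropper.

Added example, not BlackBerry's or the campaign's code. The sample archive is
constructed inline; its file names are invented placeholders.
"""
import io
import zipfile

# MSI packages are OLE2 compound (CFB) files; this is the CFB header magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that rarely have a legitimate reason to arrive inside a mailed ZIP.
INSTALLER_EXTS = {".msi", ".exe", ".js", ".vbs", ".lnk", ".scr"}
# Legitimate OLE2 carriers other than MSI (legacy Office formats).
OLE_OFFICE_EXTS = {".doc", ".xls", ".ppt", ".msg"}


def _extension(name: str) -> str:
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious member: {"name", "reasons"}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _extension(name)
            with zf.open(info) as member:
                head = member.read(len(OLE_MAGIC))
            is_ole = head == OLE_MAGIC
            reasons = []
            if ext in INSTALLER_EXTS:
                reasons.append(f"executable-type extension {ext} inside archive")
            if is_ole and ext == ".msi":
                reasons.append("Windows Installer package (OLE2 compound file)")
            elif is_ole and ext not in OLE_OFFICE_EXTS:
                reasons.append(f"OLE2 container disguised with extension {ext!r}")
            elif ext == ".msi" and not is_ole:
                reasons.append(".msi extension but not an OLE2 container")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive(include_msi: bool = True) -> bytes:
    """Constructed test input: an MSI-like member (placeholder name) plus a
    benign text file. With include_msi=False only the benign file is present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if include_msi:
            # Placeholder lure name; 512-byte stub starting with the CFB magic.
            zf.writestr("Aviso_Patronal.msi", OLE_MAGIC + b"\x00" * 504)
        zf.writestr("lectura.txt", b"documento benigno\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Because the downloader geofences to Mexico, a detonation sandbox with a non-Mexican egress address may never fetch the second stage; triage of the first-stage archive and MSI is therefore the most reliable point at which to catch this chain.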

    “The AllaKore RAT, while somewhat basic, has powerful capabilities for keylogging, screen capture, uploading/downloading files, and even remote control of the victim’s machine,” BlackBerry said.

Features the threat actors added to the malware include support for bank-fraud-related commands targeting Mexican banks and cryptocurrency exchanges, launching reverse shells, extracting clipboard contents, and fetching and executing additional payloads.

The actor's link to Latin America is inferred from the use of a Mexican Starlink IP address in the campaign and from the Spanish-language commands added to the modified RAT payload. Furthermore, the lures are relevant only to companies large enough to report directly to the Mexican Institute of Social Security (IMSS).


    “This threat actor has been targeting Mexican entities for financial gain,” the company said. “This activity has been ongoing for more than two years and shows no signs of stopping.”

Separately, IOActive said it discovered three vulnerabilities (CVE-2024-0175, CVE-2024-0176 and CVE-2024-0177) in the Lamassu Douro Bitcoin ATM that could allow an attacker with physical access to take full control of the device and steal users' assets.

The attacks work by abusing the ATM's software-update mechanism and its ability to read QR codes to deliver attacker-controlled files and trigger arbitrary code execution. The Swiss company fixed the issues in October 2023.
