Mexican financial institutions are currently being targeted by a sophisticated spear-phishing campaign that deploys a modified variant of the open-source remote access trojan known as AllaKore RAT. This attack has been attributed to an unidentified financially motivated actor based in Latin America, with the campaign having been operational since at least 2021.

According to analysis from the BlackBerry Research and Intelligence Team, the phishing attempts are utilizing familiar naming conventions associated with the Mexican Social Security Institute (IMSS) and link to seemingly legitimate documents during the malware installation process. This tactic aims to enhance the credibility of the malicious payload.

The modified AllaKore RAT payload is designed to exfiltrate banking credentials and authentication details to a command-and-control (C2) server, which could enable significant financial fraud. The malware also supports keylogging, screen capture, and remote control of the infected machine.

The primary targets of this campaign appear to be large enterprises with annual revenues exceeding $100 million. Affected sectors include retail, agriculture, public services, manufacturing, transportation, commercial services, capital goods, and finance. The infection chain typically begins with a ZIP file delivered via phishing emails or drive-by downloads. The archive contains an MSI installer that launches a .NET downloader, which checks that the victim is geolocated in Mexico before retrieving the modified AllaKore RAT.
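As an added detection example (not code from the article or the BlackBerry report), the following flags the chain described above in Sysmon-style process, DNS, network and file events: a child of msiexec.exe that first queries a geolocation service, then opens an outbound connection, then drops an executable. The event tuples, image paths and the geolocation hostname are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry: (timestamp, kind, pid, ppid, image, detail).
# pid 300 follows the MSI -> downloader -> geo-check -> fetch -> drop chain;
# pid 400 is a benign app that merely looks up its own location.
EVENTS = [
    (1, "process", 100, 1, r"C:\Windows\explorer.exe", ""),
    (2, "process", 200, 100, r"C:\Windows\System32\msiexec.exe", r"/i C:\Users\u\Downloads\aviso.msi"),
    (3, "process", 300, 200, r"C:\Users\u\AppData\Local\Temp\updater.exe", ""),
    (4, "dns", 300, 200, r"C:\Users\u\AppData\Local\Temp\updater.exe", "geo-lookup.example"),
    (5, "network", 300, 200, r"C:\Users\u\AppData\Local\Temp\updater.exe", "203.0.113.10:443"),
    (6, "file", 300, 200, r"C:\Users\u\AppData\Local\Temp\updater.exe", r"C:\Users\u\AppData\Roaming\svc.exe"),
    (7, "process", 400, 1, r"C:\Program Files\App\app.exe", ""),
    (8, "dns", 400, 1, r"C:\Program Files\App\app.exe", "geo-lookup.example"),
]

# Assumed allow-list of IP-geolocation services worth correlating on.
GEO_HOSTS = {"geo-lookup.example"}


def _in_order(seen, wanted):
    """True if every stage in `wanted` occurs in `seen` in that order."""
    i = 0
    for stage in seen:
        if i < len(wanted) and stage == wanted[i]:
            i += 1
    return i == len(wanted)


def msi_spawned_downloaders(events):
    """Return pids of msiexec.exe children that query a geolocation host,
    then connect outbound, then write an .exe: the stage order of the
    downloader described in the article."""
    msiexec_pids = {e[2] for e in events
                    if e[1] == "process" and e[4].lower().endswith("msiexec.exe")}
    children = {e[2] for e in events if e[1] == "process" and e[3] in msiexec_pids}
    stages = defaultdict(list)
    for ts, kind, pid, ppid, image, detail in sorted(events, key=lambda e: e[0]):
        if pid not in children:
            continue
        if kind == "dns" and detail.lower() in GEO_HOSTS:
            stages[pid].append("geo")
        elif kind == "network":
            stages[pid].append("net")
        elif kind == "file" and detail.lower().endswith(".exe"):
            stages[pid].append("drop")
    return sorted(pid for pid, seen in stages.items()
                  if _in_order(seen, ["geo", "net", "drop"]))
```

Only pid 300 is reported; pid 400 performs the same lookup but is neither spawned by msiexec.exe nor followed by a download and drop.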

BlackBerry emphasized that while AllaKore RAT is not excessively complex, the threat actor has enhanced its functionality to include commands associated with financial fraud targeting both Mexican banks and cryptocurrency exchanges. The actor’s reliance on Mexican Starlink IPs and the implementation of Spanish-language instructions within the malware further support a regional attack strategy, explicitly aimed at companies required to report to the IMSS.

This campaign exemplifies several adversarial tactics outlined in the MITRE ATT&CK framework. Key actions likely include initial access through phishing, as well as persistence through the deployment of malicious payloads. The ability to escalate privileges and maintain control over compromised systems reflects a broader objective focused on financial exploitation.

BlackBerry warns that this threat actor remains persistent in its targeting of Mexican entities for ongoing financial gain. The analysis indicates no sign that these activities are ceasing, pointing to a sustained trend of cybercriminal targeting in the region.

In related news, vulnerabilities in Lamassu Douro bitcoin ATMs could enable attackers with physical access to take complete control of the machines, potentially leading to the theft of user assets. The identified vulnerabilities were reportedly patched in October 2023.