Mexican financial institutions are the target of a new spear-phishing campaign that delivers a modified version of an open-source remote access Trojan called AllaKore RAT.
The BlackBerry Research and Intelligence Team attributed the activity to an unknown, financially motivated threat actor based in Latin America. The campaign has been active since at least 2021.
“The decoys use Mexican Institute of Social Security (IMSS) naming schemes and links to legitimate, benign documents during the installation process,” the Canadian company said in an analysis published earlier this week.
“The AllaKore RAT payload is heavily modified to allow threat actors to send stolen banking credentials and unique authentication information to a command and control (C2) server for the purposes of financial fraud.”
The attacks appear to be designed specifically to target large companies with gross revenues exceeding $100 million. The targeted entities span the retail, agriculture, public sector, manufacturing, transportation, business services, capital goods and banking sectors.
The infection chain begins with a ZIP file distributed via phishing or drive-by compromise. The archive contains an MSI installer that drops a .NET downloader, which first confirms that the victim is geolocated in Mexico and then retrieves the modified AllaKore RAT, a Delphi-based RAT first observed in 2015.
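The ZIP-to-MSI stage described above is the one point in the chain where a defender can triage the lure before anything executes. The following is an added example for this page, not BlackBerry's tooling and not code from the campaign: a small Python helper that lists the entries of a ZIP archive and flags Windows Installer packages by their OLE2 container header rather than by file extension, so a renamed MSI is still caught. The sample archive, its entry names (including the IMSS-themed names and a disguised `.pdf`) and the padded OLE2 header are all constructed inline for the demonstration.

```python
"""
Triage helper for ZIP lures of the kind described above: list archive
entries and flag any that are Windows Installer (MSI) packages, whether
or not the entry name ends in .msi. MSI files are OLE2 compound documents,
so the check is on the 8-byte OLE2 magic, not on the extension.

Added example, not BlackBerry's code and not code from the campaign.
The sample archive below is constructed in memory.
"""
import io
import zipfile

# Magic bytes of an OLE2 compound file (used by .msi and by legacy .doc/.xls/.ppt)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MSI_EXTENSIONS = (".msi", ".msp", ".mst")
LEGACY_OFFICE_EXTENSIONS = (".doc", ".xls", ".ppt")


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive entry looks like an installer lure (empty if none)."""
    reasons = []
    lower = name.lower()
    if lower.endswith(MSI_EXTENSIONS):
        reasons.append("installer extension")
    if head.startswith(OLE_MAGIC):
        reasons.append("OLE2 header (MSI or legacy Office container)")
        if not lower.endswith(MSI_EXTENSIONS + LEGACY_OFFICE_EXTENSIONS):
            reasons.append("OLE2 header with mismatched extension")
    # IMSS-themed file names are the decoy pattern noted in the report
    if "imss" in lower:
        reasons.append("IMSS-themed name")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Scan a ZIP held in memory and map each suspicious entry name to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(OLE_MAGIC))  # only the header is needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Construct a test archive (hypothetical names): a real-looking MSI, a
    renamed MSI posing as a PDF, and a harmless text file."""
    buf = io.BytesIO()
    fake_ole_body = OLE_MAGIC + b"\x00" * 504  # constructed, not a valid MSI
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("instalador_IMSS.msi", fake_ole_body)
        zf.writestr("IMSS_constancia.pdf", fake_ole_body)
        zf.writestr("leeme.txt", b"documento legitimo\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(f"{entry}: {', '.join(why)}")
```

The header check deliberately reports legacy Office containers too, because they share the OLE2 magic with MSI; the extension mismatch reason is what separates a renamed installer from an ordinary `.doc`. Run it against a real quarantined attachment by passing the file's bytes to `scan_zip`.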
“AllaKore RAT, while somewhat basic, has the powerful ability to keylog, capture screenshots, upload/download files, and even remotely take control of the victim’s computer,” BlackBerry said.
New features added to the malware by the threat actor include commands for bank fraud targeting Mexican banks and cryptocurrency trading platforms, launching a reverse shell, extracting clipboard contents, and fetching and executing additional payloads.
The threat actor's ties to Latin America are inferred from the Mexican Starlink IP addresses used in the campaign and from the Spanish-language instructions added to the modified RAT payload. Furthermore, the lures only work against companies large enough to report directly to IMSS.
“This threat actor has consistently targeted Mexican entities for financial gain,” the company said. “This activity has been going on for over two years and shows no signs of stopping.”
The findings come as IOActive said it had identified three vulnerabilities in Lamassu Douro bitcoin ATMs (CVE-2024-0175, CVE-2024-0176 and CVE-2024-0177) that could allow an attacker with physical access to take full control of a device and steal users' assets.
The attacks are made possible by abusing the ATM's software update mechanism together with its ability to read QR codes, which lets the attacker deliver a malicious file of their own and achieve arbitrary code execution. The issues were resolved by the Swiss company in October 2023.