Mexican financial institutions are facing a new wave of cyber threats as an unknown Latin America-based, financially motivated threat actor launches a spear-phishing campaign utilizing a modified version of the AllaKore RAT (Remote Access Trojan). Researchers have been tracking this campaign since at least 2021, identifying specific tactics aimed at large companies with gross revenues exceeding $100 million across various sectors, including retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking.
The modus operandi involves the use of lures employing Mexican Social Security Institute (IMSS) naming schemes, along with links to seemingly legitimate documents during the installation process. The heavily modified AllaKore RAT payload facilitates the theft of banking credentials and unique authentication information, which is then transmitted to a command-and-control (C2) server for financial fraud purposes.
The infection chain initiates with a ZIP file, distributed either through phishing or drive-by compromise. This ZIP file contains an MSI installer file that deploys a .NET downloader, responsible for confirming the Mexican geolocation of the victim and fetching the altered AllaKore RAT. Originating in 2015 as a Delphi-based RAT, AllaKore RAT, despite its somewhat basic nature, possesses capabilities such as keylogging, screen capturing, file uploading/downloading, and remote control of the victim’s machine.
The threat actor has incorporated new functionalities into the malware, specifically tailored for banking fraud. These include support for commands targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and executing additional payloads.
The connection to Latin America is reinforced by the use of Mexico Starlink IPs and the inclusion of Spanish-language instructions in the modified RAT payload. Additionally, the lures are designed to be effective only for companies that report directly to the Mexican Social Security Institute (IMSS) department. The researchers noted that this threat actor has persistently targeted Mexican entities for financial gain, with the campaign spanning over two years and showing no signs of abating.
In a related development, IOActive identified vulnerabilities in Lamassu Douro bitcoin ATMs, posing risks of full device control and user asset theft. The vulnerabilities (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) were fixed by the Swiss company in October 2023, highlighting the ongoing challenges in securing financial technologies against evolving cyber threats.
Protecting financial institutions from AllaKore RAT malware demands a proactive cybersecurity strategy. Implementing robust email filtering and user education programs can fortify defenses against spear-phishing attempts. Regularly conducting security audits and vulnerability assessments helps identify and patch weaknesses in the network infrastructure. Additionally, maintaining up-to-date threat intelligence and collaborating with industry peers enhance the ability to anticipate and counter emerging threats in the financial sector.