Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.
The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin America-based financially motivated threat actor. The campaign has been active since at least 2021.
"Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process," the Canadian company said in an analysis published earlier this week.
"The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud."
The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking sectors.
The infection chain begins with a ZIP file that's either distributed via phishing or a drive-by compromise, which contains an MSI installer file that drops a .NET downloader responsible for confirming the Mexican geolocation of the victim and retrieving the altered AllaKore RAT, a Delphi-based RAT first observed in 2015.
"AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim's machine," BlackBerry said.
The new functions added to the malware by the threat actor include support for commands related to banking fraud, targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.
The threat actor's links to Latin America come from the use of Mexico Starlink IPs used in the campaign, as well as the addition of Spanish-language instructions to the modified RAT payload. Furthermore, the lures employed only work for companies that are large enough to report directly to the Mexican Social Security Institute (IMSS) department.
"This threat actor has been persistently targeting Mexican entities for the purposes of financial gain," the company said. "This activity has continued for over two years, and shows no signs of stopping."
The findings come as IOActive said it identified three vulnerabilities in the Lamassu Douro bitcoin ATMs (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) that could allow an attacker with physical access to take full control of the devices and steal user assets.
The attacks are made possible by exploiting the ATM's software update mechanism and the device's ability to read QR codes to supply their own malicious file and trigger the execution of arbitrary code. The issues were fixed by the Swiss company in October 2023.