RAT Malware Targeting Mexican Firms with Financial Fraud Tricks

Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

“Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process,” the Canadian company said in an analysis published earlier this week.

“The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”

It seems that the attacks are specifically intended to target big businesses with annual sales of more than $100 million. Retail, agriculture, the public sector, manufacturing, transportation, commercial services, capital goods, and banking are among the industries targeted.

The first step in the infection chain is the distribution of a ZIP file through phishing or drive-by compromise. This file contains an MSI installer file that launches a.NET downloader, which verifies the victim’s geolocation in Mexico and retrieves the modified AllaKore RAT, a Delphi-based RAT that was first discovered in 2015.

“AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim’s machine,” BlackBerry stated.

The threat actor has added new features to the malware, such as support for banking fraud-related commands, targeting cryptocurrency trading platforms and banks in Mexico, initiating a reverse shell, extracting content from the clipboard, and fetching and executing additional payloads.

The campaign’s use of Mexico Starlink IPs and the addition of Spanish-language instructions to the modified RAT payload provide the threat actor with links to Latin America. Moreover, the lures used are only effective for businesses big enough to submit reports directly to the department of the Mexican Social Security Institute (IMSS).

“This threat actor has been persistently targeting Mexican entities for the purposes of financial gain,” the business stated. “This activity has continued for over two years, and shows no signs of stopping.”

The results coincide with the announcement from IOActive that it has discovered three vulnerabilities (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) in the Lamassu Douro bitcoin ATMs that could provide physical access to an attacker the ability to take complete control of the machines and steal user data.

The ATM’s software update mechanism and its capacity to scan QR codes are exploited by the attackers to supply their own malicious file and start the execution of arbitrary code, thereby enabling the attacks. In October 2023, the Swiss company resolved the issues.