
AllaKore RAT: Malware targeting Mexican companies

Mexican financial institutions are at the centre of a new spear-phishing campaign delivering a modified version of an open-source remote access trojan known as AllaKore RAT.


The attack, which is financially motivated, is attributed to an anonymous threat actor in Latin America, active since 2021. The attacks target large companies in various sectors, including retail and banking, that have revenues of more than $100 million.


The infection starts with a ZIP file containing an MSI installer, with AllaKore RAT customized for bank credential theft. Despite its simplicity, AllaKore RAT is able to log keystrokes and capture the screen, upload and download files, and gain remote control. Enhanced features include support for bank fraud, targeting of Mexican banks, extraction of clipboard content and retrieval of additional data.
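A defender-side check for the delivery chain described above (a ZIP attachment carrying an MSI), added here as an example and not taken from the original article or from any vendor's tooling. The function names, reason labels and sample archive are constructed for illustration; the 8-byte OLE Compound File header used by MSI also matches legacy Office documents, so a header-only hit needs triage.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # Compound File header used by MSI
MAX_DEPTH = 2  # do not recurse into nested archives beyond this level


def scan_zip(data, depth=0, prefix=""):
    """Return [(member_path, reason)] for MSI-like members of a ZIP blob."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<archive>", "unreadable-zip")]
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.flag_bits & 0x1:  # encrypted member: content cannot be inspected
                findings.append((path, "encrypted-member"))
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            is_ole = head == OLE_MAGIC
            if info.filename.lower().endswith(".msi"):
                reason = "msi-extension" if is_ole else "msi-extension-no-ole-header"
                findings.append((path, reason))
            elif is_ole:
                # MSI content behind another extension, or a legacy Office file.
                findings.append((path, "ole-header-other-extension"))
            elif head[:4] == b"PK\x03\x04" and depth < MAX_DEPTH:
                findings.extend(scan_zip(zf.read(info), depth + 1, path + "!"))
    return findings


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed sample: harmless bytes that carry only the OLE header, not a real MSI.
FAKE_MSI = OLE_MAGIC + b"\x00" * 504
SAMPLE = make_zip({"setup.msi": FAKE_MSI, "docs/invoice.pdf": FAKE_MSI,
                   "inner.zip": make_zip({"update.MSI": FAKE_MSI})})

if __name__ == "__main__":
    print(*scan_zip(SAMPLE), sep="\n")
```

At a mail gateway, any non-empty result for an inbound attachment is a reasonable trigger for quarantine or sandbox detonation.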

The reported threat stems from the use of Starlink IP addresses in Mexico, which are linked to a campaign targeting Mexican entities. The links include instructions in Spanish to a modified malicious RAT payload. These tools are used exclusively by large companies linked to the Mexican Social Security Institute (IMSS). The threat is financially motivated and has been ongoing for more than two years. In addition, three vulnerabilities were detected in Bitcoin ATMs that allow full control and theft of users' personal assets.


The attacks take advantage of the software update mechanism and the ability to read QR codes. However, these problems were addressed in October 2023 by a company in Switzerland.

Source: thehackernews.com
