Rewterz Threat Alert –New Spear-Phishing Campaign Delivering AllaKore RAT Targets Mexican Financial Institutions – Active IOCs

Severity

High

Analysis Summary

Financial institutions in Mexico are being targeted in spear-phishing attacks in a newly discovered campaign that propagates a modified version of an open-source remote access trojan dubbed AllaKore RAT. The activity has been linked to an unknown Latin America-based threat actor, and the campaign has been active since at least 2021.

The lures used in the campaign utilize Mexican Social Security Institute (IMSS) naming schemes to link to legitimate documents during the installation. The AllaKore RAT payload is highly modified and allows the threat actors to exfiltrate stolen banking credentials and authentication information that is unique to each user to a command-and-control (C2) server to commit financial fraud.

The attackers seem to specifically target large companies with gross revenue of more than $100 million. The main industries targeted by the campaign include agriculture, retail, manufacturing, public, commercial services, transportation, capital goods, and banking sectors. The initial access is gained by using phishing or a drive-by compromise in which a ZIP file is delivered, containing an MSI installer file that drops a .NET downloader. The downloader is responsible for confirming the Mexican geolocation of the victim and fetching the AllaKore RAT malware.

AllaKore RAT is a Delphi-based RAT that was first discovered in 2015. It is a somewhat basic malware with the capability to screen capture, keylog, upload and download files, and gain remote control access to the victim’s system. Some of the new functions added to the modified version of the malware include support for commands that are related to banking frauds, launching a reverse shell, targeting Mexican banks and crypto platforms, stealing clipboard content, and retrieving additional payloads to execute them.

The reason why the researchers have attributed the threat actor to Latin America is due to the use of Mexico Starlink IPs leveraged in the campaign and also the addition of Spanish instructions to the modified AllaKore Rat payload. The lures used only work for companies that are big enough to be able to report directly to the IMSS department. The attackers have been persistently targeting Mexican entities and are financially motivated. This malicious activity has been going on for more than two years with no signs of stopping.

The development comes as three vulnerabilities were identified in the Lamassu Douru bitcoin ATMs that could allow a threat actor with physical addresses to take full control of the devices and steal crypto assets. It is made possible by exploiting the ATM’s software update mechanism and the device’s ability to read QR codes to deliver their malicious file and execute arbitrary code. A patch for these flaws was released in October 2023.

Impact

• Financial Loss
• Cryptocurrency Theft
• Sensitive Information Theft
• Unauthorized Access

Indicators of Compromise

Domain Name

• flapawer.com
• hhplaytom.com
• trapajina.com
• narujiapo.com
• isepome.com
• dulcebuelos.com

MD5

• 33cc3be935639f1e0d1d7483b8286d7c
• 32eb51c3a9c2a739e60ba6c9a73185fc
• 24a1485023dce1b6422d093dcd4bfdb8
• b16fde92c6eb3a58e228cae1b459e6b4
• 117a5e4c3370b56b638d9af3b4c23820
• 40b8c273e7f0da1fc70a6e4a3b7457c2
• 268e379815ef41c484278d95d1107aa8
• 58b732443687da9d78a35164e2a416d5
• 2a49d542949b12223e3867bc3f75c4c6
• f9a76ad6130e01eace2b696d2e643cc7
• 6338f09a4eb3265a29e22f7a94d288ce
• a7bcc8bb2a4b0ef958547bc2c3e5b7d8
• ea31d12f66025811d7fd4a383dc0dff6
• 66448930a0c71a4f51d7d0447abf1286
• 76ffe0132372b596c95ab95e92793ee5

SHA-256

• 94489764825f620e777a34161d0ce506a49eec20bc27c3d63370e493a737d50e
• 884789b63fe432938e1bb76c9976976c1905b74c2974340a60eb7ea8261d48fb
• b18e0c7c9569b33187e2beaf3318e99b50ed40c54e7dee8a26ce711bc782b150
• 4085c9829e2b18fd4721688dc25c0611f260b6e4f827b667999d9603cfe5e2d7
• 66f5b7ca8760fb017b0750441707c24eaa916d5b8aa021b3aa92082c6129ca22
• 4524d47ca7b7d71764f12807fd3722e4b890388eb2f5bf975d58c6afd0221fb3
• 8e2fc9de5da07a6cf6cfeb3349185e282cec5eed944cb66873136bd697389516
• 2f9f289224482204b0f3bb4f0af8fe99f235daea99fe435cbc53dcbb9bc22bb0
• 434ec6d3575f72e680a8bf9211b3a853d80457644ff01d7acc41657b9bfdca24
• eee76b24be7121434ec7ad1ca39792cbfec594916f8e143fad18698955ba0870
• 13d88bcf312896fae6d03d59c564bc9521e0916096098cfe41508395955aab0e
• 168ac972b7f0610f978e50b426e39938f889422b1bcfaf9cddf518e3e1ed9aa9
• 2ff3cdb886b1caf3eaad9a2467bfa16b9269b88695b76bb6a0da481458e30aa3
• 305cde85573131949fab5a3973525a886962c4f8c02558d3a215689a49f53406
• 33578228c11ad0b3d86a198a32b602aa93a91d2feeae2fb2e83f8c6595c8acd9

SHA-1

• f3daf7cbe67fb84fea0ee5922df8a32324760161
• a319f6bef0d9dba1df223a9cdd3eade0745223a4
• fe70071891987983c425760c378e1a7e18cf4cfc
• dffb5d745fd8d71c3ec102b7de5109c867bf22ea
• bd1570bb8aafc76184e6e26d6ccb792f7e23900e
• 2147682b4e2c736c2f61ee6d648c02273f11d8bc
• 429b8a555da938a2882054c0584cdbde00062b95
• 07382c25f62ab1d34d17441676b315a56ac1b040
• 315fbd4eba99f9ff022614f75d723555138bf7cd
• 2a7f6054f7aecc9969b96f6606529612f339490f
• d766c9e71a09f7ee5c2d804f4100239de76abd7d
• 80ae0951f12e444108be90aace26f7adacff4551
• 82af2c19116e5509c69b8b41510dd327104e31cd
• b6133dc6c5d0fd401643c88cb689859fe55fa592
• 046fde2fcc272177f8fb9c587e638271c935ac26

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.
• Conduct regular security awareness training for employees to educate them about the dangers of phishing attacks, social engineering, and how to identify suspicious messages or lures.
• Enforce the use of MFA for all user accounts to add an extra layer of protection against unauthorized access.
• Implement robust conditional access policies that restrict access to specific resources based on the user’s location, device, and other factors.
• Deploy advanced email and web gateway security solutions that can detect and block phishing emails and malicious websites.
• Monitor domain registrations and enforce security policies to prevent the use of unauthorized domains associated with the organization’s brand.