Mexican financial institutions are being targeted by a new spear-phishing campaign that spreads a modified version of 'AllaKore RAT', an open-source remote access trojan.
The activity was attributed by the BlackBerry Research and Intelligence Team to an unidentified financially motivated threat actor operating in Latin America.
The attacks are specifically intended to target big businesses with annual sales of more than $100 million.
The attack begins with a ZIP file that is either distributed through phishing emails or delivered by drive-by compromise.
The archive contains an MSI installer that launches a .NET downloader; the downloader verifies that the victim is geolocated in Mexico before retrieving the modified AllaKore RAT, a Delphi-based RAT first discovered in 2015.
The actor's modifications add support for operator commands related to banking fraud (targeting banks and cryptocurrency trading platforms), launching a reverse shell, extracting clipboard contents, and fetching and executing additional payloads.
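As an added example (not code from the BlackBerry report or from this page), the following Python script performs a static triage of the delivery stage described above: it opens a ZIP attachment and flags members that are OLE compound files (the container format MSI packages use) or PE executables by their leading bytes rather than their file name, recursing into nested archives. The sample archive it builds is constructed for the demonstration only; the member names, including the "Reporte_IMSS" lure name, are invented and are not real campaign artifacts.

```python
"""Static triage of a ZIP lure: flag MSI installers and executables by content, not by name."""
import io
import zipfile

# OLE2 compound file header. MSI packages use this container, but so do
# legacy Office documents (.doc/.xls), so a hit means "MSI or legacy Office".
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
MZ_MAGIC = b"MZ"
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)

# Extensions under which OLE content is expected; anything else is a content/name mismatch.
OLE_EXTENSIONS = {"msi", "doc", "xls", "ppt", "msg"}


def classify_bytes(data: bytes) -> str:
    """Identify a member by its magic bytes, ignoring its file name entirely."""
    if data.startswith(OLE_MAGIC):
        return "ole-compound"   # MSI package or legacy Office document
    if data.startswith(MZ_MAGIC):
        return "pe-executable"
    if data.startswith(ZIP_MAGIC):
        return "zip-archive"
    return "other"


def triage_zip(blob: bytes, path: str = "", depth: int = 0, max_depth: int = 2) -> list:
    """Walk a ZIP (recursing into nested ZIPs up to max_depth) and return members worth a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = f"{path}/{info.filename}" if path else info.filename
            # file_size is attacker-declared, but zipfile enforces it on inflate, so it is a usable guard.
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"member": full, "kind": "oversized",
                                 "reason": "declared size exceeds limit, not inflated"})
                continue
            data = zf.read(info)
            kind = classify_bytes(data)
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            if kind == "zip-archive" and depth < max_depth:
                findings.extend(triage_zip(data, full, depth + 1, max_depth))
            elif kind == "ole-compound":
                reason = "OLE compound file (MSI package or legacy Office document) in attachment"
                if ext not in OLE_EXTENSIONS:
                    reason += f"; extension .{ext or '(none)'} does not match content"
                findings.append({"member": full, "kind": kind, "reason": reason})
            elif kind == "pe-executable":
                findings.append({"member": full, "kind": kind,
                                 "reason": "Windows executable in attachment"})
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample, not a real campaign artifact: a ZIP carrying a fake MSI
    (just the OLE header plus padding), a benign text note, and a nested ZIP whose
    member claims to be a PDF but starts with the OLE header. Names are invented."""
    fake_msi = OLE_MAGIC + b"\x00" * 64
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("factura.pdf", fake_msi)          # OLE content hiding behind a .pdf name
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Reporte_IMSS.msi", fake_msi)     # the installer stage
        z.writestr("leeme.txt", "Adjunto el reporte.\n")
        z.writestr("anexos.zip", inner.getvalue())   # nested archive
    return outer.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_lure()):
        print(f"{f['kind']:14} {f['member']:28} {f['reason']}")
```

Because the check keys on magic bytes, renaming the installer to `.pdf` or burying it one archive deeper does not hide it; the nested-archive depth limit and the per-member size cap keep the script from being turned into a decompression bomb target by the same attacker.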
The campaign's use of Mexican Starlink IP addresses and the Spanish-language instructions inserted into the modified RAT payload tie the threat actor to Latin America.
The lures are only effective against businesses large enough to report directly to the Mexican Social Security Institute (IMSS).
The research coincides with a report by IOActive disclosing three vulnerabilities in Lamassu Douro bitcoin ATMs that could let an attacker with physical access take complete control of the machines and steal user data.
This Cyber News was published on www.cysecurity.news. Publication date: Sun, 28 Jan 2024 16:58:04 +0000