- Blackberry’s research division detected a financially motivated attacker targeting high-net-worth Mexican banks and cryptocurrency exchanges, with an anticipated theft exceeding $100 million.
- The attackers are based in Latin America, using the AllaKore RAT to compromise confidential data from banks and crypto exchanges.
A financially motivated attacker was detected, and a warning issued, by the research and intelligence division of Blackberry, a tech company that once dominated the mobile industry. The attacker was targeting many high-net-worth Mexican banks and cryptocurrency exchanges. Based on the observed threat pattern, the attackers may aim to steal more than $100 million in gross revenue.
Who are the targets?
The targeting, according to Blackberry’s analysis, was not specific to any industry, and the attackers were primarily interested in major businesses – many of which had annual gross revenues of over $100 million. Blackberry further tracked targeted companies in the retail, agriculture, manufacturing, transportation, public sector, commercial services, capital goods, and banking sectors. Every lure has made use of reputable and trusted Mexican government resources, such as the payment mechanism operated by the Social Security Institute in Mexico.
Blackberry discovered that an open-source remote access tool called AllaKore RAT was being used to steal confidential user data from banks and cryptocurrency trading firms. By hiding behind legitimate-looking file names and links, the threat frequently evades employees’ suspicion and gets the program installed on company-run systems and databases.
The majority of the attacks were traced back to IP addresses owned by Mexico Starlink. Blackberry also concluded that the threat actor is headquartered in Latin America, because the modified RAT payload uses instructions written in Spanish.
This threat actor has been targeting Mexican companies since at least late 2021. A Mexico-focused threat actor known as FIN13 was the subject of an investigation report published in December 2021 by the American cybersecurity company Mandiant. According to the research, only two threat actors targeted a single nation over an extended period of time. Out of the organizations mentioned, just 14 remain financially motivated after more than a year. This threat actor stands out by specifically focusing on particular regions and demonstrating persistence in its actions.
What is AllaKore RAT?
AllaKore RAT is a simple, open-source remote access tool. It was initially noticed in 2015, and in May 2023, the threat group SideCopy employed it to penetrate companies in a particular region. AllaKore is incredibly powerful; it can upload and download files, keylog, grab screen captures, and even take remote control of the victim’s computer.
The installation procedure for the most recent versions of AllaKore RAT is more involved; the program is sent to the targets in the form of a Microsoft Software Installer (MSI) file. The malware doesn’t start working until it has verified that the victim is in Mexico.
Blackberry’s report explained: “The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”
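Two details in the paragraphs above matter for defenders: the payload arrives as an MSI installer, and it only misbehaves once it confirms the victim is in Mexico, so a sandbox detonated elsewhere may show nothing. That makes endpoint telemetry the more reliable place to look. The script below is an added example, not code from the report or from Blackberry; it runs a simple correlation over constructed Sysmon-style events (event ID 1 for process creation, event ID 3 for network connections) and flags any process spawned by msiexec.exe that makes an outbound connection to a non-internal address shortly after it starts. The event field names, the sample log lines, the IP addresses and the ten-minute window are all assumptions made for the example.

```python
import ipaddress
import json
from datetime import datetime

# Constructed Sysmon-style events as JSON lines. These are made up for the
# example and are not taken from the Blackberry report.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 1, "UtcTime": "2024-01-15 10:00:00", "ProcessGuid": "{A}",
                "Image": r"C:\Users\ana\AppData\Local\Temp\helper.exe",
                "ParentImage": r"C:\Windows\System32\msiexec.exe"}),
    json.dumps({"EventID": 1, "UtcTime": "2024-01-15 10:00:05", "ProcessGuid": "{B}",
                "Image": r"C:\Program Files\Vendor\setup-helper.exe",
                "ParentImage": r"C:\Windows\System32\msiexec.exe"}),
    json.dumps({"EventID": 1, "UtcTime": "2024-01-15 10:00:10", "ProcessGuid": "{C}",
                "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "ParentImage": r"C:\Windows\explorer.exe"}),
    # {A} was spawned by msiexec and reaches out to an external address: suspicious.
    json.dumps({"EventID": 3, "UtcTime": "2024-01-15 10:00:30", "ProcessGuid": "{A}",
                "DestinationIp": "203.0.113.45", "DestinationPort": 443}),
    # {B} was spawned by msiexec but only talks to an internal file server: benign here.
    json.dumps({"EventID": 3, "UtcTime": "2024-01-15 10:00:40", "ProcessGuid": "{B}",
                "DestinationIp": "192.168.10.20", "DestinationPort": 445}),
    # {C} is a browser started by explorer: external traffic is expected.
    json.dumps({"EventID": 3, "UtcTime": "2024-01-15 10:00:50", "ProcessGuid": "{C}",
                "DestinationIp": "198.51.100.7", "DestinationPort": 443}),
])

# Address ranges treated as "internal"; connections to these are not flagged.
# Assumed for the example; adjust to the environment being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """True if the destination falls in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_msi_children_with_external_connections(events: list, window_seconds: int = 600) -> list:
    """Correlate process-create and network events.

    Returns one finding per network connection made by a child of msiexec.exe
    to a non-internal address within `window_seconds` of the child starting.
    """
    spawned = {}  # ProcessGuid -> (image path, start time)
    for e in events:
        if e["EventID"] == 1 and e["ParentImage"].lower().endswith(r"\msiexec.exe"):
            spawned[e["ProcessGuid"]] = (e["Image"], parse_time(e["UtcTime"]))

    findings = []
    for e in events:
        if e["EventID"] != 3 or e["ProcessGuid"] not in spawned:
            continue
        if is_internal(e["DestinationIp"]):
            continue
        image, started = spawned[e["ProcessGuid"]]
        delta = (parse_time(e["UtcTime"]) - started).total_seconds()
        if 0 <= delta <= window_seconds:
            findings.append({
                "image": image,
                "destination": e["DestinationIp"],
                "port": e["DestinationPort"],
                "seconds_after_start": delta,
            })
    return findings


if __name__ == "__main__":
    for f in find_msi_children_with_external_connections(parse_events(SAMPLE_EVENTS)):
        print(f"MSI-spawned process {f['image']} connected to "
              f"{f['destination']}:{f['port']} {f['seconds_after_start']:.0f}s after start")
```

The heuristic deliberately stays narrow: legitimate installers do spawn helpers that phone home, so in practice the output is a triage queue rather than an alert, and the internal ranges and time window should be tuned to the environment. Because the geofence means the payload may stay dormant outside Mexico, this kind of host-side correlation catches the behaviour where it actually happens instead of relying on a detonation that never triggers.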