BlackBerry’s research and intelligence division warned about a financially motivated cyberattack targeting high-net-worth Mexican cryptocurrency exchanges, banks, and large companies with over $100 million in gross revenues.
The attackers have been traced back to Mexico and are believed to be based in Latin America.
Sophisticated attack methodology
BlackBerry’s report highlights the threat actors’ use of an open-source remote access tool called AllaKore RAT. The tool has been heavily modified to enable the theft of sensitive user information, including banking credentials and unique authentication data.
The stolen information is transmitted to a command-and-control (C2) server, facilitating financial fraud.
One of the notable characteristics of this cyberattack is its method of infiltration. The attackers aim to install the AllaKore RAT on company-run computers and databases, often concealing their actions behind legitimate-looking naming schemes and links.
This method has allowed them to evade employees’ suspicion, making the threat challenging to detect.
The scope of this cyber threat extends beyond the financial sector. While cryptocurrency exchanges and banks have been the primary targets, large Mexican corporations from various business verticals have also fallen victim to these attacks.
These sectors include retail, agriculture, public sector, manufacturing, transportation, commercial services, and capital goods.
Mexican large companies on the radar
The attackers prefer large companies with gross revenues exceeding $100 million. Such companies report directly to the Mexican Social Security Institute (IMSS), making them attractive targets.
The cybercriminals have been observed using Mexican Starlink IP addresses, further confirming their focus on Mexican entities.
As the attackers refine their tactics, newer iterations of the AllaKore RAT employ a more complex installation process. The malware is delivered to the target organizations within a Microsoft Software Installer (MSI) file.
The malware executes only after confirming that the victim is located in Mexico, indicating a high degree of sophistication in their approach.
Latin American connection
Spanish-language instructions within the modified RAT payload suggest that the threat actor responsible for these attacks is based in Latin America. This regional connection adds more complexity to the investigation and underscores the need for international cooperation in addressing this cyber threat.
Given the evolving nature of this cyber threat, it is crucial for organizations, especially those in the targeted sectors, to take proactive measures to protect their systems and data.
These measures may include enhancing cybersecurity protocols, implementing robust intrusion detection systems, and providing cybersecurity training to employees to help them recognize potential threats.
Addressing this cyber threat requires collaborative efforts from both private and public sectors. Companies affected by these attacks should work closely with law enforcement agencies and cybersecurity experts to investigate and mitigate the damage.
Additionally, sharing threat intelligence and best practices within the business community can help fortify defenses against future attacks.