AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks

January 27, 2024 at 02:48AM

A spear-phishing campaign targeting Mexican financial institutions has been attributed to an unknown Latin American-based threat actor. The campaign, active since 2021, uses AllaKore RAT to steal banking credentials and authentication information for financial fraud. Large companies with revenues over $100 million are particularly targeted. The report also covers the modifications made to the malware for banking fraud and separately describes vulnerabilities in Lamassu Douro bitcoin ATMs.

The report provides a detailed overview of a spear-phishing campaign targeting Mexican financial institutions using a modified version of the AllaKore RAT. The campaign, attributed to an unknown Latin American-based, financially motivated threat actor, has been active since at least 2021 and targets large companies with gross revenues over $100 million across various sectors. The infection chain starts with a ZIP file distributed via phishing or a drive-by compromise; the archive contains an MSI installer that drops a .NET downloader, which in turn retrieves the altered AllaKore RAT. The threat actor’s links to Latin America are evidenced by the use of Mexico Starlink IPs and the addition of Spanish-language instructions to the modified RAT payload. Additionally, the report highlights vulnerabilities in Lamassu Douro bitcoin ATMs that could allow an attacker to take control of the devices and steal user assets by exploiting the software update mechanism and the device’s ability to read QR codes. These issues were addressed by the Swiss company in October 2023.
