Bitcoin Forum
Author Topic: [Warning] AllaKore RAT Targets Mexican Banks and Cryptocurrency Platforms  (Read 85 times)
Jating (OP)
Hero Member
Activity: 2912
Merit: 808


January 30, 2024, 10:32:20 AM
Merited by DdmrDdmr (4), hugeblack (2), Yaunfitda (1)
 #1

There is a group of cyber actors that has targeted Mexican banking apps and crypto trading exchanges and is active in the wild right now. Not sure why Mexico and Latin American countries (Lat-Am), but they are financially motivated and targeting companies with gross revenues over $100M. They lure their victims with the IDSE software update document:

Code:
guia_de_soluciones_idse.pdf
and

Code:
IMSS payment system SIPARE

The infection process initiates with a ZIP file, which is disseminated through either phishing or a drive-by compromise. Inside this ZIP file is an MSI installer that deploys a .NET downloader. This downloader is responsible for verifying the victim's geographical location in Mexico.

And once you extract and execute these files, you will be instructed to:

1.- EXTRACT THE CONTENT OF THE INSTALARPLUGINSIPARE.ZIP FILE
2.- RUN THE FILE CALLED "INSTALARPLUGIN"
3.- WHEN YOU FINISH THE INSTALLATION YOU WILL BE ABLE TO LOG IN NORMALLY

It checks ipinfo[.]io for a geolocation in Mexico; if MX is not in the response string, the downloader aborts itself.

This is just a warning to our Mexican members or those who are in Latin America. I know that there are a lot of respected members here and maybe they can share this.

https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat
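Two defender-side triage checks that follow the infection chain described in the post above, as an added example (not code from this thread or from the BlackBerry report): the first inspects a ZIP archive for an MSI installer and the lure names quoted in the post, the second scans log lines for the ipinfo.io geolocation lookup the downloader performs. The file names guia_de_soluciones_idse.pdf, InstalarPluginSIPARE and InstalarPlugin and the host ipinfo.io come from the post; the log format, host and process names, the assumption that the downloader runs as a child of msiexec.exe, and the sample ZIP contents are all constructed for the example.

```python
# Added example, not code from the forum post or the report it links to.
# Names taken from the thread: guia_de_soluciones_idse.pdf, InstalarPluginSIPARE,
# "InstalarPlugin", and the ipinfo.io geofence lookup. Everything else
# (log format, host names, process names, parent-process assumption) is constructed.
import io
import re
import zipfile

# Lure file names the post mentions (lower-cased; with or without extension)
LURE_NAMES = {"guia_de_soluciones_idse", "guia_de_soluciones_idse.pdf",
              "instalarplugin", "instalarpluginsipare"}
# Geolocation service the downloader queries, per the post
GEOFENCE_HOSTS = {"ipinfo.io"}


def archive_triage(zip_bytes: bytes) -> dict:
    """Inspect a ZIP in memory: list MSI installers and lure-named members.

    A ZIP that arrives by e-mail carrying an MSI installer is worth a second
    look on its own; one of the known lure names makes it suspicious as well.
    """
    findings = {"msi_members": [], "lure_members": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            stem = basename.rsplit(".", 1)[0]
            if basename.endswith(".msi"):
                findings["msi_members"].append(info.filename)
            if basename in LURE_NAMES or stem in LURE_NAMES:
                findings["lure_members"].append(info.filename)
    findings["suspicious"] = bool(findings["msi_members"] or findings["lure_members"])
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive shaped like the lure the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("InstalarPluginSIPARE/InstalarPlugin.msi", b"placeholder, not a real installer")
        zf.writestr("InstalarPluginSIPARE/guia_de_soluciones_idse.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


# Constructed proxy/EDR-style log format; an assumption made for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) parent=(?P<parent>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)

SAMPLE_LOG = """\
2024-01-30T10:31:05Z host=ws-fin-07 proc=chrome.exe parent=explorer.exe dst=www.example.com path=/
2024-01-30T10:32:20Z host=ws-fin-07 proc=msiexec.exe parent=explorer.exe dst=cdn.example.net path=/pkg
2024-01-30T10:32:41Z host=ws-fin-07 proc=Update.exe parent=msiexec.exe dst=ipinfo.io path=/json
2024-01-30T10:40:00Z host=ws-hr-02 proc=curl.exe parent=powershell.exe dst=ipinfo.io path=/ip
"""


def flag_geofence_lookups(log_text: str) -> list:
    """Return ipinfo.io lookups, rated high when the caller was spawned by an installer.

    The downloader in the post is dropped by an MSI and aborts unless ipinfo.io
    reports MX. Assumption: it runs as a child of msiexec.exe, so a geolocation
    lookup with that parent is the signal to alert on. Other lookups are kept at
    low severity for context, since admin scripts query the same service.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        rec = m.groupdict()
        if rec["dst"].lower() not in GEOFENCE_HOSTS:
            continue
        rec["severity"] = "high" if rec["parent"].lower() == "msiexec.exe" else "low"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    print(archive_triage(build_sample_zip()))
    for hit in flag_geofence_lookups(SAMPLE_LOG):
        print(hit["severity"], hit["host"], hit["proc"], "->", hit["dst"] + hit["path"])
```

The archive check is static and cheap enough to run on every ZIP attachment at the mail gateway; the log check keys on the parent process rather than on ipinfo.io alone, because the lookup itself is common and only the installer lineage matches the chain in the post.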
Yaunfitda
Hero Member
Activity: 2842
Merit: 575



January 30, 2024, 12:13:26 PM
Merited by Jating (1)
 #2

I'm not Mexican, but this is scary indeed, as these criminals are targeting big companies, not just banks, as per the report. Obviously, these groups are financially motivated and most likely they have success, and that's why they continue to evolve, and you might be right that they will go and target other Latin Americans with just a few modifications of the code itself. So the best weapon against this kind of attack is to just really ignore those kinds of messages, especially those with attachments that seem to be legitimate, as they could really be ones coming from these criminal groups.

Bitcoin_Arena
Copper Member
Legendary
Activity: 2030
Merit: 1787


January 30, 2024, 11:43:22 PM
Merited by Jating (1)
 #3

I don't know about IDSE software, but is it like some random pop-up that asks for an update, or does the victim, out of curiosity, just download the malware from some non-reputable source?
As usual, Microsoft/Windows seems to be the soft target for hackers.

If anyone is to deal with financial apps and money, operating systems like Linux should be a top priority for them. The problem is that traditional banking services don't even know what the hell Linux is, and they have no support when it comes to apps.

lovesmayfamilis
Legendary
Activity: 2086
Merit: 4284


January 31, 2024, 11:37:26 AM
 #4

One can also say that many corporate networks still use Windows 7, not trying to replace them with Linux, but not updating them to the latest release either.
Administrators must be attentive, since the e-system IDS is precisely aimed at the timely detection of intrusions.
AllaKore RAT has been causing harm for more than two years; as they say, it was previously used in India. But at this time, attacks have become more targeted, and they are looking for companies with a fairly large income level, which once again confirms the idea that it is necessary to monitor strictly what system the server is installed on and how easy it is to access.

Fiatless
Hero Member
Activity: 546
Merit: 519



February 01, 2024, 08:51:19 AM
 #5

Quote from: Jating on January 30, 2024, 10:32:20 AM
This is just a warning to our Mexican members or those who are in Latin America. I know that there are a lot of respected members here and maybe they can share this.

Although it was reported by the article OP quoted that these attackers are mostly interested in big organisations worth over USD 100M, it is still a wake-up call for everyone, not just people who reside in Mexico and Latin America. Most of these attackers have a wide-ranging network that operates globally, and they can also target individuals and smaller organisations in the future.

It is scary that such an attack has lasted for over two years now and there seems to be no end to these attacks. Big organisations need to invest more funds in cybersecurity, because attacks will cost them more in losses. The only reason why these attacks keep recurring is that these organisations have not sought the services of renowned cybersecurity companies. Maybe they could get a good cybersecurity expert from this forum :D

ImThour
Copper Member
Legendary
Activity: 1400
Merit: 1512


February 01, 2024, 01:46:04 PM
 #6

Seems like a pretty intelligent group of hackers. I mean, if they are not able to make millions out of it, it will all be a waste. For the users who are affected by this, it's pretty sad, and I am sure you might be able to get some help if it was your bank; however, in crypto, once it's gone, you can never recover it. That's how it is. Once a transaction is made and it receives confirmation, it's not reversible. Stay safe!