There is a group of cyber actors that has targeted Mexican banking apps and crypto trading exchanges and is active in the wild right now. Not sure why Mexico and Latin-American countries (Lat-Am), but they are financially motivated and target companies with gross revenues over $100M. They lure their victims with an IDSE software update document:
guia_de_soluciones_idse.pdf
and the
IMSS payment system SIPARE
The infection process initiates with a ZIP file, which is disseminated through either phishing or a drive-by compromise. Inside this ZIP file is an MSI installer that deploys a .NET downloader. This downloader is responsible for verifying the victim's geographical location in Mexico.
Once you extract and execute these files, you are instructed to:
1.- EXTRACT THE CONTENT OF THE INSTALARPLUGINSIPARE.ZIP FILE
2.- RUN THE FILE CALLED "INSTALARPLUGIN"
3.- WHEN YOU FINISH THE INSTALLATION YOU WILL BE ABLE TO LOG IN NORMALLY
It checks ipinfo[.]io for a geolocation in Mexico; if MX is not in the response string, the downloader aborts.
This is just a warning to our Mexican members or those who are in Latin America. I know that there are a lot of respected members here and maybe they can share this.
https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat