There is a group of cyber actors that has targeted Mexican banking apps and crypto trading exchanges and is active in the wild right now. Not sure why Mexico and Latin American countries (Lat-Am), but they are financially motivated and target companies with gross revenues over $100M. They lure their victims with the IDSE software update document:
guia_de_soluciones_idse.pdf
and
IMSS payment system SIPARE
The infection process initiates with a ZIP file, which is disseminated through either phishing or a drive-by compromise. Inside this ZIP file is an MSI installer that deploys a .NET downloader. This downloader is responsible for verifying the victim's geographical location in Mexico.
![](https://ip.bitcointalk.org/?u=https%3A%2F%2Fwww.talkimg.com%2Fimages%2F2024%2F01%2F30%2Fk751d.png&t=663&c=KdtbZwAtyRisaw)
And once you extract and execute these files you will be instructed to:
![](https://ip.bitcointalk.org/?u=https%3A%2F%2Fwww.talkimg.com%2Fimages%2F2024%2F01%2F30%2Fk77W5.png&t=663&c=RouDhf5ZseRHiw)
1.- EXTRACT THE CONTENT OF THE INSTALARPLUGINSIPARE.ZIP FILE
2.- RUN THE FILE CALLED "INSTALARPLUGIN"
3.- WHEN YOU FINISH THE INSTALLATION YOU WILL BE ABLE TO LOG IN NORMALLY
It checks ipinfo[.]io for a geolocation in Mexico; if MX is not in the response string, the downloader aborts itself.
![](https://ip.bitcointalk.org/?u=https%3A%2F%2Fwww.talkimg.com%2Fimages%2F2024%2F01%2F30%2Fk7BQz.png&t=663&c=s-Odl2Xc1n7ptg)
This is just a warning to our Mexican members or those who are in Latin America. I know that there are a lot of respected members here and maybe they can share this.
https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat
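As an added example (not from the post above or the BlackBerry write-up it links), a small Python triage function over constructed endpoint telemetry that flags the chain the post describes: a process spawned by the MSI installer (msiexec.exe) that then contacts ipinfo.io for the geolocation check. The event field names, process names and sample rows are assumptions.

```python
"""Triage helper for the infection chain described in the post:
ZIP -> MSI installer -> .NET downloader that queries ipinfo.io to confirm
the victim is in Mexico (MX). The events below are constructed samples
imitating generic endpoint telemetry; field names are assumptions."""

IPINFO_HOST = "ipinfo.io"
INSTALLER_PARENTS = {"msiexec.exe"}

# Constructed sample telemetry (not real logs): process-creation and
# network events, linked by "pid". "updater.exe" is a placeholder name
# for the .NET downloader, which the post does not name.
EVENTS = [
    {"type": "process", "pid": 410, "image": "msiexec.exe", "parent": "explorer.exe"},
    {"type": "process", "pid": 512, "image": "updater.exe", "parent": "msiexec.exe"},
    {"type": "network", "pid": 512, "dest_host": "ipinfo.io", "uri": "/json"},
    {"type": "process", "pid": 600, "image": "chrome.exe", "parent": "explorer.exe"},
    {"type": "network", "pid": 600, "dest_host": "ipinfo.io", "uri": "/json"},
    {"type": "process", "pid": 700, "image": "setup.exe", "parent": "msiexec.exe"},
    {"type": "network", "pid": 700, "dest_host": "update.example.test", "uri": "/v1"},
]


def flag_installer_geo_checks(events):
    """Return sorted pids of processes spawned by an MSI installer that
    contacted ipinfo.io. A browser doing the same lookup (pid 600) is not
    flagged, nor is an installer child that never geolocates (pid 700)."""
    spawned_by_installer = {
        e["pid"] for e in events
        if e["type"] == "process" and e["parent"].lower() in INSTALLER_PARENTS
    }
    return sorted(
        e["pid"] for e in events
        if e["type"] == "network"
        and e["dest_host"].lower() == IPINFO_HOST
        and e["pid"] in spawned_by_installer
    )


if __name__ == "__main__":
    print(flag_installer_geo_checks(EVENTS))  # [512]
```

The MX-only gate means the downloader is quiet outside Mexico, so the ipinfo.io lookup from an installer child is the observable step worth alerting on regardless of where the host sits.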