AllaKore RAT

A spear-phishing campaign is targeting Mexican financial institutions, employing a modified variant of the AllaKore RAT, an open-source Remote Access Trojan. The campaign is linked to an unidentified financially motivated threat actor based in Latin America. This threatening activity has been ongoing since at least 2021. The phishing tactics involve utilizing naming conventions associated with the Mexican Social Security Institute (IMSS) and providing links to seemingly legitimate documents during the installation phase. The AllaKore RAT payload used in the attack operation has undergone substantial modifications, enabling threat actors to transmit pilfered banking credentials and unique authentication details to a Command-and-Control (C2) server, facilitating financial fraud.

Cybercriminals Target Large Corporations with the AllaKore RAT

The attacks seem to specifically focus on large corporations with annual revenues exceeding $100 million. The targeted entities span various sectors, including retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods and banking.

The infection occurs with a ZIP file distributed through phishing or a drive-by compromise. This ZIP file contains an MSI installer responsible for deploying a .NET downloader. The downloader's primary tasks include confirming the victim's Mexican geolocation and fetching the modified AllaKore RAT. The AllaKore RAT, initially identified in 2015 as a Delphi-based RAT, may appear somewhat basic but possesses potent capabilities such as keylogging, screen capturing, file upload/download, and even remote control of the affected system.

The AllaKore RAT Has been Equipped with Additional Threatening Features

The threat actor has enhanced the malware with new functionalities primarily focused on banking fraud, specifically targeting Mexican banks and crypto trading platforms. The added features include the ability to initiate commands for launching a reverse shell, extracting clipboard content, and fetching, as well as executing additional payloads.

The threat actor's connection to Latin America is evident through the utilization of Mexico Starlink IPs in the campaign. Additionally, the modified RAT payload includes Spanish-language instructions. Notably, the phishing lures are tailored to companies of significant size that directly report to the Mexican Social Security Institute (IMSS) department.

This persistent threat actor has been consistently directing its efforts toward Mexican entities with the intention of financial exploitation. The harmful activity has endured for more than two years, displaying no indications of cessation.

RAT Threats may Lead to Severe Consequences for Victims

Remote Access Trojans (RATs) pose significant dangers as they provide unauthorized access and control over a victim's computer or network to malicious actors. Here are some key dangers associated with RAT threats:

• Unauthorized Access and Control: RATs allow attackers to gain remote control of a compromised system. This level of access enables them to execute commands, manipulate files, install and uninstall software, and essentially control the victim's computer as if they were physically present.
•  Data Theft and Espionage: RATs are commonly utilized to collect private information, such as login credentials, financial data, personal information and intellectual property. Attackers can silently monitor user activities, capture keystrokes, and access files, leading to potential data breaches and corporate espionage.
•  Surveillance and Privacy Invasion: Once a RAT is deployed, attackers can activate the victim's webcam and microphone without their knowledge, leading to unauthorized surveillance. This breach of privacy can have meaningful consequences for individuals and organizations.
•  Propagation and Lateral Movement: RATs often have the ability to self-replicate and spread within a network, allowing attackers to move laterally through an organization's infrastructure. This can result in the compromise of multiple systems and the escalation of the overall security threat.
•  Financial Loss and Fraud: RATs with capabilities for banking fraud can target financial institutions and users, leading to unauthorized transactions, fund theft, and other financial losses. Crypto trading platforms are also vulnerable targets for attackers seeking financial gains.
•  Disruption of Services: Attackers may use RATs to disrupt services by modifying or deleting critical files, altering system configurations, or launching denial-of-service attacks. This can lead to downtime, financial losses, and damage to an organization's reputation.
•  Persistence and Difficulty of Detection: RATs are designed to maintain persistence on compromised systems, making them challenging to detect and remove. They may use various evasion techniques to bypass security measures, making it difficult for traditional antivirus solutions to identify and mitigate the threat.
•  Geopolitical and Corporate Espionage: State-sponsored actors and corporate espionage groups may use RATs for strategic purposes to obtain access to sensitive information, intellectual property, or classified data. This can have far-reaching results for national security and the affected organizations.

To mitigate the risks associated with RAT threats, organizations and individuals should employ robust cybersecurity measures, including regular security audits, network monitoring, endpoint protection, and user awareness training to recognize and avoid phishing attacks.