Greedy Sponge Hacking Group
Mexican organizations continue to face cyberattacks from a financially motivated group known as Greedy Sponge, which is leveraging modified variants of AllaKore RAT and SystemBC. Active since early 2021, this campaign is indiscriminate in its choice of targets, impacting industries ranging from retail, agriculture, and entertainment to manufacturing, transportation, public services, capital goods, and banking.
AllaKore RAT: A Tool for Financial Fraud
The core payload, AllaKore RAT, has been extensively altered to capture sensitive financial data. The malware is programmed to exfiltrate banking credentials and unique authentication details to a Command-and-Control (C2) server, enabling large-scale financial fraud. Reports of this campaign first surfaced in January 2024, revealing that the attackers rely on phishing and drive-by compromises to spread malicious ZIP archives designed to deploy AllaKore RAT.
Researchers have observed that AllaKore RAT is often used to deliver SystemBC, a C-based malware that converts compromised Windows machines into SOCKS5 proxies, providing the attackers with a secure communication tunnel to their C2 infrastructure.
Refined Tradecraft and Geofencing Tactics
Greedy Sponge has been evolving its tactics. By mid-2024, the group introduced enhanced geofencing techniques aimed at thwarting external analysis. Previously, geofencing checks were embedded in a .NET downloader within a trojanized Microsoft installer (MSI) file. Now, the restriction has been moved to the server-side, ensuring that only victims within the targeted Mexican region receive the final payload.
Current Attack Chain and Payload Delivery
The latest attack sequences remain consistent with earlier campaigns. Malicious ZIP files, such as 'Actualiza_Policy_v01.zip,' contain both a legitimate Chrome proxy executable and a trojanized MSI installer. This MSI is engineered to drop AllaKore RAT, which includes capabilities such as:
- Keylogging, screenshot capture, and remote control of infected systems
- Uploading and downloading files to and from the attacker's infrastructure
To facilitate the infection, the MSI also deploys a .NET downloader, which fetches the RAT from an external server (manzisuape.com/amw), along with a PowerShell script designed to perform cleanup operations.
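As an added illustration (not code from the original report or from any vendor tooling), the following Python sketch shows two defender-side checks for the delivery pattern just described: flagging a ZIP that pairs an MSI installer with an EXE, and scanning proxy log lines for requests to the downloader host named above. The archive member names, the log format and the log lines are constructed for the example; only the download host comes from the text.

```python
import io
import re
import zipfile

# The download host is the one named in the text; archive member names,
# the log format and the log lines below are constructed for this example.
DOWNLOADER_HOSTS = {"manzisuape.com"}

def archive_pairs_msi_with_exe(zip_bytes: bytes) -> dict:
    """Flag an archive that bundles an MSI installer with an EXE, the lure
    layout described above (legitimate Chrome proxy EXE + trojanized MSI)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n.lower() for n in zf.namelist()]
    msi = [n for n in names if n.endswith(".msi")]
    exe = [n for n in names if n.endswith(".exe")]
    return {"msi": msi, "exe": exe, "suspicious": bool(msi and exe)}

# Constructed proxy log format: "<timestamp> <client-ip> <METHOD> <url>"
PROXY_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

def downloader_fetches(lines) -> list:
    """Return (timestamp, client, url) for every request whose host is one of
    the documented downloader hosts; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        host = m.group("url").split("://", 1)[-1].split("/", 1)[0].split(":")[0]
        if host.lower() in DOWNLOADER_HOSTS:
            hits.append((m.group("ts"), m.group("src"), m.group("url")))
    return hits

def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure ZIP: one EXE and one MSI, no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chrome_proxy.exe", b"placeholder")
        zf.writestr("Actualiza_Policy_v01.msi", b"placeholder")
    return buf.getvalue()

SAMPLE_LOG = [  # constructed log lines
    "2024-07-01T10:00:01Z 10.1.2.3 GET http://manzisuape.com/amw",
    "2024-07-01T10:00:05Z 10.1.2.4 GET https://update.example.net/chrome.msi",
    "malformed line",
]

if __name__ == "__main__":
    print(archive_pairs_msi_with_exe(build_sample_archive()))
    print(downloader_fetches(SAMPLE_LOG))
```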
Regional Targeting Beyond Mexico
While Mexico remains the primary target, AllaKore RAT variants have also been used across Latin America. Notably, in May 2024, a variant known as AllaSenha (aka CarnavalHeist) was observed targeting Brazilian banking institutions, operated by threat actors native to Brazil.
Greedy Sponge: Persistent but Not Sophisticated
Despite its operational persistence over four years, experts classify Greedy Sponge as effective yet not highly advanced. The group's narrow geographic focus and exclusive pursuit of financial gain distinguish it from more sophisticated adversaries. Their unchanged infrastructure models and long-term success indicate that their current approach has been consistently effective, reducing the need for significant operational shifts.