BlackBerry’s Research and Intelligence Team has identified a threat actor targeting Mexican banks and cryptocurrency exchanges. The attacker uses a modified build of AllaKore RAT, an open-source remote access tool, to steal sensitive user information from banks and crypto trading services.
The campaign works by getting the malware installed on company-operated computers and databases, with lures that imitate official naming schemes and links so that employees do not become suspicious. AllaKore RAT has been heavily modified so that the operators can send stolen banking credentials and unique authentication information back to a command and control (C2) server, where they are used for financial fraud.
The targeting indicates that the attackers primarily go after large companies with gross revenue above $100 million that report directly to the Mexican Social Security Institute (IMSS). Most of the attacks have been traced back to Mexican Starlink IP addresses, and the Spanish-language instructions embedded in the modified RAT suggest that the threat actor is based in Latin America.
Newer versions of AllaKore RAT use a more elaborate setup chain: the malware is delivered inside a Microsoft Installer (MSI) file, and the payload deploys only after the installer confirms that the victim is located in Mexico, a geofencing check that also prevents the malware from running in analysis environments outside the country. The targeting is also broader than major banks and crypto services: the campaign hits large Mexican companies across retail, agriculture, the public sector, manufacturing, transportation, commercial services, and capital goods.
Phishing-based attacks continue to grow in reach, affecting not only financial institutions but other industries as well. A recent security breach at hardware wallet manufacturer Trezor exposed the contact details of about 66,000 users on January 20. Trezor said that no funds were at risk and stressed that the security of its devices was unaffected.