BlackBerry Warns Mexican Bank and Crypto Firms on Potential Security Threat

BlackBerry has flagged a potential threat to Mexican banks and cryptocurrency platforms based on hackers’ attempt to deliver a modern version of Allakore RAT.

In a Jan 24 report, BlackBerry’s Research and Intelligence Team raised concerns about a threat actor targeting financial institutions with Allakore RAT modified to allow hackers send stolen banking details and other key components to the command center for cyber theft.

According to the report, the bad actors are looking for large firms with revenues above $100 million because lures flagged by the research team were sent to firms that report directly to the Mercian Social Security Institute (IMSS).

The reason for targeting large companies directly under the MSSI is first the financial incentives as these companies are worth more and secondly, the lures deployed use the IMSS links and naming schemas to make legitimate, benign documents during the process.

“The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”

Scammers based in Latin America

The team also narrowed the bad actors that posed the threat of being based in Latin American countries because of the use of the Spanish language conveying instructions in the modified payload.

The large number of Mexican Starlink IPs alongside the timeframe in the process also backs up their research team’s claims of bad actors based in the Latin American region.

“This threat actor is specifically targeting Mexican entities, especially large companies with gross revenues over $100M US. All lures have utilized legitimate and benign Mexican government resources, such as the IDSE software update document “guia_de_soluciones_idse.pdf” and the IMSS payment system SIPARE,” the report reads.

Per the report, targeting is wide and not only at financial services as details were released on firms in Manufacturing, Agriculture, Capital Goods, Banking, Commercial Services, Retail, Transportation, and the Public Sector.

However, naming functions in the RAT point to a Mexican cryptocurrency broker and six banks domiciled in the country as the .NET loader specifies the geolocation with multiple services before deploying RAT.

Links with a similar bad actor

Before BlackBerry’s release, the same bad actors had targeted firms as early as December 2021 as reported by Mandiant on a cyber security threat focused on Mexico.

Analysts at the firm suggest that the bad actors in these scenarios are similar because only two financial actors limit their victims to a single country for years and the tracking of 14 firms occurred over 12 months.

Users have lamented the rate at which threat actors target cryptocurrency firms in an attempt to wipe out millions from projects.

This week, scammers sent out malicious phishing links targeted at several web3 firms advertising fake airdrops to users draining $3.3 million in assets.