The activity was attributed by the BlackBerry Research and Intelligence Team to an unidentified, financially motivated threat actor operating in Latin America. The campaign has been active since at least 2021.
“Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process,” the Canadian company said in an analysis published earlier this week. “The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”
The attacks specifically target large companies with annual revenues of more than $100 million. Retail, agriculture, the public sector, manufacturing, transportation, commercial services, capital goods, and banking are among the industries targeted.
The attack begins with a ZIP file that is either distributed through phishing emails or a drive-by compromise. This file contains an MSI installer file that launches
[…]