
Blackberry warns Mexican crypto exchanges of lurking cyberthreat

01-25-2024

The threat pattern suggests that attackers mainly target large companies in Mexico with over $100 million in gross revenues.

The research and intelligence arm of Blackberry, a tech giant that previously dominated the cellphone market, has identified and issued an alert about a financially motivated attacker targeting numerous high-net-worth Mexican cryptocurrency exchanges and banks.

Blackberry’s report identified an attack that attempted to steal sensitive user information from banks and crypto trading services using an open-source remote access tool named AllaKore RAT. The attackers aim to install the tool on company-run computers and databases, often avoiding employees' suspicion by hiding behind official naming schemes and links. The report added:

“The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”

The threat pattern suggests that attackers mainly target large companies with gross revenues over $100 million. Such companies report directly to the Mexican Social Security Institute (IMSS), Blackberry noted.

Most of the attacks were traced back to Mexico Starlink IPs. Additionally, considering the use of Spanish-language instructions in the modified RAT payload, Blackberry concluded that the threat actor is based in Latin America.

The newer iterations of AllaKore RAT follow a more complex process of installation, wherein the software is delivered to the targets in a Microsoft software installer (MSI) file. The software executes only after confirming Mexico as the current location of the victim.

However, the scope of the threat is not limited to large banks and crypto trading services. The same method is being used to target large Mexican corporations from other business verticals, including retail, agriculture, public sector, manufacturing, transportation, commercial services and capital goods.

Cyberattacks conducted via basic phishing continue to increase, along with their success rate in stealing funds. On Jan. 20, the contact information of nearly 66,000 users of hardware wallet manufacturer Trezor was leaked in a security breach. While alerting users, Trezor said:

“We want to stress that none of our users’ funds have been compromised through this incident. Your Trezor device remains as secure today, as it was yesterday.”

At the time of reporting, at least 41 users had received direct email messages from the attacker requesting sensitive information about their recovery seeds. Considering the myriad of data leaks across the crypto ecosystem, investors are advised to refrain from sharing sensitive information unless verified.

Source: Cointelegraph.