On January 24, 2024, BlackBerry reported a newly discovered malspam campaign targeting Mexican financial institutions and cryptocurrency exchanges and delivering a heavily customized version of the open-source trojan AllaKoreRAT.
Based on telemetry, BlackBerry assessed that the unidentified threat actor operates from the Latin America region. The malspam lures are themed around SIPARE, the payment system of the Mexican Social Security Institute (Instituto Mexicano del Seguro Social, IMSS), and a purported IMSS software update.
The initial vector is a RAR archive containing a Microsoft Installer (MSI) file. The installer downloads and executes a .NET downloader ("ADV.exe"), which retrieves the victim's public IP address and uses it to check whether the host is located in Mexico; AllaKoreRAT is downloaded as the final-stage malware only if the victim is in Mexico. This geofencing is notable because it is consistent with a targeted campaign. The actor also took steps to conceal the reconnaissance: ADV.exe is downloaded alongside PowerShell scripts whose role is to erase evidence of ADV.exe's activity.
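As an added example (not from the BlackBerry report), the following Python correlates constructed endpoint events to flag the staging pattern described above: an MSI-spawned process that performs a public-IP lookup and then spawns PowerShell to delete its own traces. The geolocation host name, the event schema and the cleanup keywords are assumptions to be tuned to your own telemetry.

```python
"""Flag the MSI -> IP-lookup -> PowerShell-cleanup staging chain in endpoint events."""
from collections import defaultdict

# Constructed sample events (not real telemetry) mirroring the chain in the text:
# msiexec spawns ADV.exe, ADV.exe looks up the host's public IP, then a PowerShell
# child deletes ADV.exe. pid 400 is a benign installer child used as a control.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec /i update.msi"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\ADV.exe", "cmd": "ADV.exe"},
    {"type": "network", "pid": 200, "dest": "ip-lookup.example", "port": 443},  # placeholder geolocation service
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -c Remove-Item ADV.exe"},
    {"type": "process", "pid": 400, "ppid": 100, "image": r"C:\Temp\setup.exe", "cmd": "setup.exe /quiet"},
]

# Assumption: the public-IP / geolocation services seen in your environment.
GEO_LOOKUP_HOSTS = {"ip-lookup.example"}
# Assumption: command-line fragments that indicate file deletion.
CLEANUP_KEYWORDS = ("remove-item", "del ", "rm ")


def find_geofenced_staging(events, geo_hosts):
    """Return one finding per MSI-spawned process that contacted a geolocation
    service and then spawned PowerShell with a file-deletion command."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    net = defaultdict(set)          # pid -> set of destination hosts
    children = defaultdict(list)    # ppid -> child process events
    for e in events:
        if e["type"] == "network":
            net[e["pid"]].add(e["dest"].lower())
    for p in procs.values():
        children[p["ppid"]].append(p)

    hits = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent is None or not parent["image"].lower().endswith("msiexec.exe"):
            continue                            # only MSI-spawned processes
        if not (net[p["pid"]] & geo_hosts):
            continue                            # no public-IP lookup observed
        cleanup = [c for c in children[p["pid"]]
                   if c["image"].lower().endswith("powershell.exe")
                   and any(k in c["cmd"].lower() for k in CLEANUP_KEYWORDS)]
        if cleanup:
            hits.append({"pid": p["pid"], "image": p["image"], "cleanup_pid": cleanup[0]["pid"]})
    return hits


if __name__ == "__main__":
    for hit in find_geofenced_staging(EVENTS, GEO_LOOKUP_HOSTS):
        print("geofenced staging chain:", hit)
```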
Based on the list of command-and-control (C2) domains provided by BlackBerry, the campaign has been in preparation since last spring: registration details for the domains date back to April 2023.