BlackBerry, the former mobile phone market leader, has through its research and intelligence arm identified and raised a red flag regarding a financially motivated cyber attacker targeting several large cryptocurrency exchanges and banks in Mexico. The attacker aims to pilfer sensitive user data from these financial entities using the AllaKore RAT (Remote Access Tool), an open-source tool capable of surreptitiously installing itself on company-operated computers and databases. The attackers conceal their activities by adopting official naming schemes and links so as not to arouse employee suspicion.
BlackBerry's report indicates that the AllaKore RAT payload has undergone extensive modifications, facilitating the transmission of pilfered banking credentials and unique authentication details back to command and control (C2) servers for potential financial fraud. Notably, these cyber threats are primarily directed at large companies with total revenues exceeding $100 million, many of which report directly to the Mexican Institute of Social Security (IMSS). The majority of the attacks were traced back to Mexican Starlink IP addresses, suggesting a localized threat, and the use of Spanish-language instructions in the RAT payload indicates a likely origin from Latin America.
In more recent iterations, AllaKore RAT has adopted a more intricate installation process, in which the software is delivered in the guise of a Microsoft Software Installer (MSI) file. Execution of the software is contingent upon confirming Mexico as the victim's current location. However, the threat landscape extends beyond large banks and cryptocurrency exchanges, encompassing other industry verticals in Mexico, such as retail, agriculture, the public sector, manufacturing, transportation, business services, and capital goods. Cybersecurity experts emphasize that basic phishing attacks are seeing increased success rates in extracting funds.
In a related incident, the security breach of hardware wallet manufacturer Trezor on January 20 led to the exposure of contact information for nearly 66,000 users. However, Trezor reassured users that their funds remained secure and that the incident did not compromise the integrity of their Trezor devices. Given the rising number of data breaches within the cryptocurrency ecosystem, investors are advised to exercise caution and refrain from sharing sensitive information without proper verification.