The technology giant Blackberry, which once dominated the mobile phone market, has detected a threat actor targeting numerous Mexico-based cryptocurrency exchanges and banks and has issued a warning about the campaign. According to Blackberry's report, the attackers attempt to steal sensitive user information from banks and crypto trading services using a modified build of AllaKore RAT, an open-source remote access tool.
Details on the Blackberry Report
The malware aims to install itself on systems operated by intermediary companies and usually evades suspicion by hiding behind official-looking naming schemes and links. The report states:
“AllaKore RAT has been significantly modified to allow threat actors to send stolen banking credentials and unique authentication information back to a command and control (C2) server for financial fraud.”
The targeting pattern shows that the attackers mainly go after large companies with gross revenues over $100 million. Blackberry noted that such companies report directly to the Mexican Social Security Institute. Most of the attacks were traced back to Mexican Starlink IP addresses. Together with the Spanish-language instructions found in the modified RAT payload, this led Blackberry to conclude that the threat actor is based in Latin America.
Phishing Fraud and the Crypto Market
Newer versions of AllaKore RAT use a more elaborate delivery chain: the software reaches targets as a Microsoft Software Installer (MSI) file, and the payload executes only after the malware confirms that the victim is located in Mexico. This geofencing keeps the RAT dormant on machines, including analysis sandboxes, outside the country.
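To make the geofencing step concrete, the following is an added example written for this article; it is not code from the BlackBerry report or from AllaKore RAT. It models a loader that queries a geolocation service and runs its second stage only for victims in Mexico, and shows the analyst's counter-move of stubbing the lookup so the sample detonates in a sandbox anywhere. The JSON response shape, the field names and the IP addresses are all assumptions constructed for the example.

```python
"""Added example (not from the BlackBerry report or the AllaKore RAT source):
a minimal model of a geofenced loader plus an analysis harness that forces
the gate open. The geolocation API shape and field names are assumptions."""
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample responses, shaped like a typical IP-geolocation JSON API.
# Assumption: the real downloader's service and response fields are not on this page.
SAMPLE_RESPONSES = {
    "203.0.113.10": '{"status":"success","country":"Mexico","countryCode":"MX"}',
    "198.51.100.7": '{"status":"success","country":"United States","countryCode":"US"}',
    "192.0.2.99":   '{"status":"fail","message":"reserved range"}',
}


def lookup_country(ip: str) -> Optional[str]:
    """Stand-in for the network lookup: returns an ISO country code, or None
    when the service fails or the response cannot be parsed."""
    raw = SAMPLE_RESPONSES.get(ip)
    if raw is None:
        return None
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if data.get("status") != "success":
        return None
    return data.get("countryCode")


@dataclass
class StageResult:
    country: Optional[str]   # what the lookup reported
    gate_open: bool          # whether the geofence check passed
    payload_run: bool        # whether the second stage was reached


def run_second_stage() -> bool:
    """Placeholder for the RAT drop: here it only records that it was reached."""
    return True


def geofenced_loader(ip: str,
                     geo: Callable[[str], Optional[str]] = lookup_country,
                     allowed: str = "MX") -> StageResult:
    """Model of the gate: run the second stage only when the victim appears to be
    in the allowed country. Any lookup failure counts as 'not Mexico', so the
    loader exits quietly instead of exposing its payload."""
    country = geo(ip)
    gate_open = country == allowed
    payload_run = run_second_stage() if gate_open else False
    return StageResult(country, gate_open, payload_run)


def analyst_override(ip: str) -> StageResult:
    """Sandbox trick: inject a lookup that always answers 'MX' so the sample
    proceeds to its second stage regardless of where the analysis box sits."""
    return geofenced_loader(ip, geo=lambda _ip: "MX")


if __name__ == "__main__":
    for addr in SAMPLE_RESPONSES:
        print(addr, geofenced_loader(addr))
    print("override", analyst_override("198.51.100.7"))
```

The point for defenders is the asymmetry: a failed or blocked geolocation lookup is treated as "not a target", so a sandbox that cuts off network access sees a benign installer. Patching the lookup (or answering it from a local HTTP stub) is the usual way to coax such a sample into revealing its next stage.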
However, the campaign's scope is not limited to major banks and crypto trading services. The same lure is also used against large Mexico-based companies in other sectors, including retail, agriculture, the public sector, manufacturing, transportation, commercial services, and capital goods.
Attacks that start with simple phishing keep succeeding, and the funds stolen through them keep growing. Leaked contact details are the raw material for such phishing. On January 20, hardware wallet manufacturer Trezor disclosed a security breach in which the contact information of approximately 66,000 users was exposed. Trezor issued the following statement to warn its users:
“We want to emphasize that no user funds were put at risk due to this incident. Your Trezor device is as secure today as it was yesterday.”