New AllaKore RAT malware targets Mexican enterprises

admin · 2024-01-28 20:31:32 · 14 views · 3,532 characters · about 12 minutes reading time

Mexican financial institutions are the target of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

"Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process," the Canadian company said in an analysis published earlier this week.

"The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud."

The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking sectors.

The infection chain begins with a ZIP file, distributed either via phishing or a drive-by compromise, which contains an MSI installer. The installer drops a .NET downloader that first confirms the victim is geolocated in Mexico and only then retrieves the altered AllaKore RAT, a Delphi-based RAT first observed in 2015.
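The ZIP -> MSI -> .NET downloader chain above leaves a recognisable process lineage on the endpoint: a child spawned by msiexec.exe, running from a temporary directory, that immediately talks to the network. The following hunting heuristic is an added example written for this page, not BlackBerry's tooling or anything from the campaign. The events are constructed Sysmon-style records (EventID 1 process creation, EventID 3 network connection) with invented PIDs, paths and addresses; the assumption that the downloader's Mexico geofence surfaces as an early outbound connection from the dropped child is mine, not a detail reported in the analysis.

```python
# Added hunting heuristic for the ZIP -> MSI -> downloader chain described in
# the article. Example code written for this page, not BlackBerry's analysis
# tooling or code from the campaign. Events are constructed Sysmon-style
# records; the geofence-as-early-network-connection idea is an assumption.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    event_id: int            # 1 = process creation, 3 = network connection
    pid: int
    image: str               # full path of the process image
    parent_pid: int = 0      # EventID 1 only
    parent_image: str = ""   # EventID 1 only
    dest: str = ""           # EventID 3 only, "ip:port"


# Directories where an MSI custom action typically unpacks a dropped payload.
TEMP_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def is_temp_path(path: str) -> bool:
    """True when the image lives under a user or system temp directory."""
    return any(hint in path.lower() for hint in TEMP_HINTS)


def find_msi_dropper_chains(events: List[Event]) -> List[dict]:
    """Flag processes that were spawned by msiexec.exe, run from a temp
    directory, and made at least one outbound connection."""
    procs: Dict[int, Event] = {e.pid: e for e in events if e.event_id == 1}
    conns: Dict[int, List[str]] = {}
    for e in events:
        if e.event_id == 3:
            conns.setdefault(e.pid, []).append(e.dest)

    hits = []
    for proc in procs.values():
        # Prefer the parent's own creation record; fall back to the ParentImage field.
        parent = procs.get(proc.parent_pid)
        parent_image = (parent.image if parent else proc.parent_image).lower()
        if not parent_image.endswith("\\msiexec.exe"):
            continue
        if not is_temp_path(proc.image):
            continue
        if proc.pid not in conns:
            continue
        hits.append({
            "pid": proc.pid,
            "image": proc.image,
            "parent": parent_image,
            "destinations": conns[proc.pid],
        })
    return hits


# Constructed sample telemetry (invented PIDs, paths and RFC 5737 addresses).
# The IMSS-themed filename mirrors the lure naming the article describes.
SAMPLE_EVENTS = [
    Event(1, 100, r"C:\Windows\explorer.exe"),
    Event(1, 200, r"C:\Windows\System32\msiexec.exe", 100, r"C:\Windows\explorer.exe"),
    # Dropped downloader launched from %TEMP% by the installer, then calls out.
    Event(1, 300, r"C:\Users\ana\AppData\Local\Temp\IMSS_Aviso_2024.exe", 200,
          r"C:\Windows\System32\msiexec.exe"),
    Event(3, 300, r"C:\Users\ana\AppData\Local\Temp\IMSS_Aviso_2024.exe",
          dest="203.0.113.10:443"),
    # Benign: installer child that does not run from a temp directory.
    Event(1, 400, r"C:\Program Files\Vendor\setup.exe", 200,
          r"C:\Windows\System32\msiexec.exe"),
    Event(3, 400, r"C:\Program Files\Vendor\setup.exe", dest="198.51.100.5:443"),
    # Benign: temp binary with network activity but launched by explorer.
    Event(1, 500, r"C:\Users\ana\AppData\Local\Temp\7zO4A1\tool.exe", 100,
          r"C:\Windows\explorer.exe"),
    Event(3, 500, r"C:\Users\ana\AppData\Local\Temp\7zO4A1\tool.exe", dest="192.0.2.7:80"),
]


if __name__ == "__main__":
    for hit in find_msi_dropper_chains(SAMPLE_EVENTS):
        print(hit)
```

On the constructed sample only PID 300 is flagged; the vendor installer child (not in a temp directory) and the explorer-launched temp binary are both ignored. In practice, feed it real Sysmon events and tune TEMP_HINTS to the unpack locations your installers legitimately use, since the heuristic is deliberately broad and will need an allow-list.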

"AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim's machine," BlackBerry said.

The new functions added to the malware by the threat actor include support for commands related to banking fraud, targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.

The threat actor's links to Latin America come from the Mexican Starlink IP addresses used in the campaign, as well as the Spanish-language instructions added to the modified RAT payload. Furthermore, the lures only work for companies that are large enough to report directly to the Mexican Social Security Institute (IMSS).

"This threat actor has been persistently targeting Mexican entities for the purposes of financial gain," the company said. "This activity has continued for over two years, and shows no signs of stopping."

The findings come as IOActive said it identified three vulnerabilities in the Lamassu Douro bitcoin ATMs (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) that could allow an attacker with physical access to take full control of the devices and steal user assets.

The attacks abuse the ATM's software update mechanism together with the device's ability to read QR codes: an attacker supplies their own malicious file through these paths and triggers execution of arbitrary code. The issues were fixed by the Swiss company in October 2023.

Originally published by the WeChat public account 知机安全: New AllaKore RAT malware targets Mexican enterprises

Posted by admin on 2024-01-28 20:31:32. Reposts should keep the original link (CN-SEC中文网): http://cn-sec.com/archives/2439075.html