Mexican Banks and Cryptocurrency Platforms Targeted With AllaKore RAT

Summary

A financially motivated threat actor is targeting Mexican banks and cryptocurrency trading entities with custom packaged installers delivering a modified version of AllaKore RAT – an open-source remote access tool.

Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process. The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.

The targeting we observed was indifferent to industry; the attackers appear to be most interested in large companies, many with gross revenues over $100M USD. We know this because the lures sent out by the threat actors only work for companies that are large enough to be reporting directly to the Mexican government’s IMSS department.

Based on the large number of Mexico Starlink IPs used in the campaign and the long timeframe of these connections, plus the addition of Spanish-language instructions to the modified RAT payload, we believe that the threat actor is based in Latin America.
 

Brief MITRE ATT&CK® Information

TacticTechnique
Initial AccessT1189
ExecutionT1204.001, T1059.001
Defense EvasionT1218.007, T1480, T1070.004, T1140
Command and ControlT1105, T1071.001, T1219
Credential AccessT1056.001
CollectionT1056.001, T1113
ExfiltrationT1041


Weaponization and Technical Overview

WeaponsMalicious MSI installer, .NET downloader, customized AllaKore RAT
Attack VectorSpear-phishing; Drive-by
Network InfrastructureStatically hosted C2
TargetsRetail, Agriculture, Public Sector, Manufacturing, Transportation, Commercial Services, Capital Goods, and Banking


Technical Analysis

Context

A long running campaign targeting Mexican entities with large revenues ($1 million USD and above) was discovered by BlackBerry cyber threat intelligence (CTI) analysts. This campaign has been using consistently detectable C2 infrastructure since 2021 and has yet to be disrupted.

Attack Vector

Samples from the middle of 2022 and before, such as 942865d0c76b71a075b21525bd32a1ceca830071e5c61123664bd332c7a8de2a, were packaged as RAR files containing the AllaKore sample itself. RAR is a proprietary archive file format that supports data compression, error correction and file spanning.

Newer samples have a more complicated installation structure that delivers the downloader, compressed in an MSI file, which is a Microsoft software installer. The downloader first verifies that the target is located in Mexico, verified via network IP location services, before downloading the customized AllaKore RAT.

Installer files are structured like malspam attachments and have the following execution path:

Figure 1: RAT delivery process

What is AllaKore RAT?

AllaKore RAT is a simple, open-source remote access tool written in Delphi. It was first observed in 2015, and was most recently used by the threat group known as SideCopy in May 2023 to infiltrate organizations within a specific geographic area.
 

Early 2022 Sample

Hashes (md5, sha-256)21b7319ae748c43e413993ad57e8d08c942865d0c76b71a075b21525bd32a1ceca830071e5c61123664bd332c7a8de2a
File Namealuminio.rar
File Size3840823


“Aluminio.rar” decompresses “aluminio.exe”, which is the AllaKore RAT payload. Worthy of note is the fact that new commands in the Spanish language have been added to the original RAT payload.

Figure 2: Custom function names

This earlier sample reaches out to uplayground[.]online, a domain which was in use from late 2021 until mid-2022. The endpoint of “/registrauser.php” was originally used as the AllaKore server. The endpoint “/license.txt” was used as an update location, always pointing to the latest version of the threat actor’s RAT. A breakdown of the custom functionality is given a little further down in this report.
 

Late 2022 Sample

Hashes (md5, sha-256)e5447d258c5167db494e6f2a297a9be8bf26025974c4cbbea1f6150a889ac60f66cfd7d758ce3761604694b0ceaa338d
File NamePluginIMSSSIPARE (1).zip
File Size14220446


The file obfuscation was changed in late 2022. This file has the following structure:

  • PLUGINIMSSSIPARE (1).zip
    • _
    • INSTRUCCIONES.txt
    • InstalarPluginSIPARE.zip
      • InstalarPluginSIPARE.msi

The instructions read:

Figure 3: INSTRUCCIONES.txt

Translated, this reads:

INSTRUCTIONS

1.- EXTRACT THE CONTENT OF THE INSTALARPLUGINSIPARE.ZIP FILE
2.- RUN THE FILE CALLED “INSTALARPLUGIN”
3.- WHEN YOU FINISH THE INSTALLATION YOU WILL BE ABLE TO LOG IN NORMALLY

“InstalarPluginSIPARE.msi” is built with Advanced Installer 18.3. This file deploys a .NET downloader and a couple of PowerShell scripts for cleanup. “ADV.exe” is the .NET downloader, while the PowerShell command employed is:

“C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe” -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command
“C:\Users\admin\AppData\Local\Temp\AI_4ECB.ps1 -paths ‘C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\file_deleter.ps1′,’C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\aipackagechainer.exe’,’C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files’,’C:\Users\admin\AppData\Roaming\ADV’,’C:\Users\admin\AppData\Roaming\ADV’ -retry_count 10”

Both “file_deleter.ps1” and “AI_4ECB.ps1” are the same file, with sha256  80C274014E17C49F84E6C9402B6AA7D09C3282ADC426DA11A70A5B9056D6E71D. They are used to clear out the ADV directory once the final payload is delivered.

The “aipackagechainer.ini” file shows the installation and execution parameters:

[GeneralOptions]
Options=bh
DownloadFolder=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\
ExtractionFolder=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\

[PREREQUISITES]
App1=4.4.7

[App1]
SetupFile=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\ADVin\ADV.exe
Options=ip

[PREREQ_CHAINER]
CleanupFiles=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\ADVin\ADV.exe
CleanupFolders=C:\Users\admin\AppData\Roaming
CleanupScript=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\file_deleter.ps1

This shows the MSI installation path and execution chain. “ADV.exe” is the .NET downloader that will be run first, followed by the “file_deleter.ps1” script, which removes the installation files.

Hashes (md5, sha-256)2c84d115a74d2e9d00a14f19eb7f81292843582FE32E015479717DA8BF27F0919B246A39495C6D6E00AC7ECA8B1D789C
File NameADV.exe, App.exe
File Size47104
Created2039-08-06 15:13:14 UTC


“ADV.exe” checks ipinfo[.]io for a geolocation in Mexico with the obfuscated function below. If MX is not in the response string then the downloader exits.

Figure 4: Function checking for Mexican geolocation

The rest of the downloader’s execution deobfuscates strings and then downloads content from hxxps://trapajina[.]com/516. The file is saved as “kaje.zip”. “Kaje.zip” is decompressed into the final payload, “chancla.exe”.

All payloads utilize the user_agent “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)”.

“Chancla.exe” can also be found at hxxps://dulcebuelos[.]com/perro516[.]exe.
 

AllaKore RAT

AllaKore RAT, although somewhat basic, has the potent capability to keylogscreencaptureupload/download files, and even take remote control of victim’s machine.

Hashes (md5, sha-256)aa11bedc627f4ba588d444b977880ade6d516a96d6aa39dd9fc2d745ea39658c52ab56d62ef7a56276e2e050d916e19f
File Namechancla.exe
File Size7696896
Created2023-09-15 07:26:42 UTC
CopyrightCreatiUPRPS Win Service
ProductCreatiUPRPS Win Service
DescriptionCreatiUPRPS Win Service
Original NameCreatiUPRPS Win Service
Internal NameCreatiUPRPS Win Service
File Version3.4.0.0
CommentsCreatiUPRPS Win Service


“Chancla.exe” is the threat group’s modified version of AllaKore, which contains the following functionalities besides those originally found in the open-source AllaKore RAT:

  • Additional commands related to banking fraud, targeting Mexican banks and crypto trading platforms.
  • Reverse shell through command <|RESPUESTACMD|>.
  • Clipboard function through commands <|CLIPBOARD|>, which only executes Ctrl+C, and <|PEGATEXTO|> “grab text”, which copies content by executing the shortcut Ctrl+C. It can then paste copied content via the shortcut Ctrl+V.
  • Downloads and executes files, providing an easy way for the RAT to become a loader and install additional components not hard-coded in the malicious binary.

Figure 5: PEGATEXTO function
 

Figure 6: Descarun function

This sample utilizes uperrunplay[.]com as the C2 with the same URL as previous campaigns, using as endpoints “license.txt”, “license2.txt”, and “registrauser.php”. At the time of writing they pointed to the following:

  • license.txt: version_400_https://domain[.]com/perro516[.]exe is a placeholder for AllaKore RAT itself; when pushing for new versions, the threat actors changed the domain to dulcebuelos[.]com.
  • registrauser[.]php is the C2, which is used for communication with the RAT.
  • license2.txt: http://23.254.202[.]85/Chrome32[.]exe
  • Chrome32.exe (SHA256: 0b8b88ff7cec0fb80f64c71531ccc65f2438374dda3aa703a1919ae878f9eb67) is a Chrome extension that blocks access to URLs starting with enlaceapp[.]santader[.]com[.]mx/js/vsf_generales/.

Figure 7: Chrome extension blocking rules

Network Infrastructure

The network infrastructure is not obfuscated in any way other than regular domain updates. The majority of servers used in this campaign are purchased through Hostwinds, while the domains are registered through eNom LLC.

DomainTypeFirst SeenLast Seen
flapawer[.]comC22023-12-13Active
chaucheneguer[.]comC22023-10-27Active
hhplaytom[.]comC22023-10-05Active
zulabra[.]comC22023-04-29Active
uperrunplay[.]comC22022-11-08Active
uplayground[.]onlineC22021-05-122023-04-28
praminon[.]com/519Delivery2023-12-23Active
trapajina[.]com/516Delivery2023-10-07Active
zaguamo[.]com/500Delivery2023-05-10Active
pemnias[.]com/433Delivery2023-05-102023-10-16
isepome[.]com/435Delivery2023-02-03Active
narujiapo[.]com/435Delivery2023-05-30Active
manguniop[.]com/422Delivery2022-06-062023-06-06
debirpa[.]comDelivery2023-05-02Active
dulcebuelos[.]comDelivery2023-03-15Active
iomsape[.]comDelivery2023-02-03Active
bstelam[.[com/431Delivery2022-08-062023-08-05
rudiopw[.]com/430Delivery2022-06-292023-06-26
ppmunchi[.]comDelivery2022-05-182023-06-30
pelicanomwp[.]com/422Delivery2022-04-292023-04-29
andripawl[.]comDelivery2022-04-032023-04-19


All of the C2s utilize the same HTML and favicons, and are traceable with the following MMH hashes:

http.html_hash:1125970204
http.favicon.hash:-2055641252

IP Match MMH
192.119.99[.]234
192.119.99[.]235
192.119.99[.]236
192.119.99[.]237
192.119.99[.]238
23.236.143[.]214
23.254.138[.]211
23.254.202[.]85


Aside from a short resolution of uperrunplay[.]com to 23.236.143[.]214, these C2 are also hosted on Hostwinds servers.  

All delivery servers are hosted on 23.254.136[.]60 and utilize ZeroSSL certificates. The server has been used for delivery purposes since 2022-04-03.

BlackBerry telemetry shows that remote desktop protocol (RDP) access to C2 servers is accomplished via express-vpn and mullvad-vpn, in addition to the use of Starlink IP addresses located in Mexico. The large number of Mexico Starlink IPs and long timeframe of connections indicate the geolocation of the threat actor is likely Latin America.
 

Targets

This threat actor is specifically targeting Mexican entities, especially large companies with gross revenues over $100M US. All lures have utilized legitimate and benign Mexican government resources, such as the IDSE software update document “guia_de_soluciones_idse.pdf” and the IMSS payment system SIPARE.

Figure 8: IDSE PDF header used as a lure

During the installation process, the .NET loader confirms the Mexican geolocation of the victim through IP location services, before proceeding to download and deploy the RAT.

Targeting is indifferent to industry, as we saw targeted entities across Retail, Agriculture, Public Sector, Manufacturing, Transportation, Commercial Services, Capital Goods, and Banking industries. The actors are most interested in large companies, many with gross revenues over $100M USD. We know this because the lures used only work for companies that are large enough to be reporting directly to the Mexican government’s IMSS department.

Function naming inside the RAT imply specific targeting of banks residing in Mexico. Prefixes to those names explicitly reference six Mexican banks and a Mexican crypto trading broker.

Attribution

The targeting of Mexican entities by this threat actor has been ongoing since at least late 2021. In December of 2021, Mandiant released an investigative report about FIN13, where they state that only two financial actors that they know of limit their targeting to one single country over a timeframe of multiple years. Only 14 of the financially motivated groups they track persist for longer than one year. These statistics point to this actor being unique in its persistence and regional targeting.

Custom functionality built into the RAT gives its operators specific fields to paste credentials and data related to their target’s banking infrastructure. This implies a segmented operation, where operators utilize the RATs to upload victim data to the C2 server in a specific format. That can then be used by the malicious individuals in charge of conducting fraudulent banking actions to take further action.

Function naming in Spanish, and Mexican Starlink IPs accessing RDP ports of the C2 indicate that this actor group is mostly likely located in Latin America.

Conclusions

This threat actor has been persistently targeting Mexican entities for the purposes of financial gain. This activity has continued for over two years, and shows no signs of stopping.

The number of sightings from within BlackBerry’s own internal telemetry, and the vast number of sample submissions to VirusTotal (the majority submitted from within Mexico itself), point to an extremely active group targeting any large Mexican company they can contact, with the hope of exfiltrating financial information.

APPENDIX 1 – Indicators of Compromise (IoCs)

File IoCs

sha256Type
94489764825f620e777a34161d0ce506a49eec20bc27c3d63370e493a737d50e.NET Loader
884789b63fe432938e1bb76c9976976c1905b74c2974340a60eb7ea8261d48fb.NET Loader
b18e0c7c9569b33187e2beaf3318e99b50ed40c54e7dee8a26ce711bc782b150.NET Loader
4085c9829e2b18fd4721688dc25c0611f260b6e4f827b667999d9603cfe5e2d7.NET Loader
66f5b7ca8760fb017b0750441707c24eaa916d5b8aa021b3aa92082c6129ca22.NET Loader
0a3aa8c2485a3b8525f044f33c6d268ab79e1942885792d95f6a1c0c45be6106.NET Loader
84a468a25a8c65dac51f520732d2e9e6afa6b59e4b2f485c262a9bd305cd61c0.NET Loader
9402128b9602fbb485be887def8cd72c3265cd09f6dbf4e0a3ad2ea42da66870.NET Loader
e4a6be2fb70603f1545641240680b44e21b5601e8016c0d144711423eef9778e.NET Loader
d5ac0f4efa8396ae9ba74cc3ea2a62485e4d49a930efed0d69b043162bb66cc2.NET Loader
d63447877be48156032cc9ec9def7e25d62e7bc544bd3e19da75c0f55e09dcc0.NET Loader
7bb22d7013dede7b866ab25cbe32246228c46bd8a951b5a72557b7280ebb066f.NET Loader
2867d87bbc088b8cc50ff66f1d9c064cba978433cdb900649bbbb44370f8cbd1.NET Loader
b00fee1c275d12a05ca8a06ab54ffac2e3e8da68fd2be450f34c36c8a38e4887.NET Loader
e7e2a6fe7325ad7945a6020202ab5581e0a204f8b8ad9ffc48c18f129a6f8c46.NET Loader
42f1d24e135b9d3e4fd38e1ec3ab20cae495ec3526ae4037d937c6344914e923.NET Loader
88a9e666d4231a98a909ae5780778b85ffdb8a5207b8f7dfca2a0911cc0f6580.NET Loader
872c58b72962c1f0696b26563425c6734cc2246d1ea3375f675c1bd1ca915e59.NET Loader
49de6df83c5fe55c4e45b5744203513832f0435dbbd7913a3ce7f827afe51236.NET Loader
0eb20898a0a3c1f4a4210a819fa0bd8f8574db3413db8b85e381ab0c1963791a.NET Loader
d928ce7383d8582163c36773d1d97360a5ded812d11ee0faf99c7afa78251850.NET Loader
8a1381a829776220ec4bf0a9d36cf6842a5638b0190e667ee696bab04b8e7c9f.NET Loader
0835d21b60e3443892988d675f20393d79503ca6e37a889d9f7da19c321b3426.NET Loader
4276b4b4504edff275a4d56b99f66b23c48b49f4081abab36bf4d8f88818e2da.NET Loader
8cc14643ec452aa35e709ae34b874e0f070a20b174e7eeb2a046351a329cdde9.NET Loader
0eeb357abcd3864538dc26000f3a1d706c2c330fadfb845f7fc350b382d00c4e.NET Loader
61037a3321e143d85cdf77abf31f33ca5a701da0b84cef172bcf89457dfb4e7d.NET Loader
0324d8ed29829e5fa7add2bab1e73f2ad0094e80867caf57d35369a5e22fe79c.NET Loader
2444dd2bb0a0fa0631935ddeb829b753d1ba46c9149ee45f79794903f26e16fa.NET Loader
19d357351a29f6530624556bd31c475d56ea9ad76f31eb28f7d251fa3c751d62.NET Loader
da0b73d2f42f0232762f7c8d3eaa6863969f1982b798cd9fc19431c901ae4635.NET Loader
2843582fe32e015479717da8bf27f0919b246a39495c6d6e00ac7eca8b1d789c.NET Loader
b1489b216fb25bcf57329546c160800645c0a6620add3c8323e2b589d7150e9e.NET Loader
a72018420f8aab9cb431d120bfa06acd09d777a88aa186ec495dffdc22395f0e.NET Loader
2a0d1c7354b43acd6fd0303beb6277db92691f03e37baea0c39249ae0d8b5301.NET Loader
906d49817970955847f64d2f868e418579549e9cfa91c575f38342a1bd66ad4b.NET Loader
e01b10fc4131b8eec32148e559b95fd82da817166b831ae32a0fa89be883e8e9.NET Loader
08f0954be207eaa1a85cdc9eed4ad2737613bbbf240a7c30b658b583c3ddef0c.NET Loader
3499e5bd9daad587e05337bae5e953f279ebee20d9cf6d2a1707be28ce6295bf.NET Loader
1230b1a189b17a4da79bc10bde0fbb439c37997c8f927d4a80c61b006d8b3267.NET Loader
17213aa5a43fcf6a6baf5e784f33411cd0fa3a2fb00418486085c5a24695af7c.NET Loader
c86f9d739ea3c6b57fd070892be9d1d4b3c50fca8a8c3e05cf84875378fcc649.NET Loader
b61c027adcef5d2108dc13735cef5d4bce295f13de6032f3fee5129be74816b6.NET Loader
968f90a4567cdf67885c116379c792b4eeda1f7f8bd2cf34daf8c58b17f2ec0f.NET Loader
a65091e8912e4b65458041f866d37410b46e7a9432a57e0d7dc01ca4a21f3940.NET Loader
bf3e96bb6273890f48b566e9d484e0e747e8f21e3dbd6606a39edf98faedc7b1.NET Loader
6d3a50a354bcf2df226ce1065563755b3ab16d2e440900e3b80a9f0571c0f73a.NET Loader
da61eb41bffd50a07793ccc8b2ead76f5c49313445f07aa685c28523bbf39a00.NET Loader
caa7ef0b9a6ea51752813b7107348f46a3475acf9b3f1242e675f6a1296ccb2c.NET Loader
eaf26e1d12e0ae355441499bdf9d13c582540f3876bddfdef95c676f185609b8.NET Loader
cee2730a6e4100e3b865cb6fee41f77ec5a8bfce186b1e121ebb4236cd3dff88.NET Loader
e1246fbac51f8369292aec96270dd4b2a62fd148d9b6f2ca8ee208631237a44f.NET Loader
f292911c11a15001ca66e90df341f8763d4d149482f06f85cc2873651d205a6b.NET Loader
8d4d672eeba756c7ace20aea90219c8f7409b23ecc9c2eb47a31b1cd2d3577a6.NET Loader
7474cd11f62a53f0f3035fb62753561067cd771ec3e5d73823e74d4f4b8d31cb.NET Loader
74f637b21f7c68e6d56f0d64378336b28f500d82d4eb876d5b1cbbfe3a952ac2.NET Loader
bbd94254223f4ec3edbcc44c5d6d5ae5029c8d9c4512f02d3c61d2a28c3c5416.NET Loader
31e060d82ef68613d26b5e47c3934d482fc2975dad71fa6e677900cc8a938116.NET Loader
55455d2488d127fc7bb6976821c36ad5661a5e57e2d57dcc7ae7cb12ba7282d3.NET Loader
301f27dc88655927ce45b0c1138b4931b0d3aa7dcfdd424315d5c7339c540e52.NET Loader
5c1306596589d0b0c0f0d04be6687e5c2dbe92fbba493760b0ded7a47942fbb1.NET Loader
bc81f08ad4c543a35f899da8d45787751b50d221d67dae083d62097631ace059.NET Loader
582aa139fb1c315f68106cc2e50c10835874e8bc77aeb7302453f9aa3c25d920.NET Loader
7bced78c519befdb1b7ef3b973250f4ee2d3c2404309cea372df16b8ff5b1d84.NET Loader
8185e9784adfd6c2f1a286a724e7e374008667ae1f50cfa1a58451a5c33af536.NET Loader
05d0dd9916646c6144506bb26cab500d807ab015609bd19634e890fbeb63e48f.NET Loader
f8262a0c746bbfbb3e7cb17398953cd8391cdf416b759d4be1f1fc11611f4eb3.NET Loader
14f15b1d7951f078bbf412bb2ef774c812efff70280b86b8176994374c0e766d.NET Loader
ec1ea0b01ad6cd431c8441dc83537c3d9ef00994f9dd76a3041ff50c2526ce38.NET Loader
53e196f293b4f99face97449d18106f7dc9df5b9170354d1c1da27f9ec71849c.NET Loader
a20672a07f3cf2e67682486c1a2b6684e9a50ca129260a74353d1664be25aa92.NET Loader
cdf35bb3a256d4bd4e09a2a9b19e4682a3952233c720e37d9ae88e4050b8473a.NET Loader
b9ea5ecbda6abd328bd7370d250fa9ab5a38a104955ac383cecee8ce581b9d80.NET Loader
933858679466d57b4ea47003f08d864b1a417d7be75008e42ecd62f05dde7964.NET Loader
3ad89c70d77b9fec35bbbac25d3dabca9d6c1fc055b8570a2d34b3af5ac58aef.NET Loader
55f1b8346fc2e94791431a237d8a38fb6bb2014380b1905955d12bccb8c24e79.NET Loader
c1e18c6a611ccf23971a43fcdc0186d6a3f2bb0ee792140c35fc1e1a34582551.NET Loader
225d10a0b3880eebafb327769e39a2484161e21e5d07ddef8fe16b65d2a90113.NET Loader
dcea0d579d3d6ab2d29a3665e3e0c3849ccd42abe390b80bf362c79088a1ebbe.NET Loader
4865a260754a6a8740a85c40ef4185420334f9b21cc0d865295fdae4bb1e94a4.NET Loader
ae192d14a916ecdb55803830eace5ef820b1b520a751b6b689fa9591f6f292bc.NET Loader
bdc0a1ad95b1a62ae1e702681949fea485f42d5884aca78df02a64869688192e.NET Loader
c625ac5c134a74d84f8ce91504e41af15972ec71c064f7a5d31c588a8ff2c332.NET Loader
ea357305411b9c6b27657782e2bb14bc0c18149a7ad4093b30c12b041f785933.NET Loader
f76f5c12b81aa6d7fac0eeb4b775004c525ae50ebb049b6f4177417104eb8ef4.NET Loader
2be8c01e5ffcabb566212268a63ef3c42db5c57d3e879abe99b06b48ac9bacda.NET Loader
46f5ffcc04ea1eaf09cfce1a9329624c85a5c5435d91444a55ce02fceebfd2f7.NET Loader
ed7da8aef7dbe652b429d64a918a943c6586e1d4cec353c84663f8b451c09874.NET Loader
3c1be333e85f0243cdbcecfd727e86d582569809e2c45fefb64261b473ca1734.NET Loader
f0dfa2297df28f64dc38da3a54bbef5c499691a8cf05de0f08e20f4f7077e67c.NET Loader
40fc64907dcd0063e5f2b604fe78d0484d821cb9cda199d3cdca5e0219b43587.NET Loader
fc39aa0d2486c746f9b8d4d459a65517a21f961fb24ec25c4470f0b86e8c7cae.NET Loader
4bfa7c32d9eb8f7468a1919dbf9698e971052c091de4b66b125ba18b04bbe607.NET Loader
d8e22f8b5964428b4a29e5aad9ec9186bd96e7d29bc56ede8821a24294629931.NET Loader
bc3fcaa746c261af6b72ee0720fa739d7f79df71709b7067f016e30578f94c22.NET Loader
263bc3729f5785acb6647af950f3fe0a0cbbe05d2fcc9639276852ba39ecbaa2.NET Loader
f31a6b19572b668dbb473a0e43e53b9c1e5020b057421de8fc019c150ed3fb38.NET Loader
ee32169bef700d3dcceb86a101e188e5c0146a1104ee8809d1e031d93cdee36c.NET Loader
9946fb2e81d07ad7780a20cf06b59bd27177c8bd6ed543e13089c47957adab1a.NET Loader
c5a4bf56670d51fed1e88050eddb003f39af0e22fbb01163679fef758b000392.NET Loader
4524d47ca7b7d71764f12807fd3722e4b890388eb2f5bf975d58c6afd0221fb3MSI Installer
8e2fc9de5da07a6cf6cfeb3349185e282cec5eed944cb66873136bd697389516MSI Installer
2f9f289224482204b0f3bb4f0af8fe99f235daea99fe435cbc53dcbb9bc22bb0MSI Installer
434ec6d3575f72e680a8bf9211b3a853d80457644ff01d7acc41657b9bfdca24MSI Installer
eee76b24be7121434ec7ad1ca39792cbfec594916f8e143fad18698955ba0870MSI Installer
81c5b7940a69854c72cb99d4af6a1092f0adc9182e9e8fd729b1857126d096baMSI Installer
70d6cf1d106783bced15e4bd31b91a6be8ae9d9746955da60cfdf1cb1f9dbf7dMSI Installer
77607c0a0a1dcaa4f1ba27e17d5eba5d79fbbf64e1e71b8f4e03a6f724653355MSI Installer
80bc99cd883421432e034d0c714d892ecaac6385fd86bd74e9291a736e118f28MSI Installer
d48d277f7891ed1e2797d551c1470eae87af7b82746fa8dc2083440c42bcc112MSI Installer
71a106f9fbce3e5b48baaacc250beb292cbc0c63190c3ae390f69c17e0be5465MSI Installer
c9c18f3eb35b9359c52737e12c35701401867b91aad0ca17822e8a82fce46001MSI Installer
9cbf221cfb8fe33c0a3e352742c8b9b931fef5b5c6a07e33cdeebe97b6113622MSI Installer
335b69874aff8bc4c45404917fb34523c7205854a979a5293b40d0b2aa52ed89MSI Installer
6eed0ff8083a07cf43850e74a9667267613783721834c7593338f888b419ca47MSI Installer
5925f48a5b1abc6d25858bf7d3cfc4ec98991ecc5fddebe79b80c29789a2f5feMSI Installer
a6fbcc0b368109a964e55869969d33db7287726b2e0dbf46bdcaa91f6adc1edbMSI Installer
98f7bda5f3c4d7f845b6812d774765907b7b943b7d97386c1a8135c2051b2225MSI Installer
8a444480e1a313ce35b3535c8df8f5511817e57897e7b5de0e36b5973c21fb82MSI Installer
a8f7253907eb8ab7021c58cc8a03c32f33d4a3a86494b9198b68cec3219a968cMSI Installer
aeda5536fe7239843130547c677d2094883fd45aafeffb91c196c9b12c36232bMSI Installer
750baeecb35d18010fbdfd0c90ecd4be3083a51b39837f596f0887bfd294e170MSI Installer
28107b1104bb5fd61d49b64460a0f1f75c664930b251849361783cf60d518c7dMSI Installer
56f7283604960cca96200e5da47dd6a4408086a77973f96ca230b2a583545cd8MSI Installer
490bd1a59cb2d43828c301d943b7c6a848f2b70d901d69234ccc7c88db8f8ca7MSI Installer
44339460d0dfe01d68c10c9a084f1d4530b0c135d6be55bcbc8666822b454f3fMSI Installer
39be7067ccedfac84b9ff7d15bc6297d8d8637357aaa4b68286ed8af2e65a2e7MSI Installer
4edc594040c0a3b0dfa5b343d1f000271b0e6d3bd3f29988c360735c6ffd9fc0MSI Installer
9103f43dcf834b696ff3f6f4ea58dc0bdf14e1483f91420313157bb1a41ba76bMSI Installer
13d88bcf312896fae6d03d59c564bc9521e0916096098cfe41508395955aab0eAllaKore
168ac972b7f0610f978e50b426e39938f889422b1bcfaf9cddf518e3e1ed9aa9AllaKore
2ff3cdb886b1caf3eaad9a2467bfa16b9269b88695b76bb6a0da481458e30aa3AllaKore
305cde85573131949fab5a3973525a886962c4f8c02558d3a215689a49f53406AllaKore
33578228c11ad0b3d86a198a32b602aa93a91d2feeae2fb2e83f8c6595c8acd9AllaKore
422c9471c29fe17457e142df1a567c273212019eb20b0b4783891c529c1248a8AllaKore
46c14c2f0d04710f53db16473877d3315c13e1a33a3236846a87e8f91808c8ebAllaKore
49a04f31e49cee3ae65e9d776bc0f8aedf40c52fafcd002ccf7de4044abec2ddAllaKore
52134d02cd77f8a65fd5b15c7c57ff2909ac39f0b5779592c533a18bf6b23879AllaKore
5961b42f8efad58c437bdad862a0337c6bcd57f7cbf35184f2de60f4609fd477AllaKore
673d4fe6f9e46fae37649c525f1d0d89cfd3b8310210dff4ddc7349418d9e80fAllaKore
6d516a96d6aa39dd9fc2d745ea39658c52ab56d62ef7a56276e2e050d916e19fAllaKore
89206ca169747d4aa70d49350415f21df7f1a00a3bf8d0c253b6beda2eb919d9AllaKore
8fce1d24cf952528169f473b9462724482511615ed31165710e5e3a74cefdd02AllaKore
911e45d053bdf3a41e812203ae29db739cf3505a4e37209936c1cc83ee42e8e9AllaKore
9221470c77b46bcd457951ae3a3d31d60ad4602ea9d152d51d1e4f9a5b3bca3aAllaKore
a5af60355c423fa4cc9695b86a5697f847259eaee724065162d303cc4523d447AllaKore
b858d451804a641fc51dd6d3c50668d6a08dc9033252aee52f582264a970cff8AllaKore
bc423bd9acd7c5a1f2849091f21de5429f2fc79e2655f92866e1c8b7b1f96f7eAllaKore
c778739c5214aa580cba05f01afe2d9fc8f12d3fa7ad864a279bcb4ad6d266b4AllaKore
cde045a0269a5a05928128c6ca7c030947f96034c9204e2b747a0d626e3f22f3AllaKore
e2d82ab6cc71a1d8d2a2ba2312b0d8a4a3d23e3902d5b180383d9e406097a9ffAllaKore
ee772e1260c6adc532bed57cacdbb6e0b8db311996074ad42eaf1aefd243187aAllaKore
eecc201c80809b636d945aa537b954dd2e39382c36067a040a672167a1257a09AllaKore
fba031543c3ab694a09e603a7df6417f93742f0b87f9fedaf9ab84d11340ccb5AllaKore
fd8c49d00effa8bc730e06ae217655a430ba03122ca974945d41642299853dfaAllaKore


Network IoCs

IoCType
flapawer[.]comC2
chaucheneguer[.]comC2
hhplaytom[.]comC2
zulabra[.]comC2
uperrunplay[.]comC2
uplayground[.]onlineC2
192.119.99[.]234C2
192.119.99[.]235C2
192.119.99[.]236C2
192.119.99[.]237C2
192.119.99[.]238C2
23.236.143[.]214C2
23.254.138[.]211C2
23.254.202[.]85C2
23.254.136[.]60Delivery
trapajina[.]comDelivery
narujiapo[.]comDelivery
zaguamo[.]comDelivery
debirpa[.]comDelivery
isepome[.]comDelivery
iomsape[.]comDelivery
pemnias[.]comDelivery
bstelam[.]comDelivery
rudiopw[.]comDelivery
manguniop[.]comDelivery
ppmunchi[.]comDelivery
pelicanomwp[.]comDelivery
andripawl[.]comDelivery
dulcebuelos[.]comDelivery


APPENDIX 2 – Applied Countermeasures

Yara Rules

rule MX_fin_downloader_kaje_decode_func {meta:author = “BlackBerry Threat Research & Intelligence Team”
description = “Locates .NET function that deobfuscates kaje filename”
date = “2023-12-19″strings:$s1 = {1A8D??00000125161F6A0658D29C25171F620659D29C25181F6B0659D29C25191F660659D29C0B}condition:all of them}
rule MX_fin_downloader_elearnscty_string {meta:author = “BlackBerry Threat Research & Intelligence Team”description = “Locates unique strings to the MX fin .NET downloaders.”date = “2023-12-19″strings://ElearnScty Testing course$s1 = {52 00 57 00 78 00 6c 00 59 00 58 00 4a 00 75 00 55 00 32 00 4e 00 30 00 65 00 53 00 42 00 55 00 5a 00 58 00 4e 00 30 00 61 00 57 00 35 00 6e 00 49 00 47 00 4e 00 76 00 64 00 58 00 4a 00 7a 00 5a 00 51 00 3d 00 3d 00}condition:all of them}
rule MX_fin_custom_allakore_rat {meta:author = “BlackBerry Threat Research & Intelligence Team”description = “Find MX fin custom function names and prefixes.”date = “2023-12-19″strings:$main = “<|MAINSOCKET|>”$cnc1 = “<|MANDAFIRMA|>”$cnc2 = “<|FIRMASANTA|>”$cnc3 = “<|MENSAJE” wide$cnc4 = “<|DESTRABA” wide$cnc5 = “<|TOKEN” wide$cnc6 = “<|TRABAR” wide$cnc7 = “<|USU” wide$cnc8 = “<|ACTUALIZA|>” wide$cnc9 = “<|BANA” wide$cnc10 = “<|CLAVE” widecondition:uint16(0) == 0x5A4D and$main and2 of ($cnc*) andfilesize > 5MB and filesize < 12MB}


APPENDIX 3 – Detailed MITRE ATT&CK® Mapping

TacticTechniqueSub-Technique Name
Initial AccessT1189 – Drive-by Compromise 
ExecutionT1204 – User ExecutionT1204.004 – Malicious File
ExecutionT1059 – Command and Scripting InterpreterT1059.001 – PowerShell
Defense EvasionT1218 – System Binary Proxy ExecutionT1218.007 – Msiexec
Defense EvasionT1480 – Execution Guardrails 
Defense EvasionT1070 – Indicator RemovalT1070.004 – File Deletion
Defense EvasionT1140 – Deobfuscate/Decode Files or Information 
Command and ControlT1105 – Ingress Tool Transfer 
Command and ControlT10171 – Application Layer ProtocolT10171.001 – Web Protocols
Command and ControlT1219 – Remote Access Software 
Credential Access, CollectionT1056 – Input CaptureT1056.001 – Keylogging
CollectionT1113 – Screen Capture 
ExfiltrationT1041 – Exfiltration Over C2 Channels 

Original Source :
https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat