Buildings in Mexico City
Image: Oscar Reygo via Unsplash

Large Mexican companies targeted by financially motivated hacking campaign

Mexican companies with more than $100 million annual revenue should be on the lookout for a cybercrime campaign, researchers said Thursday.

Financially motivated hackers are infecting systems with malware known as AllaKore RAT to steal “banking credentials and unique authentication information,” researchers at BlackBerry reported.

“This threat actor has been persistently targeting Mexican entities for the purposes of financial gain,” the researchers said. “This activity has continued for over two years, and shows no signs of stopping.”

The report combines several pieces of evidence to conclude that “the attackers appear to be most interested in large companies” and that they are likely based in Latin America.

The lures used by the threat actors “only work for companies that are large enough to be reporting directly to the Mexican government’s IMSS department,” the country’s social security agency.

The idea that the attacks are coming from somewhere in Latin America stems from “the large number of Mexico Starlink IPs used in the campaign and the long timeframe of these connections, plus the addition of Spanish-language instructions to the modified RAT payload,” the report said.

The lures for downloading AllaKore RAT are sent via spearphising or “drive-by” attacks, in which a tainted website quietly sends code to a visitor, BlackBerry said.

AllaKore RAT is an open-source remote access tool. It was previously seen in espionage attacks against targets in India. Although it is “somewhat basic,” the researchers said, it has “the potent capability to keylog, screencapture, upload/download files and even take remote control” of a victim’s machine.

“Targeting is indifferent to industry, as we saw targeted entities across Retail, Agriculture, Public Sector, Manufacturing, Transportation, Commercial Services, Capital Goods, and Banking industries,” Blackberry said.

The report suggests a possible link to FIN13, an financially motivated group detailed by researchers at Mandiant in late 2021, around the time the current campaign appears to have begun.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Joe Warminsky

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.