Credential Theft & Remote Access: The Rise of AllaKore, PureRAT, and Hijack Loader

Essential Insights

1. Ongoing Threat Campaign: Mexican organizations are being targeted by the financially motivated hacking group "Greedy Sponge," which has been active since early 2021, using modified AllaKore RAT and SystemBC malware to steal banking credentials from various sectors.

2. Phishing Distribution Method: The campaign employs phishing techniques and drive-by compromises to deliver infected ZIP files that contain trojanized MSI files designed to deploy AllaKore RAT for remote access and control, including capabilities for keylogging and screenshot capture.

3. Geofencing Tactics: Greedy Sponge has enhanced its tactics by incorporating server-side geofencing measures that restrict access to final payloads, illustrating their operational longevity and success despite being classified as persistent rather than advanced.

4. Emerging Cybercrime Tools: New tools like Ghost Crypt and malicious Inno Setup installers are being utilized in attacks to bypass security measures and deliver additional malware, indicating an evolving landscape of sophisticated cyber threats targeting sensitive information.

Problem Explained

Mexican organizations remain under siege by a nefarious hacking group known as Greedy Sponge, which has been relentlessly deploying modified iterations of the AllaKore RAT (Remote Access Trojan) and the SystemBC malware since early 2021. This campaign predominantly targets various sectors, including retail, agriculture, and banking, aiming to pilfer banking credentials and authentication data for financial gains. Recent analyses by Arctic Wolf Labs reveal that the AllaKore RAT has been intricately engineered to facilitate the extraction of sensitive information back to the group’s command-and-control servers. The attacks primarily employ phishing techniques and compromised ZIP files, initially documented by the BlackBerry Research and Intelligence Team in January 2024, showcasing a deliberate strategy to employ malicious ZIP archives for the initial stage of infiltration.

The sophistication of Greedy Sponge’s tactics has evolved, incorporating enhanced geofencing mechanisms and the strategic use of legitimate software within, such as trojanized Microsoft installers designed to execute subsequent payloads. Arctic Wolf notes the operator’s persistent focus on Mexican entities, displaying a level of operational success indicative of a sustainable financial model despite their relatively rudimentary tactics. This sustained aggression underscores the ongoing threat landscape and demands vigilance across various sectors susceptible to such disruptive incursions.

Risks Involved

The persistent targeting of Mexican organizations by the Greedy Sponge group, utilizing sophisticated malware like AllaKore RAT and SystemBC, poses substantial risks not only to the direct victims but also to an array of interlinked businesses and sectors reliant on these entities’ operations. As these malicious campaigns permeate a wide range of industries—including retail, banking, and public services—the repercussions could cascade through supply chains and economic ecosystems, eroding consumer trust and financial stability. Businesses integrated into these networks may face severe disruptions, ranging from compromised data integrity to operational inefficiencies, as they grapple with the aftermath of such attacks. Furthermore, the exfiltration of sensitive banking credentials heightens the probability of widespread financial fraud, endangering not just individual organizations but potentially jeopardizing the entire financial fabric of affected regions. This multifaceted threat underscores the urgent need for robust cybersecurity measures across all sectors.

Fix & Mitigation

In an increasingly interconnected cyber landscape, the specter of credential theft and surging remote access threats—exemplified by nefarious tools like AllaKore, PureRAT, and Hijack Loader—necessitates prompt and resolute remediation. Timely intervention is not merely a tactical choice; it is a strategic imperative for safeguarding sensitive data and maintaining operational integrity.

Mitigation Steps

1. Implement Multi-Factor Authentication (MFA)
2. Conduct Regular Security Audits
3. Employ Endpoint Detection and Response (EDR)
4. Enforce Strong Password Policies
5. Train Employees on Phishing Awareness
6. Monitor Network Traffic for Anomalies
7. Isolate Infected Systems Immediately
8. Utilize Threat Intelligence Feeds
9. Update Software and Systems Frequently
10. Develop an Incident Response Plan

NIST CSF Guidance
The NIST Cybersecurity Framework (CSF) emphasizes the essentiality of identifying, protecting, detecting, responding to, and recovering from threats. For more granular insights, refer to NIST Special Publication 800-53, which provides comprehensive controls tailored to bolster security postures against such vulnerabilities.

Advance Your Cyber Knowledge

Stay informed on the latest Threat Intelligence and Cyberattacks.

Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1