BlackBerry Blog

Mexican Banks and Cryptocurrency Platforms Targeted With AllaKore RAT

Summary

A financially motivated threat actor is targeting Mexican banks and cryptocurrency trading entities with custom packaged installers delivering a modified version of AllaKore RAT – an open-source remote access tool.

Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process. The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.

The targeting we observed was indifferent to industry; the attackers appear to be most interested in large companies, many with gross revenues over $100M USD. We know this because the lures sent out by the threat actors only work for companies that are large enough to be reporting directly to the Mexican government’s IMSS department.

Based on the large number of Mexico Starlink IPs used in the campaign and the long timeframe of these connections, plus the addition of Spanish-language instructions to the modified RAT payload, we believe that the threat actor is based in Latin America.
 

Brief MITRE ATT&CK® Information

Tactic               Technique
Initial Access       T1189
Execution            T1204.001, T1059.001
Defense Evasion      T1218.007, T1480, T1070.004, T1140
Command and Control  T1105, T1071.001, T1219
Credential Access    T1056.001
Collection           T1056.001, T1113
Exfiltration         T1041


Weaponization and Technical Overview

Weapons: Malicious MSI installer, .NET downloader, customized AllaKore RAT

Attack Vector: Spear-phishing; Drive-by

Network Infrastructure: Statically hosted C2

Targets: Retail, Agriculture, Public Sector, Manufacturing, Transportation, Commercial Services, Capital Goods, and Banking


Technical Analysis

Context

A long-running campaign targeting Mexican entities with large revenues ($1 million USD and above) was discovered by BlackBerry cyber threat intelligence (CTI) analysts. The campaign has used consistently detectable C2 infrastructure since 2021 and has yet to be disrupted.

Attack Vector

Samples from the middle of 2022 and before, such as 942865d0c76b71a075b21525bd32a1ceca830071e5c61123664bd332c7a8de2a, were packaged as RAR files containing the AllaKore sample itself. RAR is a proprietary archive file format that supports data compression, error correction and file spanning.

Newer samples have a more complicated installation structure: an MSI file (a Microsoft software installer) carries the downloader in compressed form. Before downloading the customized AllaKore RAT, the downloader first verifies through a network IP geolocation service that the target is located in Mexico.

Installer files are structured like malspam attachments and have the following execution path:

Figure 1: RAT delivery process

What is AllaKore RAT?

AllaKore RAT is a simple, open-source remote access tool written in Delphi. It was first observed in 2015, and was most recently used by the threat group known as SideCopy in May 2023 to infiltrate organizations within a specific geographic area.
 

Early 2022 Sample

Hashes (md5, sha-256): 21b7319ae748c43e413993ad57e8d08c, 942865d0c76b71a075b21525bd32a1ceca830071e5c61123664bd332c7a8de2a

File Name: aluminio.rar

File Size: 3840823 bytes


"Aluminio.rar" decompresses “aluminio.exe”, which is the AllaKore RAT payload. Worthy of note is the fact that new commands in the Spanish language have been added to the original RAT payload.

Figure 2: Custom function names

This earlier sample reaches out to uplayground[.]online, a domain which was in use from late 2021 until mid-2022. The endpoint of “/registrauser.php” was originally used as the AllaKore server. The endpoint "/license.txt" was used as an update location, always pointing to the latest version of the threat actor’s RAT. A breakdown of the custom functionality is given a little further down in this report.
 

Late 2022 Sample

Hashes (md5, sha-256): e5447d258c5167db494e6f2a297a9be8, bf26025974c4cbbea1f6150a889ac60f66cfd7d758ce3761604694b0ceaa338d

File Name: PluginIMSSSIPARE (1).zip

File Size: 14220446 bytes


The file obfuscation was changed in late 2022. This file has the following structure:

  • PLUGINIMSSSIPARE (1).zip
    • _
    • INSTRUCCIONES.txt
    • InstalarPluginSIPARE.zip
      • InstalarPluginSIPARE.msi

The instructions read:

Figure 3: INSTRUCCIONES.txt

Translated, this reads:

INSTRUCTIONS

1.- EXTRACT THE CONTENT OF THE INSTALARPLUGINSIPARE.ZIP FILE
2.- RUN THE FILE CALLED "INSTALARPLUGIN"
3.- WHEN YOU FINISH THE INSTALLATION YOU WILL BE ABLE TO LOG IN NORMALLY

“InstalarPluginSIPARE.msi” is built with Advanced Installer 18.3. This file deploys a .NET downloader and a couple of PowerShell scripts for cleanup. “ADV.exe” is the .NET downloader, while the PowerShell command employed is:

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command
"C:\Users\admin\AppData\Local\Temp\AI_4ECB.ps1 -paths 'C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\file_deleter.ps1','C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\aipackagechainer.exe','C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files','C:\Users\admin\AppData\Roaming\ADV','C:\Users\admin\AppData\Roaming\ADV' -retry_count 10"

Both “file_deleter.ps1” and “AI_4ECB.ps1” are the same file, with sha256 80C274014E17C49F84E6C9402B6AA7D09C3282ADC426DA11A70A5B9056D6E71D. They are used to clear out the ADV directory once the final payload is delivered.

The “aipackagechainer.ini” file shows the installation and execution parameters:

[GeneralOptions]
Options=bh
DownloadFolder=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\
ExtractionFolder=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\

[PREREQUISITES]
App1=4.4.7

[App1]
SetupFile=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\ADVin\ADV.exe
Options=ip

[PREREQ_CHAINER]
CleanupFiles=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\ADVin\ADV.exe
CleanupFolders=C:\Users\admin\AppData\Roaming
CleanupScript=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\file_deleter.ps1

This shows the MSI installation path and execution chain. “ADV.exe” is the .NET downloader that will be run first, followed by the “file_deleter.ps1” script, which removes the installation files.

Hashes (md5, sha-256): 2c84d115a74d2e9d00a14f19eb7f8129, 2843582FE32E015479717DA8BF27F0919B246A39495C6D6E00AC7ECA8B1D789C

File Name: ADV.exe, App.exe

File Size: 47104 bytes

Created: 2039-08-06 15:13:14 UTC


“ADV.exe” checks ipinfo[.]io for a geolocation in Mexico with the obfuscated function below. If “MX” is not in the response string, the downloader exits.

Figure 4: Function checking for Mexican geolocation

The rest of the downloader’s execution deobfuscates strings and then downloads content from hxxps://trapajina[.]com/516. The file is saved as “kaje.zip”. “Kaje.zip” is decompressed into the final payload, “chancla.exe”.

All payloads use the User-Agent string “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)”.

“Chancla.exe” can also be found at hxxps://dulcebuelos[.]com/perro516[.]exe.
 

AllaKore RAT

AllaKore RAT, although somewhat basic, has the potent capability to keylog, capture the screen, upload and download files, and even take remote control of the victim’s machine.

Hashes (md5, sha-256): aa11bedc627f4ba588d444b977880ade, 6d516a96d6aa39dd9fc2d745ea39658c52ab56d62ef7a56276e2e050d916e19f

File Name: chancla.exe

File Size: 7696896 bytes

Created: 2023-09-15 07:26:42 UTC

Copyright: CreatiUPRPS Win Service

Product: CreatiUPRPS Win Service

Description: CreatiUPRPS Win Service

Original Name: CreatiUPRPS Win Service

Internal Name: CreatiUPRPS Win Service

File Version: 3.4.0.0

Comments: CreatiUPRPS Win Service


“Chancla.exe” is the threat group’s modified version of AllaKore, which contains the following functionalities besides those originally found in the open-source AllaKore RAT:

  • Additional commands related to banking fraud, targeting Mexican banks and crypto trading platforms.
  • A reverse shell through the command <|RESPUESTACMD|>.
  • Clipboard functions through the commands <|CLIPBOARD|>, which only executes Ctrl+C, and <|PEGATEXTO|> (“grab text”), which copies content by executing the shortcut Ctrl+C and can then paste the copied content via the shortcut Ctrl+V.
  • Downloading and executing files, which gives the RAT an easy way to act as a loader and install additional components not hard-coded in the malicious binary.

Figure 5: PEGATEXTO function
 

Figure 6: Descarun function

This sample utilizes uperrunplay[.]com as the C2 with the same URL as previous campaigns, using as endpoints “license.txt”, “license2.txt”, and “registrauser.php”. At the time of writing they pointed to the following:

  • license.txt: version_400_https://domain[.]com/perro516[.]exe. The URL in this pointer is the AllaKore RAT binary itself (domain[.]com is a placeholder here); when pushing new versions, the threat actors changed the domain to dulcebuelos[.]com.
  • registrauser[.]php is the C2, which is used for communication with the RAT.
  • license2.txt: http://23.254.202[.]85/Chrome32[.]exe
  • Chrome32.exe (SHA256: 0b8b88ff7cec0fb80f64c71531ccc65f2438374dda3aa703a1919ae878f9eb67) is a Chrome extension that blocks access to URLs starting with enlaceapp[.]santader[.]com[.]mx/js/vsf_generales/.

Figure 7: Chrome extension blocking rules
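As an added illustration (not code from the report), the following Python runs over constructed proxy-log lines and flags the behaviour described in the downloader and C2 sections above: the fixed User-Agent, a geolocation lookup to ipinfo[.]io followed within minutes by a download from a three-digit delivery path, and contact with one of the C2 domains named in this report. It also parses the version_NNN_URL pointer format served from license.txt. The log layout, client IPs, timestamps and the ten-minute window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators taken from the report: the User-Agent shared by all payloads, the
# geolocation service the .NET downloader queries, the numeric delivery paths
# (/516, /519, /433, ...), the C2 domains and the license.txt pointer format.
RAT_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)"
GEO_LOOKUP_HOST = "ipinfo.io"
DELIVERY_PATH = re.compile(r"^/\d{3}$")
REPORT_C2_DOMAINS = ["flapawer[.]com", "chaucheneguer[.]com", "hhplaytom[.]com",
                     "zulabra[.]com", "uperrunplay[.]com", "uplayground[.]online"]
UPDATE_POINTER = re.compile(r"^version_(\d+)_(https?://\S+)$")
WINDOW = timedelta(minutes=10)   # assumed maximum gap between geo check and download


def refang(ioc: str) -> str:
    """Turn a defanged indicator from the report back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d) for d in REPORT_C2_DOMAINS}

# Constructed proxy log (not from the report): timestamp, client, method, URL, "User-Agent".
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
SAMPLE_LOG = """\
2023-10-07T09:00:01Z 10.1.1.20 GET https://ipinfo.io/json "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)"
2023-10-07T09:00:04Z 10.1.1.20 GET https://trapajina.com/516 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)"
2023-10-07T09:01:30Z 10.1.1.20 GET https://uperrunplay.com/license.txt "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)"
2023-10-07T09:02:00Z 10.1.1.21 GET https://ipinfo.io/json "curl/8.4.0"
2023-10-07T09:30:00Z 10.1.1.22 GET https://example.org/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, src, method, url, ua = m.groups()
        parts = urlsplit(url)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "method": method,
                       "host": parts.hostname or "", "path": parts.path or "/",
                       "ua": ua})
    events.sort(key=lambda e: e["time"])
    return events


def parse_update_pointer(text: str):
    """Split a license.txt body such as version_400_https://... into (version, URL)."""
    m = UPDATE_POINTER.match(text.strip())
    return (m.group(1), refang(m.group(2))) if m else None


def detect(events: list) -> dict:
    """Return {client: sorted list of finding tags} for clients showing the RAT's traits."""
    findings = defaultdict(set)
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
        if e["ua"] == RAT_USER_AGENT:
            findings[e["src"]].add("rat_user_agent")
        if e["host"] in C2_DOMAINS:
            findings[e["src"]].add("known_c2_domain")
    # Execution guardrail followed by payload fetch: geo lookup, then /NNN download.
    for src, evs in by_src.items():
        for i, geo in enumerate(evs):
            if geo["host"] != GEO_LOOKUP_HOST:
                continue
            for later in evs[i + 1:]:
                if later["time"] - geo["time"] > WINDOW:
                    break
                if DELIVERY_PATH.match(later["path"]):
                    findings[src].add("geo_check_then_delivery")
                    break
    return {src: sorted(tags) for src, tags in findings.items()}


if __name__ == "__main__":
    for src, tags in detect(parse_log(SAMPLE_LOG)).items():
        print(src, ", ".join(tags))
    print(parse_update_pointer("version_400_https://domain[.]com/perro516[.]exe"))
```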

Network Infrastructure

The network infrastructure is not obfuscated in any way other than regular domain updates. The majority of servers used in this campaign are purchased through Hostwinds, while the domains are registered through eNom LLC.

Domain                 Type      First Seen   Last Seen
flapawer[.]com         C2        2023-12-13   Active
chaucheneguer[.]com    C2        2023-10-27   Active
hhplaytom[.]com        C2        2023-10-05   Active
zulabra[.]com          C2        2023-04-29   Active
uperrunplay[.]com      C2        2022-11-08   Active
uplayground[.]online   C2        2021-05-12   2023-04-28
praminon[.]com/519     Delivery  2023-12-23   Active
trapajina[.]com/516    Delivery  2023-10-07   Active
zaguamo[.]com/500      Delivery  2023-05-10   Active
pemnias[.]com/433      Delivery  2023-05-10   2023-10-16
isepome[.]com/435      Delivery  2023-02-03   Active
narujiapo[.]com/435    Delivery  2023-05-30   Active
manguniop[.]com/422    Delivery  2022-06-06   2023-06-06
debirpa[.]com          Delivery  2023-05-02   Active
dulcebuelos[.]com      Delivery  2023-03-15   Active
iomsape[.]com          Delivery  2023-02-03   Active
bstelam[.]com/431      Delivery  2022-08-06   2023-08-05
rudiopw[.]com/430      Delivery  2022-06-29   2023-06-26
ppmunchi[.]com         Delivery  2022-05-18   2023-06-30
pelicanomwp[.]com/422  Delivery  2022-04-29   2023-04-29
andripawl[.]com        Delivery  2022-04-03   2023-04-19


All of the C2s utilize the same HTML and favicons, and are traceable with the following MMH hashes:

http.html_hash:1125970204
http.favicon.hash:-2055641252

IPs matching these MMH hashes: 192.119.99[.]234, 192.119.99[.]235, 192.119.99[.]236, 192.119.99[.]237, 192.119.99[.]238, 23.236.143[.]214, 23.254.138[.]211, 23.254.202[.]85


Aside from a short resolution of uperrunplay[.]com to 23.236.143[.]214, these C2s are also hosted on Hostwinds servers.

All delivery servers are hosted on 23.254.136[.]60 and utilize ZeroSSL certificates. The server has been used for delivery purposes since 2022-04-03.

BlackBerry telemetry shows that remote desktop protocol (RDP) access to C2 servers is accomplished via express-vpn and mullvad-vpn, in addition to the use of Starlink IP addresses located in Mexico. The large number of Mexico Starlink IPs and long timeframe of connections indicate the geolocation of the threat actor is likely Latin America.
 

Targets

This threat actor is specifically targeting Mexican entities, especially large companies with gross revenues over $100M US. All lures have utilized legitimate and benign Mexican government resources, such as the IDSE software update document “guia_de_soluciones_idse.pdf” and the IMSS payment system SIPARE.

Figure 8: IDSE PDF header used as a lure

During the installation process, the .NET loader confirms the Mexican geolocation of the victim through IP location services, before proceeding to download and deploy the RAT.

Targeting is indifferent to industry, as we saw targeted entities across Retail, Agriculture, Public Sector, Manufacturing, Transportation, Commercial Services, Capital Goods, and Banking industries. The actors are most interested in large companies, many with gross revenues over $100M USD. We know this because the lures used only work for companies that are large enough to be reporting directly to the Mexican government’s IMSS department.

Function naming inside the RAT implies specific targeting of banks residing in Mexico. Prefixes to those names explicitly reference six Mexican banks and a Mexican crypto trading broker.

Attribution

The targeting of Mexican entities by this threat actor has been ongoing since at least late 2021. In December of 2021, Mandiant released an investigative report about FIN13, where they state that only two financial actors that they know of limit their targeting to one single country over a timeframe of multiple years. Only 14 of the financially motivated groups they track persist for longer than one year. These statistics point to this actor being unique in its persistence and regional targeting.

Custom functionality built into the RAT gives its operators specific fields in which to paste credentials and data related to their target’s banking infrastructure. This implies a segmented operation: operators use the RATs to upload victim data to the C2 server in a specific format, which the individuals in charge of conducting the fraudulent banking actions can then act on.

Function naming in Spanish, and Mexican Starlink IPs accessing RDP ports of the C2, indicate that this actor group is most likely located in Latin America.

Conclusions

This threat actor has been persistently targeting Mexican entities for the purposes of financial gain. This activity has continued for over two years, and shows no signs of stopping.

The number of sightings from within BlackBerry’s own internal telemetry, and the vast number of sample submissions to VirusTotal (the majority submitted from within Mexico itself), point to an extremely active group targeting any large Mexican company they can contact, with the hope of exfiltrating financial information.

APPENDIX 1 – Indicators of Compromise (IoCs)

File IoCs



Network IoCs



APPENDIX 2 – Applied Countermeasures

Yara Rules

rule MX_fin_downloader_kaje_decode_func {
    meta:
        author = "BlackBerry Threat Research & Intelligence Team"
        description = "Locates .NET function that deobfuscates kaje filename"
        date = "2023-12-19"
    strings:
        $s1 = {1A8D??00000125161F6A0658D29C25171F620659D29C25181F6B0659D29C25191F660659D29C0B}
    condition:
        all of them
}

rule MX_fin_downloader_elearnscty_string {
    meta:
        author = "BlackBerry Threat Research & Intelligence Team"
        description = "Locates unique strings to the MX fin .NET downloaders."
        date = "2023-12-19"
    strings:
        //ElearnScty Testing course
        $s1 = {52 00 57 00 78 00 6c 00 59 00 58 00 4a 00 75 00 55 00 32 00 4e 00 30 00 65 00 53 00 42 00 55 00 5a 00 58 00 4e 00 30 00 61 00 57 00 35 00 6e 00 49 00 47 00 4e 00 76 00 64 00 58 00 4a 00 7a 00 5a 00 51 00 3d 00 3d 00}
    condition:
        all of them
}

rule MX_fin_custom_allakore_rat {
    meta:
        author = "BlackBerry Threat Research & Intelligence Team"
        description = "Find MX fin custom function names and prefixes."
        date = "2023-12-19"
    strings:
        $main = "<|MAINSOCKET|>"
        $cnc1 = "<|MANDAFIRMA|>"
        $cnc2 = "<|FIRMASANTA|>"
        $cnc3 = "<|MENSAJE" wide
        $cnc4 = "<|DESTRABA" wide
        $cnc5 = "<|TOKEN" wide
        $cnc6 = "<|TRABAR" wide
        $cnc7 = "<|USU" wide
        $cnc8 = "<|ACTUALIZA|>" wide
        $cnc9 = "<|BANA" wide
        $cnc10 = "<|CLAVE" wide
    condition:
        uint16(0) == 0x5A4D and
        $main and
        2 of ($cnc*) and
        filesize > 5MB and filesize < 12MB
}
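The Python below is an added example, not part of the report or of BlackBerry's rules. It shows where the hex string in MX_fin_downloader_elearnscty_string comes from (the plaintext is base64-encoded and then stored as UTF-16LE, the form a .NET binary keeps string literals in), decodes it back for verification, and re-implements the condition of MX_fin_custom_allakore_rat so a buffer can be triaged without a YARA binary. One detail worth noticing when emulating that rule: $main, $cnc1 and $cnc2 carry no modifier, so YARA matches them as ASCII only, whereas $cnc3 to $cnc10 match only their UTF-16LE form; the test buffer is constructed, not a real sample.

```python
import base64

# $s1 of rule MX_fin_downloader_elearnscty_string, copied from the page, and the
# plaintext its comment names.
PLAINTEXT = "ElearnScty Testing course"
RULE_HEX = (
    "52 00 57 00 78 00 6c 00 59 00 58 00 4a 00 75 00 55 00 32 00 4e 00 30 00 "
    "65 00 53 00 42 00 55 00 5a 00 58 00 4e 00 30 00 61 00 57 00 35 00 6e 00 "
    "49 00 47 00 4e 00 76 00 64 00 58 00 4a 00 7a 00 5a 00 51 00 3d 00 3d 00"
)

# Strings of rule MX_fin_custom_allakore_rat, copied from the page.
MAIN_SOCKET = b"<|MAINSOCKET|>"
CNC_ASCII = [b"<|MANDAFIRMA|>", b"<|FIRMASANTA|>"]          # no modifier: ASCII only
CNC_WIDE = ["<|MENSAJE", "<|DESTRABA", "<|TOKEN", "<|TRABAR",
            "<|USU", "<|ACTUALIZA|>", "<|BANA", "<|CLAVE"]  # 'wide': UTF-16LE only
MB = 1024 * 1024   # YARA's MB suffix is 2^20 bytes


def yara_wide_hex(text: str) -> str:
    """Reproduce the rule's hex string: base64 the text, then encode it UTF-16LE."""
    b64 = base64.b64encode(text.encode("ascii")).decode("ascii")
    return " ".join(f"{b:02x}" for b in b64.encode("utf-16-le"))


def decode_rule_hex(hex_string: str) -> str:
    """Invert the above to check what a hex string in a rule actually matches."""
    b64 = bytes.fromhex(hex_string.replace(" ", "")).decode("utf-16-le")
    return base64.b64decode(b64).decode("ascii")


def wide_string_literal(text: str) -> str:
    """Equivalent, more readable YARA text string for the same bytes."""
    return '"%s" wide' % base64.b64encode(text.encode("ascii")).decode("ascii")


def matches_custom_allakore(data: bytes) -> bool:
    """Re-implement the condition of MX_fin_custom_allakore_rat on a file buffer."""
    if data[:2] != b"MZ":          # uint16(0) == 0x5A4D read little-endian is "MZ"
        return False
    if MAIN_SOCKET not in data:    # $main has no modifier, so ASCII only
        return False
    hits = sum(1 for s in CNC_ASCII if s in data)
    hits += sum(1 for s in CNC_WIDE if s.encode("utf-16-le") in data)
    return hits >= 2 and 5 * MB < len(data) < 12 * MB


def build_sample(size: int = 6 * MB) -> bytes:
    """Constructed buffer (not a real sample): MZ header, the markers, zero padding."""
    body = b"MZ" + MAIN_SOCKET + CNC_ASCII[0] + "<|TOKEN".encode("utf-16-le")
    return body + b"\x00" * (size - len(body))


if __name__ == "__main__":
    print(yara_wide_hex(PLAINTEXT) == RULE_HEX)
    print(decode_rule_hex(RULE_HEX))
    print(wide_string_literal(PLAINTEXT))
    print(matches_custom_allakore(build_sample()))
```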


APPENDIX 3 – Detailed MITRE ATT&CK® Mapping

Tactic                         Technique                                        Sub-Technique Name
Initial Access                 T1189 - Drive-by Compromise                      -
Execution                      T1204 - User Execution                           T1204.004 - Malicious File
Execution                      T1059 - Command and Scripting Interpreter        T1059.001 - PowerShell
Defense Evasion                T1218 - System Binary Proxy Execution            T1218.007 - Msiexec
Defense Evasion                T1480 - Execution Guardrails                     -
Defense Evasion                T1070 - Indicator Removal                        T1070.004 - File Deletion
Defense Evasion                T1140 - Deobfuscate/Decode Files or Information  -
Command and Control            T1105 - Ingress Tool Transfer                    -
Command and Control            T1071 - Application Layer Protocol               T1071.001 - Web Protocols
Command and Control            T1219 - Remote Access Software                   -
Credential Access, Collection  T1056 - Input Capture                            T1056.001 - Keylogging
Collection                     T1113 - Screen Capture                           -
Exfiltration                   T1041 - Exfiltration Over C2 Channels            -

 

The BlackBerry Research and Intelligence Team

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.

Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.