A financially motivated threat group dubbed Greedy Sponge has been systematically targeting Mexican financial institutions and organizations since 2021 with a heavily modified version of the AllaKore remote access trojan (RAT).<\/p>\n
The campaign represents a sophisticated evolution of cybercriminal tactics, combining traditional social engineering with advanced technical capabilities designed specifically for financial fraud operations.<\/p>\n
The threat actors deploy their malware through spear-phishing campaigns<\/a> and drive-by downloads, utilizing trojanized Microsoft installer (MSI) files that masquerade as legitimate software updates.<\/p>\n These malicious packages contain a .NET downloader component that retrieves the customized AllaKore payload from command-and-control servers hosted on Hostwinds infrastructure in Dallas, Texas.<\/p>\n The attackers have demonstrated particular cunning in their geographic targeting, implementing server-side geofencing mechanisms that restrict payload delivery exclusively to systems located within Mexico.<\/p>\n Arctic Wolf Labs researchers identified<\/a> significant enhancements to the threat group\u2019s operational capabilities, noting the integration of SystemBC as a secondary infection vector.<\/p>\n This multi-platform malware proxy tool enables the attackers to establish persistent backdoor access and deploy additional malicious payloads as needed.<\/p>\n The researchers observed that recent campaigns have moved away from client-side geographic filtering to server-side restrictions, making detection and analysis considerably more challenging for security teams.<\/p>\n The modified AllaKore variant employs sophisticated persistence techniques that demonstrate the group\u2019s technical maturity.<\/p>\n Upon successful infection, the malware<\/a> establishes persistence by placing an updated version of itself in the system\u2019s Startup folder, retrieved from the URI endpoint The persistence mechanism is coupled with a comprehensive cleanup operation using PowerShell scripts<\/a> that eliminate traces of the initial infection vector from the The malware\u2019s evasion capabilities include a User Account Control (UAC) bypass technique utilizing Microsoft\u2019s Connection Manager Profile Installer (CMSTP.exe).<\/p>\n This legitimate Windows binary is exploited to proxy execution of malicious code while appearing as a routine system update process labeled \u201cActualizando\u201d (Spanish for \u201cupdating\u201d).<\/p>\n The .NET downloader component uses a distinctive user-agent string Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams ->\u00a0Try ANY.RUN Now<\/a><\/strong><\/p>\n The post Greedy Sponge Hackers Attacking Financial Institutions With Modified Version of AllaKore RAT<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhwvXt0BNg9yzTuciqskiofOsjIrV90TBYbY-Jy-Q2nfwDwzupxjmALYHeA6lSW0aPZj2-70L_VnZD8bOQBieFVFWubRXEH83VG5eq4t0hYAFTwXlK5TmPNKNStHeaSF4acdvu3-x7FEnhW-lE5FlYYNvUPKb4xPLH-F8wSEMYw3YVcr_FYQZ7jeObf5ZY\/s16000\/Previous%2520and%2520current%2520execution%2520chains%2520%28Source%2520-%2520Arctic%2520Wolf%29.webp?ssl=1\")
Advanced Persistence and Evasion Mechanisms<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgRT4nM8xSGFIO2lNVBjgmsvCYIXaiEk4-Kb_WZlV0ucF75rgJV7BnOUEjvfrDaL_Arf53uq-Gx96wiqEi_9tyzaBNfxL_CkLNfmzVyoCjpJEIwnN41fFZoGNTxGu-l4bZg7PuuV6elHk3JwuJj3_3jVmjBEu4KYQ0qdMDJYq54If0l2cjh7GAHz31O_ko\/s16000\/Disassembly%2520of%2520AllaKore%25E2%2580%2599s%2520update%2520and%2520persistence%2520mechanism%2520%28Source%2520-%2520Arctic%2520Wolf%29.webp?ssl=1\")
\/z1.txt<\/code>.<\/p>\n%APPDATA%<\/code> directory.<\/p>\nMozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)<\/code> for command-and-control communications, employing base64 encoding to obfuscate<\/a> network traffic patterns.<\/p>\n