The activity was attributed by the BlackBerry Research and Intelligence Team to an unidentified financially motivated threat actor operating in Latin America. The campaign has been active since 2021, at least.
"Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process," the Canadian company said in an analysis published earlier this week. "The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud."
The attacks are specifically intended to target big businesses with annual sales of more than $100 million. Retail, agriculture, the public sector, manufacturing, transportation, commercial services, capital goods, and banking are among the industries targeted.
The attack begins with a ZIP file that is either distributed through phishing emails or a drive-by compromise. This file contains an MSI installer file that launches a.NET downloader, which verifies the victim's geolocation in Mexico and retrieves the modified AllaKore RAT, a Delphi-based RAT that was first discovered in 2015.
"AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim's machine," BlackBerry said.
An additional feature added to the malware comprises support for commands from the threat actors regarding banking frauds, targeting banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.
The campaign's use of Mexico Starlink IPs and the insertion of Spanish-language instructions to the modified RAT payload provide the threat actor with ties to Latin America. Moreover, the lures used are only effective for businesses big enough to submit reports directly to the Department of the Mexican Social Security Institute (IMSS).
"This threat actor has been persistently targeting Mexican entities for the purposes of financial gain[…]This activity has continued for over two years, and shows no signs of stopping," the company stated.
This research comes with a report by IOActive, revealing it has discovered three vulnerabilities (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) in the Lamassu Douro bitcoin ATMs that might provide physical access to an attacker the ability to take complete control of the machines and steal user data.
Identity theft is a serious concern at a time of rapid technology development and digital commerce. It becomes essential to strengthen our defenses against potential cyber threats as we negotiate the complexities of internet platforms and financial services. Identity protection must be prioritized immediately, as shown by several recent instances.
A thorough analysis by CNET states that as more people become aware of the significance of protecting their personal information online, there is a growing demand for identity theft protection services. The paper emphasizes that because hackers have become more skilled, protecting sensitive data needs to be done proactively.
A major data breach at mortgage giant Mr. Cooper compromised the personal data of an astounding 14 million consumers, according to a surprising disclosure. Sensitive data susceptibility in the digital age is a worry raised by the occurrence, which has shocked the cybersecurity world.
Strong cybersecurity procedures in financial institutions are vital, as demonstrated by the breach, confirmed on December 18, 2023, and have significant consequences for the impacted persons. The hackers gained access to Mr. Cooper's networks and took off with a wealth of private information, including social security numbers, names, addresses, and other private information.
Customers of prominent cryptocurrency companies FTX, BlockFi, and Genesis had their financial and personal information exposed in a recent cybersecurity breach. Concerns have been expressed about the security of private information in the cryptocurrency sector as a result of the hack.
The breach, according to claims from sources, was carried out by taking advantage of flaws in the systems of Kroll, a reputable data management business. The personal information of innumerable users is now in danger due to Kroll's involvement in processing the client data of these cryptocurrency companies.
FTX, BlockFi, and Genesis being prominent names in the cryptocurrency sector, have a significant user base that relies on their platforms for trading, lending, and other financial services. The compromised data includes user names, email addresses, phone numbers, transaction histories, and potentially even account passwords. This sensitive information falling into the wrong hands could lead to identity theft, phishing attacks, and financial fraud.
The incident raises questions about the industry's overall data security practices. While the cryptocurrency market has been praised for its decentralized nature and robust encryption, this breach underscores the persistent vulnerabilities that exist in digital systems. Companies dealing with such high-value assets and sensitive data must prioritize cybersecurity measures to prevent such incidents.
Operation Jackal, conducted between May 15 and 29, apparently mobilized police forces, financial crime units and cybercrime agencies across 21 countries in order to launch a targeted strike on Black Axe and related West African organized criminal gangs.
As of now, more than 200 illicit bank accounts that were linked to online financial crime have been blocked, with several associated suspects arrested whose networks in cybercrime pose a severe threat to international security.
“Organized crime is mostly driven by financial gain and INTERPOL is committed to working with our member countries to deprive these groups of their ill-gotten assets. This successful operation involving so many countries clearly shows what can be achieved through international cooperation, and will serve as a blueprint for concerted police action against financial crime in the future,” says Isaac Kehinde Oginni, Director of INTERPOL’s Financial Crime and Anti-Corruption Centre (IFCACC). “It also sends a strong message to West African crime networks that no matter where they hide in cyberspace, INTERPOL will pursue them relentlessly. The illegal activities of Black Axe and similar crimes syndicates will remain a priority for INTERPOL.”
In Portugal alone, four such investigations led to the accumulated seizure and recovery of around 1.4 EUR million.
A total of 34 suspects have been arrested in the Irish phase of the operation. Amongst these arrests, 12 were detained for investigative purposes and 22 on suspicion of money laundering and gangland-style offences.
According to Deputy Head of the National Central Bureau of Dublin, Tony Kelly, ‘It became apparent early in the investigation that international cooperation and the use of INTERPOL’s analytical and coordination capabilities was essential to the investigation, and remains a pivotal element to the success to date and the ongoing investigation into this group.”
More such investigations have been witnessed across the world as intelligence agencies are putting efforts into investigating the issue.
Black Axe and other West African organized cybercrime syndicates are popular malicious gangs known for cyber-enabled criminal offences like financial fraud, mostly done by compromising company’s email systems, romance scams, inheritance scams, credit card fraud, tax fraud, advance payment scams and money laundering.