
Mexican Banks and Cryptocurrency Platforms Targeted With AllaKore RAT



Summary

A financially motivated threat actor is targeting Mexican banks and cryptocurrency trading entities with custom-packaged installers that deliver a modified version of AllaKore RAT, an open-source remote access tool.


Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process. The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.


The targeting we observed was indifferent to industry; the attackers appear to be most interested in large companies, many with gross revenues over $100M USD. We know this because the lures sent out by the threat actors only work for companies that are large enough to be reporting directly to the Mexican government’s IMSS department.


Based on the large number of Mexico Starlink IPs used in the campaign and the long timeframe of these connections, plus the addition of Spanish-language instructions to the modified RAT payload, we believe that the threat actor is based in Latin America.


Brief MITRE ATT&CK® Information

Tactic                 Technique
Initial Access         T1189
Execution              T1204.002, T1059.001
Defense Evasion        T1218.007, T1480, T1070.004, T1140
Command and Control    T1105, T1071.001, T1219
Credential Access      T1056.001
Collection             T1056.001, T1113
Exfiltration           T1041



Weaponization and Technical Overview

Weapons: Malicious MSI installer, .NET downloader, customized AllaKore RAT
Attack Vector: Spear-phishing; Drive-by
Network Infrastructure: Statically hosted C2
Targets: Retail, Agriculture, Public Sector, Manufacturing, Transportation, Commercial Services, Capital Goods, and Banking



Technical Analysis

Context


A long-running campaign targeting Mexican entities with large revenues ($100 million USD and above) was discovered by BlackBerry cyber threat intelligence (CTI) analysts. The campaign has used consistently detectable C2 infrastructure since 2021 and has yet to be disrupted.


Attack Vector


Samples from the middle of 2022 and before, such as 942865d0c76b71a075b21525bd32a1ceca830071e5c61123664bd332c7a8de2a, were packaged as RAR files containing the AllaKore sample itself. RAR is a proprietary archive file format that supports data compression, error correction and file spanning.


Newer samples use a more complicated installation chain: an MSI (Microsoft Installer) package that deploys a .NET downloader. Before fetching the customized AllaKore RAT, the downloader checks through a network IP geolocation service that the victim is located in Mexico.


Installer files are structured like malspam attachments and have the following execution path:



Figure 1: RAT delivery process


What is AllaKore RAT?

AllaKore RAT is a simple, open-source remote access tool written in Delphi. It was first observed in 2015, and was most recently used by the threat group known as SideCopy in May 2023 to infiltrate organizations within a specific geographic area.


Early 2022 Sample

MD5:       21b7319ae748c43e413993ad57e8d08c
SHA-256:   942865d0c76b71a075b21525bd32a1ceca830071e5c61123664bd332c7a8de2a
File Name: aluminio.rar
File Size: 3840823 bytes



"Aluminio.rar" decompresses to "aluminio.exe", which is the AllaKore RAT payload. Notably, new Spanish-language commands have been added to the original RAT.



Figure 2: Custom function names


This earlier sample reaches out to uplayground[.]online, a domain which was in use from late 2021 until mid-2022. The endpoint of “/registrauser.php” was originally used as the AllaKore server. The endpoint "/license.txt" was used as an update location, always pointing to the latest version of the threat actor’s RAT. A breakdown of the custom functionality is given a little further down in this report.


Late 2022 Sample

MD5:       e5447d258c5167db494e6f2a297a9be8
SHA-256:   bf26025974c4cbbea1f6150a889ac60f66cfd7d758ce3761604694b0ceaa338d
File Name: PluginIMSSSIPARE (1).zip
File Size: 14220446 bytes



The file obfuscation was changed in late 2022. This archive has the following structure:

PLUGINIMSSSIPARE (1).zip
    INSTRUCCIONES.txt
    InstalarPluginSIPARE.zip
        InstalarPluginSIPARE.msi

The instructions read:


Figure 3: INSTRUCCIONES.txt


Translated, this reads:


INSTRUCTIONS


1.- EXTRACT THE CONTENT OF THE INSTALARPLUGINSIPARE.ZIP FILE

2.- RUN THE FILE CALLED "INSTALARPLUGIN"

3.- WHEN YOU FINISH THE INSTALLATION YOU WILL BE ABLE TO LOG IN NORMALLY


“InstalarPluginSIPARE.msi” is built with Advanced Installer 18.3. This file deploys a .NET downloader and a couple of PowerShell scripts for cleanup. “ADV.exe” is the .NET downloader, while the PowerShell command employed is:


"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command

"C:\Users\admin\AppData\Local\Temp\AI_4ECB.ps1 -paths 'C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\file_deleter.ps1','C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\aipackagechainer.exe','C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files','C:\Users\admin\AppData\Roaming\ADV','C:\Users\admin\AppData\Roaming\ADV' -retry_count 10"


“file_deleter.ps1” and “AI_4ECB.ps1” are the same file (SHA-256 80C274014E17C49F84E6C9402B6AA7D09C3282ADC426DA11A70A5B9056D6E71D). They clear out the ADV directory once the final payload has been delivered.


The “aipackagechainer.ini” file shows the installation and execution parameters:


[GeneralOptions]

Options=bh

DownloadFolder=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\

ExtractionFolder=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\


[PREREQUISITES]

App1=4.4.7


[App1]

SetupFile=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\ADVin\ADV.exe

Options=ip


[PREREQ_CHAINER]

CleanupFiles=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\ADVin\ADV.exe

CleanupFolders=C:\Users\admin\AppData\Roaming

CleanupScript=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\file_deleter.ps1


This shows the MSI installation path and execution chain. “ADV.exe” is the .NET downloader that will be run first, followed by the “file_deleter.ps1” script, which removes the installation files.


MD5:       2c84d115a74d2e9d00a14f19eb7f8129
SHA-256:   2843582FE32E015479717DA8BF27F0919B246A39495C6D6E00AC7ECA8B1D789C
File Name: ADV.exe, App.exe
File Size: 47104 bytes
Created:   2039-08-06 15:13:14 UTC (PE header compile timestamp; a date in the future is not genuine and should not be used to date the build)



“ADV.exe” queries ipinfo[.]io and tests the response for a Mexican geolocation with the obfuscated function below. If the string MX is not present in the response, the downloader exits.


Figure 4: Function checking for Mexican geolocation
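The guardrail described above, reproduced as an added example (not code from the report or from the malware): the report says only that ADV.exe queries ipinfo[.]io and exits unless "MX" appears in the response, so the substring test in passes_guardrail() is an assumption modelled on that description. FakeIpInfo is a stand-in geolocation service to run inside an analysis lab, not anything the threat actor operates.

```python
"""Reproduce the Mexico-only execution guardrail of the .NET downloader and
show how an analysis host defeats it.

Added example, not code from the report or the malware. passes_guardrail()
is an assumption modelled on the report's description ("MX" anywhere in the
ipinfo response); FakeIpInfo is a lab stand-in for ipinfo.io.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen


def passes_guardrail(response_text: str) -> bool:
    """The check as described: any 'MX' in the body lets execution continue."""
    return "MX" in response_text


def country_of(response_text: str):
    """What a strict parse of an ipinfo-style JSON body actually says."""
    try:
        return json.loads(response_text).get("country")
    except (json.JSONDecodeError, AttributeError):
        return None


class FakeIpInfo(BaseHTTPRequestHandler):
    """Answers like ipinfo.io's JSON endpoint, but with a country you choose.
    In a sandbox, resolve ipinfo.io to this listener (hosts file or DNS
    sinkhole) so the downloader believes it is in Mexico and fetches the
    next stage instead of exiting."""
    country = "MX"

    def do_GET(self):
        body = json.dumps({"ip": self.client_address[0],
                           "country": self.country,
                           "org": "AS64496 Example Lab"}).encode()  # constructed
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_and_check(country: str = "MX"):
    """Start the fake service on an ephemeral loopback port, query it the way
    the downloader would, and return (guardrail passed?, parsed country)."""
    handler = type("Handler", (FakeIpInfo,), {"country": country})
    server = HTTPServer(("127.0.0.1", 0), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        with urlopen(f"http://127.0.0.1:{server.server_port}/json", timeout=5) as resp:
            text = resp.read().decode()
    finally:
        server.shutdown()
        server.server_close()
    return passes_guardrail(text), country_of(text)


if __name__ == "__main__":
    print(serve_and_check("MX"))  # lab posing as a Mexican host: downloader proceeds
    print(serve_and_check("US"))  # honest answer from outside Mexico: downloader exits
```

Because the check is a bare substring match, any response that happens to contain "MX" (for example in an org or ASN name) also passes, which is worth remembering when reasoning about which non-Mexican hosts could still detonate the payload.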


The rest of the downloader’s execution deobfuscates strings and then downloads content from hxxps://trapajina[.]com/516. The file is saved as “kaje.zip”. “Kaje.zip” is decompressed into the final payload, “chancla.exe”.


All payloads use the User-Agent “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)”.


“Chancla.exe” can also be found at hxxps://dulcebuelos[.]com/perro516[.]exe.
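The network tells described in this section (the fixed User-Agent, the three-digit build-number paths on the delivery hosts, the license.txt version pointer and the C2 endpoint names) can be turned into a simple log scanner. The following is an added example, not code from the report; the proxy log format and the sample lines are constructed, and only the indicators themselves come from the report.

```python
"""Scan proxy logs for the network indicators of the AllaKore campaign.

Added example, not code from the BlackBerry report. The log line format
(timestamp, client, method, URL, status, quoted User-Agent) and SAMPLE_LOG
are constructed; the indicators come from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

CAMPAIGN_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)"
C2_ENDPOINTS = {"/license.txt", "/license2.txt", "/registrauser.php"}
KNOWN_C2 = {"flapawer.com", "chaucheneguer.com", "hhplaytom.com",
            "zulabra.com", "uperrunplay.com", "uplayground.online"}
KNOWN_DELIVERY = {"trapajina.com", "praminon.com", "zaguamo.com", "narujiapo.com",
                  "isepome.com", "debirpa.com", "dulcebuelos.com", "iomsape.com"}
# Delivery URLs in the report are a bare three-digit build number, e.g. trapajina[.]com/516
NUMERIC_PATH = re.compile(r"^/\d{3}$")
# Update pointer served from license.txt / license2.txt: version_<n>_<url>
LICENSE_RE = re.compile(r"^version_(\d+)_(https?://\S+)$")
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


@dataclass
class Hit:
    line_no: int
    host: str
    reasons: list[str] = field(default_factory=list)

    @property
    def strong(self) -> bool:
        # The fixed UA or a known domain is enough on its own; a bare numeric
        # path is too generic and only counts when something else corroborates it.
        return ("campaign-user-agent" in self.reasons
                or "known-c2-domain" in self.reasons
                or "known-delivery-domain" in self.reasons
                or len(self.reasons) >= 2)


def parse_license(text: str) -> tuple[int, str] | None:
    """Split a version_<n>_<url> pointer into (version, download URL)."""
    m = LICENSE_RE.match(text.strip())
    return (int(m.group(1)), m.group(2)) if m else None


def scan(log_text: str) -> list[Hit]:
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # constructed format only; adapt LOG_RE to the real proxy
        url, ua = m.group(4), m.group(6)
        parts = urlsplit(url)
        host, path = parts.hostname or "", parts.path or "/"
        hit = Hit(n, host)
        if ua == CAMPAIGN_UA:
            hit.reasons.append("campaign-user-agent")
        if host in KNOWN_C2:
            hit.reasons.append("known-c2-domain")
        if host in KNOWN_DELIVERY:
            hit.reasons.append("known-delivery-domain")
        if path in C2_ENDPOINTS:
            hit.reasons.append("c2-endpoint-path")
        if NUMERIC_PATH.match(path):
            hit.reasons.append("numeric-delivery-path")
        if hit.reasons:
            hits.append(hit)
    return hits


# Constructed sample: three lines mimic the infection chain, one is benign,
# and one has only a numeric path on an unrelated host.
SAMPLE_LOG = f"""\
2023-10-07T12:00:01Z 10.0.0.5 GET https://trapajina.com/516 200 "{CAMPAIGN_UA}"
2023-10-07T12:00:09Z 10.0.0.5 GET http://uperrunplay.com/license.txt 200 "{CAMPAIGN_UA}"
2023-10-07T12:00:10Z 10.0.0.5 POST http://uperrunplay.com/registrauser.php 200 "{CAMPAIGN_UA}"
2023-10-07T12:01:00Z 10.0.0.7 GET https://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-10-07T12:02:00Z 10.0.0.8 GET https://cdn.example.net/517 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.host} {'STRONG' if h.strong else 'weak'} {h.reasons}")
    print(parse_license("version_400_https://dulcebuelos.com/perro516.exe"))
```

The MSIE 6.0 User-Agent is the most portable of these indicators: it is hard-coded in every stage, so it survives the actor's regular domain rotation, whereas the domain sets above need refreshing against the infrastructure table later in this report.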


AllaKore RAT

AllaKore RAT, although somewhat basic, can keylog, capture the screen, upload and download files, and take remote control of the victim’s machine.


MD5:           aa11bedc627f4ba588d444b977880ade
SHA-256:       6d516a96d6aa39dd9fc2d745ea39658c52ab56d62ef7a56276e2e050d916e19f
File Name:     chancla.exe
File Size:     7696896 bytes
Created:       2023-09-15 07:26:42 UTC
File Version:  3.4.0.0
Copyright, Product, Description, Original Name, Internal Name, Comments: CreatiUPRPS Win Service



“Chancla.exe” is the threat group’s modified version of AllaKore. On top of the functionality of the open-source AllaKore RAT, it adds the following:

Additional commands related to banking fraud, targeting Mexican banks and crypto trading platforms.

A reverse shell, exposed as a dedicated command.

Clipboard commands: one simply sends Ctrl+C, while “grab text” copies the current selection with Ctrl+C and can then paste the captured content with Ctrl+V.

Download-and-execute of arbitrary files, which turns the RAT into a loader for components that are not hard-coded in the malicious binary.


Figure 5: PEGATEXTO function


Figure 6: Descarun function


This sample uses uperrunplay[.]com as its C2, with the same URL paths as previous campaigns: “license.txt”, “license2.txt”, and “registrauser.php”. At the time of writing they pointed to the following:

license.txt: version_400_https://domain[.]com/perro516[.]exe, where domain[.]com is a placeholder for the host serving the AllaKore RAT itself; when pushing new versions, the threat actors changed the domain to dulcebuelos[.]com.

registrauser.php: the C2 endpoint used for communication with the RAT.

license2.txt: http://23.254.202[.]85/Chrome32[.]exe

Chrome32.exe (SHA-256: 0b8b88ff7cec0fb80f64c71531ccc65f2438374dda3aa703a1919ae878f9eb67) is a Chrome extension that blocks access to URLs starting with enlaceapp[.]santader[.]com[.]mx/js/vsf_generales/.


Figure 7: Chrome extension blocking rules


Network Infrastructure

The network infrastructure is not obfuscated in any way other than regular domain updates. The majority of servers used in this campaign are purchased through Hostwinds, while the domains are registered through eNom LLC.


Domain                  Type      First Seen   Last Seen
flapawer[.]com          C2        2023-12-13   Active
chaucheneguer[.]com     C2        2023-10-27   Active
hhplaytom[.]com         C2        2023-10-05   Active
zulabra[.]com           C2        2023-04-29   Active
uperrunplay[.]com       C2        2022-11-08   Active
uplayground[.]online    C2        2021-05-12   2023-04-28
praminon[.]com/519      Delivery  2023-12-23   Active
trapajina[.]com/516     Delivery  2023-10-07   Active
zaguamo[.]com/500       Delivery  2023-05-10   Active
pemnias[.]com/433       Delivery  2023-05-10   2023-10-16
isepome[.]com/435       Delivery  2023-02-03   Active
narujiapo[.]com/435     Delivery  2023-05-30   Active
manguniop[.]com/422     Delivery  2022-06-06   2023-06-06
debirpa[.]com           Delivery  2023-05-02   Active
dulcebuelos[.]com       Delivery  2023-03-15   Active
iomsape[.]com           Delivery  2023-02-03   Active
bstelam[.]com/431       Delivery  2022-08-06   2023-08-05
rudiopw[.]com/430       Delivery  2022-06-29   2023-06-26
ppmunchi[.]com          Delivery  2022-05-18   2023-06-30
pelicanomwp[.]com/422   Delivery  2022-04-29   2023-04-29
andripawl[.]com         Delivery  2022-04-03   2023-04-19



All of the C2s serve the same HTML page and favicon, and can be pivoted on with the following MurmurHash3 (MMH3) values, as exposed in the Shodan http.html_hash and http.favicon.hash fields:

http.html_hash:1125970204
http.favicon.hash:-2055641252

IPs matching these hashes:

192.119.99[.]234
192.119.99[.]235
192.119.99[.]236
192.119.99[.]237
192.119.99[.]238
23.236.143[.]214
23.254.138[.]211
23.254.202[.]85


Aside from a short resolution of uperrunplay[.]com to 23.236.143[.]214, these C2 are also hosted on Hostwinds servers.  


All delivery servers are hosted on 23.254.136[.]60 and utilize ZeroSSL certificates. The server has been used for delivery purposes since 2022-04-03.


BlackBerry telemetry shows that remote desktop protocol (RDP) access to the C2 servers is made through ExpressVPN and Mullvad VPN, as well as from Starlink IP addresses located in Mexico. The large number of Mexican Starlink IPs and the long timeframe of those connections indicate that the threat actor is likely located in Latin America.


Targets

This threat actor is specifically targeting Mexican entities, especially large companies with gross revenues over $100M US. All lures have utilized legitimate and benign Mexican government resources, such as the IDSE software update document “guia_de_soluciones_idse.pdf” and the IMSS payment system SIPARE.



Figure 8: IDSE PDF header used as a lure


During the installation process, the .NET loader confirms the Mexican geolocation of the victim through IP location services, before proceeding to download and deploy the RAT.


Targeting is indifferent to industry, as we saw targeted entities across Retail, Agriculture, Public Sector, Manufacturing, Transportation, Commercial Services, Capital Goods, and Banking industries. The actors are most interested in large companies, many with gross revenues over $100M USD. We know this because the lures used only work for companies that are large enough to be reporting directly to the Mexican government’s IMSS department.


Function naming inside the RAT implies specific targeting of banks residing in Mexico. Prefixes on those names explicitly reference six Mexican banks and one Mexican crypto trading broker.


Attribution

The targeting of Mexican entities by this threat actor has been ongoing since at least late 2021. In December 2021, Mandiant released an investigative report on FIN13 in which they state that only two financially motivated actors they know of limit their targeting to a single country over a timeframe of multiple years, and that only 14 of the financially motivated groups they track persist for longer than one year. These statistics make this actor unusual in both its persistence and its regional focus.


Custom functionality built into the RAT gives its operators specific fields to paste credentials and data related to their target’s banking infrastructure. This implies a segmented operation, where operators utilize the RATs to upload victim data to the C2 server in a specific format. That can then be used by the malicious individuals in charge of conducting fraudulent banking actions to take further action.


Function naming in Spanish, and Mexican Starlink IPs accessing the RDP ports of the C2 servers, indicate that this actor group is most likely located in Latin America.


Conclusions

This threat actor has been persistently targeting Mexican entities for the purposes of financial gain. This activity has continued for over two years, and shows no signs of stopping.


The number of sightings from within BlackBerry’s own internal telemetry, and the vast number of sample submissions to VirusTotal (the majority submitted from within Mexico itself), point to an extremely active group targeting any large Mexican company they can contact, with the hope of exfiltrating financial information.


APPENDIX 1 – Indicators of Compromise (IoCs)

File IoCs (SHA-256)

.NET Loader:

94489764825f620e777a34161d0ce506a49eec20bc27c3d63370e493a737d50e
884789b63fe432938e1bb76c9976976c1905b74c2974340a60eb7ea8261d48fb
b18e0c7c9569b33187e2beaf3318e99b50ed40c54e7dee8a26ce711bc782b150
4085c9829e2b18fd4721688dc25c0611f260b6e4f827b667999d9603cfe5e2d7
66f5b7ca8760fb017b0750441707c24eaa916d5b8aa021b3aa92082c6129ca22
0a3aa8c2485a3b8525f044f33c6d268ab79e1942885792d95f6a1c0c45be6106
84a468a25a8c65dac51f520732d2e9e6afa6b59e4b2f485c262a9bd305cd61c0
9402128b9602fbb485be887def8cd72c3265cd09f6dbf4e0a3ad2ea42da66870
e4a6be2fb70603f1545641240680b44e21b5601e8016c0d144711423eef9778e
d5ac0f4efa8396ae9ba74cc3ea2a62485e4d49a930efed0d69b043162bb66cc2
d63447877be48156032cc9ec9def7e25d62e7bc544bd3e19da75c0f55e09dcc0
7bb22d7013dede7b866ab25cbe32246228c46bd8a951b5a72557b7280ebb066f
2867d87bbc088b8cc50ff66f1d9c064cba978433cdb900649bbbb44370f8cbd1
b00fee1c275d12a05ca8a06ab54ffac2e3e8da68fd2be450f34c36c8a38e4887
e7e2a6fe7325ad7945a6020202ab5581e0a204f8b8ad9ffc48c18f129a6f8c46
42f1d24e135b9d3e4fd38e1ec3ab20cae495ec3526ae4037d937c6344914e923
88a9e666d4231a98a909ae5780778b85ffdb8a5207b8f7dfca2a0911cc0f6580
872c58b72962c1f0696b26563425c6734cc2246d1ea3375f675c1bd1ca915e59
49de6df83c5fe55c4e45b5744203513832f0435dbbd7913a3ce7f827afe51236
0eb20898a0a3c1f4a4210a819fa0bd8f8574db3413db8b85e381ab0c1963791a
d928ce7383d8582163c36773d1d97360a5ded812d11ee0faf99c7afa78251850
8a1381a829776220ec4bf0a9d36cf6842a5638b0190e667ee696bab04b8e7c9f
0835d21b60e3443892988d675f20393d79503ca6e37a889d9f7da19c321b3426
4276b4b4504edff275a4d56b99f66b23c48b49f4081abab36bf4d8f88818e2da
8cc14643ec452aa35e709ae34b874e0f070a20b174e7eeb2a046351a329cdde9
0eeb357abcd3864538dc26000f3a1d706c2c330fadfb845f7fc350b382d00c4e
61037a3321e143d85cdf77abf31f33ca5a701da0b84cef172bcf89457dfb4e7d
0324d8ed29829e5fa7add2bab1e73f2ad0094e80867caf57d35369a5e22fe79c
2444dd2bb0a0fa0631935ddeb829b753d1ba46c9149ee45f79794903f26e16fa
19d357351a29f6530624556bd31c475d56ea9ad76f31eb28f7d251fa3c751d62
da0b73d2f42f0232762f7c8d3eaa6863969f1982b798cd9fc19431c901ae4635
2843582fe32e015479717da8bf27f0919b246a39495c6d6e00ac7eca8b1d789c
b1489b216fb25bcf57329546c160800645c0a6620add3c8323e2b589d7150e9e
a72018420f8aab9cb431d120bfa06acd09d777a88aa186ec495dffdc22395f0e
2a0d1c7354b43acd6fd0303beb6277db92691f03e37baea0c39249ae0d8b5301
906d49817970955847f64d2f868e418579549e9cfa91c575f38342a1bd66ad4b
e01b10fc4131b8eec32148e559b95fd82da817166b831ae32a0fa89be883e8e9
08f0954be207eaa1a85cdc9eed4ad2737613bbbf240a7c30b658b583c3ddef0c
3499e5bd9daad587e05337bae5e953f279ebee20d9cf6d2a1707be28ce6295bf
1230b1a189b17a4da79bc10bde0fbb439c37997c8f927d4a80c61b006d8b3267
17213aa5a43fcf6a6baf5e784f33411cd0fa3a2fb00418486085c5a24695af7c
c86f9d739ea3c6b57fd070892be9d1d4b3c50fca8a8c3e05cf84875378fcc649
b61c027adcef5d2108dc13735cef5d4bce295f13de6032f3fee5129be74816b6
968f90a4567cdf67885c116379c792b4eeda1f7f8bd2cf34daf8c58b17f2ec0f
a65091e8912e4b65458041f866d37410b46e7a9432a57e0d7dc01ca4a21f3940
bf3e96bb6273890f48b566e9d484e0e747e8f21e3dbd6606a39edf98faedc7b1
6d3a50a354bcf2df226ce1065563755b3ab16d2e440900e3b80a9f0571c0f73a
da61eb41bffd50a07793ccc8b2ead76f5c49313445f07aa685c28523bbf39a00
caa7ef0b9a6ea51752813b7107348f46a3475acf9b3f1242e675f6a1296ccb2c
eaf26e1d12e0ae355441499bdf9d13c582540f3876bddfdef95c676f185609b8
cee2730a6e4100e3b865cb6fee41f77ec5a8bfce186b1e121ebb4236cd3dff88
e1246fbac51f8369292aec96270dd4b2a62fd148d9b6f2ca8ee208631237a44f
f292911c11a15001ca66e90df341f8763d4d149482f06f85cc2873651d205a6b
8d4d672eeba756c7ace20aea90219c8f7409b23ecc9c2eb47a31b1cd2d3577a6
7474cd11f62a53f0f3035fb62753561067cd771ec3e5d73823e74d4f4b8d31cb
74f637b21f7c68e6d56f0d64378336b28f500d82d4eb876d5b1cbbfe3a952ac2
bbd94254223f4ec3edbcc44c5d6d5ae5029c8d9c4512f02d3c61d2a28c3c5416
31e060d82ef68613d26b5e47c3934d482fc2975dad71fa6e677900cc8a938116
55455d2488d127fc7bb6976821c36ad5661a5e57e2d57dcc7ae7cb12ba7282d3
301f27dc88655927ce45b0c1138b4931b0d3aa7dcfdd424315d5c7339c540e52
5c1306596589d0b0c0f0d04be6687e5c2dbe92fbba493760b0ded7a47942fbb1
bc81f08ad4c543a35f899da8d45787751b50d221d67dae083d62097631ace059
582aa139fb1c315f68106cc2e50c10835874e8bc77aeb7302453f9aa3c25d920
7bced78c519befdb1b7ef3b973250f4ee2d3c2404309cea372df16b8ff5b1d84
8185e9784adfd6c2f1a286a724e7e374008667ae1f50cfa1a58451a5c33af536
05d0dd9916646c6144506bb26cab500d807ab015609bd19634e890fbeb63e48f
f8262a0c746bbfbb3e7cb17398953cd8391cdf416b759d4be1f1fc11611f4eb3
14f15b1d7951f078bbf412bb2ef774c812efff70280b86b8176994374c0e766d
ec1ea0b01ad6cd431c8441dc83537c3d9ef00994f9dd76a3041ff50c2526ce38
53e196f293b4f99face97449d18106f7dc9df5b9170354d1c1da27f9ec71849c
a20672a07f3cf2e67682486c1a2b6684e9a50ca129260a74353d1664be25aa92
cdf35bb3a256d4bd4e09a2a9b19e4682a3952233c720e37d9ae88e4050b8473a
b9ea5ecbda6abd328bd7370d250fa9ab5a38a104955ac383cecee8ce581b9d80
933858679466d57b4ea47003f08d864b1a417d7be75008e42ecd62f05dde7964
3ad89c70d77b9fec35bbbac25d3dabca9d6c1fc055b8570a2d34b3af5ac58aef
55f1b8346fc2e94791431a237d8a38fb6bb2014380b1905955d12bccb8c24e79
c1e18c6a611ccf23971a43fcdc0186d6a3f2bb0ee792140c35fc1e1a34582551
225d10a0b3880eebafb327769e39a2484161e21e5d07ddef8fe16b65d2a90113
dcea0d579d3d6ab2d29a3665e3e0c3849ccd42abe390b80bf362c79088a1ebbe
4865a260754a6a8740a85c40ef4185420334f9b21cc0d865295fdae4bb1e94a4
ae192d14a916ecdb55803830eace5ef820b1b520a751b6b689fa9591f6f292bc
bdc0a1ad95b1a62ae1e702681949fea485f42d5884aca78df02a64869688192e
c625ac5c134a74d84f8ce91504e41af15972ec71c064f7a5d31c588a8ff2c332
ea357305411b9c6b27657782e2bb14bc0c18149a7ad4093b30c12b041f785933
f76f5c12b81aa6d7fac0eeb4b775004c525ae50ebb049b6f4177417104eb8ef4
2be8c01e5ffcabb566212268a63ef3c42db5c57d3e879abe99b06b48ac9bacda
46f5ffcc04ea1eaf09cfce1a9329624c85a5c5435d91444a55ce02fceebfd2f7
ed7da8aef7dbe652b429d64a918a943c6586e1d4cec353c84663f8b451c09874
3c1be333e85f0243cdbcecfd727e86d582569809e2c45fefb64261b473ca1734
f0dfa2297df28f64dc38da3a54bbef5c499691a8cf05de0f08e20f4f7077e67c
40fc64907dcd0063e5f2b604fe78d0484d821cb9cda199d3cdca5e0219b43587
fc39aa0d2486c746f9b8d4d459a65517a21f961fb24ec25c4470f0b86e8c7cae
4bfa7c32d9eb8f7468a1919dbf9698e971052c091de4b66b125ba18b04bbe607
d8e22f8b5964428b4a29e5aad9ec9186bd96e7d29bc56ede8821a24294629931
bc3fcaa746c261af6b72ee0720fa739d7f79df71709b7067f016e30578f94c22
263bc3729f5785acb6647af950f3fe0a0cbbe05d2fcc9639276852ba39ecbaa2
f31a6b19572b668dbb473a0e43e53b9c1e5020b057421de8fc019c150ed3fb38
ee32169bef700d3dcceb86a101e188e5c0146a1104ee8809d1e031d93cdee36c
9946fb2e81d07ad7780a20cf06b59bd27177c8bd6ed543e13089c47957adab1a
c5a4bf56670d51fed1e88050eddb003f39af0e22fbb01163679fef758b000392

MSI Installer:

4524d47ca7b7d71764f12807fd3722e4b890388eb2f5bf975d58c6afd0221fb3
8e2fc9de5da07a6cf6cfeb3349185e282cec5eed944cb66873136bd697389516
2f9f289224482204b0f3bb4f0af8fe99f235daea99fe435cbc53dcbb9bc22bb0
434ec6d3575f72e680a8bf9211b3a853d80457644ff01d7acc41657b9bfdca24
eee76b24be7121434ec7ad1ca39792cbfec594916f8e143fad18698955ba0870
81c5b7940a69854c72cb99d4af6a1092f0adc9182e9e8fd729b1857126d096ba
70d6cf1d106783bced15e4bd31b91a6be8ae9d9746955da60cfdf1cb1f9dbf7d
77607c0a0a1dcaa4f1ba27e17d5eba5d79fbbf64e1e71b8f4e03a6f724653355
80bc99cd883421432e034d0c714d892ecaac6385fd86bd74e9291a736e118f28
d48d277f7891ed1e2797d551c1470eae87af7b82746fa8dc2083440c42bcc112
71a106f9fbce3e5b48baaacc250beb292cbc0c63190c3ae390f69c17e0be5465
c9c18f3eb35b9359c52737e12c35701401867b91aad0ca17822e8a82fce46001
9cbf221cfb8fe33c0a3e352742c8b9b931fef5b5c6a07e33cdeebe97b6113622
335b69874aff8bc4c45404917fb34523c7205854a979a5293b40d0b2aa52ed89
6eed0ff8083a07cf43850e74a9667267613783721834c7593338f888b419ca47
5925f48a5b1abc6d25858bf7d3cfc4ec98991ecc5fddebe79b80c29789a2f5fe
a6fbcc0b368109a964e55869969d33db7287726b2e0dbf46bdcaa91f6adc1edb
98f7bda5f3c4d7f845b6812d774765907b7b943b7d97386c1a8135c2051b2225
8a444480e1a313ce35b3535c8df8f5511817e57897e7b5de0e36b5973c21fb82
a8f7253907eb8ab7021c58cc8a03c32f33d4a3a86494b9198b68cec3219a968c
aeda5536fe7239843130547c677d2094883fd45aafeffb91c196c9b12c36232b
750baeecb35d18010fbdfd0c90ecd4be3083a51b39837f596f0887bfd294e170
28107b1104bb5fd61d49b64460a0f1f75c664930b251849361783cf60d518c7d
56f7283604960cca96200e5da47dd6a4408086a77973f96ca230b2a583545cd8
490bd1a59cb2d43828c301d943b7c6a848f2b70d901d69234ccc7c88db8f8ca7
44339460d0dfe01d68c10c9a084f1d4530b0c135d6be55bcbc8666822b454f3f
39be7067ccedfac84b9ff7d15bc6297d8d8637357aaa4b68286ed8af2e65a2e7
4edc594040c0a3b0dfa5b343d1f000271b0e6d3bd3f29988c360735c6ffd9fc0
9103f43dcf834b696ff3f6f4ea58dc0bdf14e1483f91420313157bb1a41ba76b

AllaKore:

13d88bcf312896fae6d03d59c564bc9521e0916096098cfe41508395955aab0e
168ac972b7f0610f978e50b426e39938f889422b1bcfaf9cddf518e3e1ed9aa9
2ff3cdb886b1caf3eaad9a2467bfa16b9269b88695b76bb6a0da481458e30aa3
305cde85573131949fab5a3973525a886962c4f8c02558d3a215689a49f53406
33578228c11ad0b3d86a198a32b602aa93a91d2feeae2fb2e83f8c6595c8acd9
422c9471c29fe17457e142df1a567c273212019eb20b0b4783891c529c1248a8
46c14c2f0d04710f53db16473877d3315c13e1a33a3236846a87e8f91808c8eb
49a04f31e49cee3ae65e9d776bc0f8aedf40c52fafcd002ccf7de4044abec2dd
52134d02cd77f8a65fd5b15c7c57ff2909ac39f0b5779592c533a18bf6b23879
5961b42f8efad58c437bdad862a0337c6bcd57f7cbf35184f2de60f4609fd477
673d4fe6f9e46fae37649c525f1d0d89cfd3b8310210dff4ddc7349418d9e80f
6d516a96d6aa39dd9fc2d745ea39658c52ab56d62ef7a56276e2e050d916e19f
89206ca169747d4aa70d49350415f21df7f1a00a3bf8d0c253b6beda2eb919d9
8fce1d24cf952528169f473b9462724482511615ed31165710e5e3a74cefdd02
911e45d053bdf3a41e812203ae29db739cf3505a4e37209936c1cc83ee42e8e9
9221470c77b46bcd457951ae3a3d31d60ad4602ea9d152d51d1e4f9a5b3bca3a
a5af60355c423fa4cc9695b86a5697f847259eaee724065162d303cc4523d447
b858d451804a641fc51dd6d3c50668d6a08dc9033252aee52f582264a970cff8
bc423bd9acd7c5a1f2849091f21de5429f2fc79e2655f92866e1c8b7b1f96f7e
c778739c5214aa580cba05f01afe2d9fc8f12d3fa7ad864a279bcb4ad6d266b4
cde045a0269a5a05928128c6ca7c030947f96034c9204e2b747a0d626e3f22f3
e2d82ab6cc71a1d8d2a2ba2312b0d8a4a3d23e3902d5b180383d9e406097a9ff
ee772e1260c6adc532bed57cacdbb6e0b8db311996074ad42eaf1aefd243187a
eecc201c80809b636d945aa537b954dd2e39382c36067a040a672167a1257a09
fba031543c3ab694a09e603a7df6417f93742f0b87f9fedaf9ab84d11340ccb5
fd8c49d00effa8bc730e06ae217655a430ba03122ca974945d41642299853dfa



Network IoCs

IoC                    Type
flapawer[.]com         C2
chaucheneguer[.]com    C2
hhplaytom[.]com        C2
zulabra[.]com          C2
uperrunplay[.]com      C2
uplayground[.]online   C2
192.119.99[.]234       C2
192.119.99[.]235       C2
192.119.99[.]236       C2
192.119.99[.]237       C2
192.119.99[.]238       C2
23.236.143[.]214       C2
23.254.138[.]211       C2
23.254.202[.]85        C2
23.254.136[.]60        Delivery
trapajina[.]com        Delivery
narujiapo[.]com        Delivery
zaguamo[.]com          Delivery
debirpa[.]com          Delivery
isepome[.]com          Delivery
iomsape[.]com          Delivery
pemnias[.]com          Delivery
bstelam[.]com          Delivery
rudiopw[.]com          Delivery
manguniop[.]com        Delivery
ppmunchi[.]com         Delivery
pelicanomwp[.]com      Delivery
andripawl[.]com        Delivery
dulcebuelos[.]com      Delivery



APPENDIX 2 – Applied Countermeasures

Yara Rules

rule MX_fin_downloader_kaje_decode_func {
    meta:
        author = "BlackBerry Threat Research & Intelligence Team"
        description = "Locates .NET function that deobfuscates kaje filename"
        date = "2023-12-19"
    strings:
        $s1 = {1A8D??00000125161F6A0658D29C25171F620659D29C25181F6B0659D29C25191F660659D29C0B}
    condition:
        all of them
}

rule MX_fin_downloader_elearnscty_string {
    meta:
        author = "BlackBerry Threat Research & Intelligence Team"
        description = "Locates unique strings to the MX fin .NET downloaders."
        date = "2023-12-19"
    strings:
        // UTF-16LE "RWxlYXJuU2N0eSBUZXN0aW5nIGNvdXJzZQ==", i.e. base64 of "ElearnScty Testing course"
        $s1 = {52 00 57 00 78 00 6c 00 59 00 58 00 4a 00 75 00 55 00 32 00 4e 00 30 00 65 00 53 00 42 00 55 00 5a 00 58 00 4e 00 30 00 61 00 57 00 35 00 6e 00 49 00 47 00 4e 00 76 00 64 00 58 00 4a 00 7a 00 5a 00 51 00 3d 00 3d 00}
    condition:
        all of them
}


rule MX_fin_custom_allakore_rat {


meta:


author = "BlackBerry Threat Research & Intelligence Team"


description = "Find MX fin custom function names and prefixes."


date = "2023-12-19"


strings:


$main = ""


$cnc1 = ""


$cnc2 = ""


$cnc3 = "


$cnc4 = "


$cnc5 = "


$cnc6 = "


$cnc7 = "


$cnc8 = "" wide


$cnc9 = "


$cnc10 = "


condition:


uint16(0) == 0x5A4D and


$main and


2 of ($cnc*) and


filesize > 5MB and filesize


}



APPENDIX 3 – Detailed MITRE ATT&CK® Mapping

Tactic                         Technique                                         Sub-Technique Name
Initial Access                 T1189 - Drive-by Compromise
Execution                      T1204 - User Execution                            T1204.002 - Malicious File
Execution                      T1059 - Command and Scripting Interpreter         T1059.001 - PowerShell
Defense Evasion                T1218 - System Binary Proxy Execution             T1218.007 - Msiexec
Defense Evasion                T1480 - Execution Guardrails
Defense Evasion                T1070 - Indicator Removal                         T1070.004 - File Deletion
Defense Evasion                T1140 - Deobfuscate/Decode Files or Information
Command and Control            T1105 - Ingress Tool Transfer
Command and Control            T1071 - Application Layer Protocol                T1071.001 - Web Protocols
Command and Control            T1219 - Remote Access Software
Credential Access, Collection  T1056 - Input Capture                             T1056.001 - Keylogging
Collection                     T1113 - Screen Capture
Exfiltration                   T1041 - Exfiltration Over C2 Channel





This post first appeared on EHackNews - The Hackers News; please read the original post: here
