Cybersecurity Threats Escalate as Greedy Sponge Targets Mexican Organizations

Mexican organizations continue to face significant cybersecurity threats, with evidence of a sustained campaign by a financially motivated hacking group known as Greedy Sponge. Active since early 2021, this group has indiscriminately targeted various sectors, including retail, agriculture, public services, and banking, utilizing modified versions of AllaKore RAT and SystemBC.

According to Arctic Wolf Labs, the AllaKore RAT payload has been modified to harvest banking credentials and authentication data for use in financial fraud. The firm's recent analysis describes the group's initial-access tactics, primarily phishing and drive-by downloads that deliver enticing but booby-trapped ZIP archives, consistent with the earlier findings of the BlackBerry Research and Intelligence Team.

Subsequent investigations show that the delivery chain has matured. The lures are ZIP archives whose contents pose as legitimate software; opening them installs malware that gives the operators remote access and a channel for data theft. Its keylogging and remote-control capabilities fit the group's financial motive, and Arctic Wolf notes that the operation has remained effective over several years.

Greedy Sponge also refines its tooling over time, notably with tighter geofencing that limits who can reach its infrastructure and payloads. Early campaigns relied on .NET downloaders to perform these checks on the victim's machine; the geofencing has since shifted toward server-side enforcement, which is harder for analysts outside the targeted region to observe.