Cyberthreat Warning for Mexican Crypto Exchanges from Blackberry

Blackberry, the research and intelligence division of the once-dominant cellphone brand, has identified and warned about a financially motivated attacker targeting high-net-worth Mexican cryptocurrency exchanges and banks. According to their report, the threat involves the use of an open-source remote access tool called AllaKore RAT to steal sensitive user information from financial institutions. The attackers install the tool on company computers and databases, often disguising it behind official naming schemes and links to avoid detection.

Blackberry’s report highlights that the AllaKore RAT payload has been modified to enable the threat actors to send stolen banking credentials and authentication information to a command-and-control server for financial fraud purposes. The threat mainly targets large companies with annual revenues exceeding $100 million, particularly those that report directly to the Mexican Social Security Institute (IMSS). The majority of the attacks originated from Mexican Starlink IP addresses, leading Blackberry to conclude that the threat actor is based in Latin America.

The newer versions of AllaKore RAT utilize a more complex installation process, where the software is delivered to targets via a Microsoft software installer file. The software only executes if it detects the victim is located in Mexico. The threat is not limited to large banks and cryptocurrency trading services. Blackberry found that the same method is used to target large Mexican corporations in various industries, including retail, agriculture, public sector, manufacturing, transportation, commercial services, and capital goods.

Cyberattacks through basic phishing techniques are on the rise and have proven successful in stealing funds. For example, hardware wallet manufacturer Trezor recently experienced a security breach that led to the leak of contact information for around 66,000 users. Although Trezor assured its users that their funds remained secure, at least 41 users received direct email messages from the attacker requesting sensitive information about their recovery seeds.

Given the numerous data leaks within the cryptocurrency ecosystem, investors are advised to be cautious and avoid sharing sensitive information unless it has been verified.