Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC – Arctic Wolf

MITRE Techniques

• [T1591.001] Gather Victim Org Information: Determine Physical Location – Use of geofencing restricts malware execution to systems physically located in Mexico (“Attacker restricts the malware execution to systems physically located in Mexico”).
• [T1027.015] Obfuscated Files or Information: Compression – Delivery via zip files containing AllaKore RAT (“Zip files are delivered containing Greedy Sponge’s custom AllaKore RAT”).
• [T1218.007] System Binary Proxy Execution: Msiexec – Trojanized MSI files used to download custom AllaKore RAT (“A MSI file has been trojanized to download Greedy Sponge’s custom AllaKore RAT”).
• [T1204.002] User Execution: Malicious File – Execution gained by victims opening malicious files in zipped archives (“Greedy Sponge has gained execution through victims opening malicious files embedded in zip file”).
• [T1105] Ingress Tool Transfer – Download of custom AllaKore RAT (“Attacker downloads Greedy Sponge’s custom AllaKore RAT”).
• [T1059.005] Command and Scripting Interpreter: PowerShell – PowerShell script deployed for cleanup after RAT installation (“InstalarActualiza_Policy.msi deploys a PowerShell script for cleanup of the %appdata% directory”).
• [T1070.004] Indicator Removal: File Deletion – PowerShell script cleans up deployment directories to evade detection (“InstalarActualiza_Policy.msi deploys a PowerShell script to clean up the %appdata% directory used for downloading and deploying the RAT”).
• [T1132.001] Data Encoding: Standard Encoding – Base64 encoding used in .NET downloader requests (” .NET downloader has encoded requests with Base64″).
• [T1071.001] Application Layer Protocol: Web Protocols – Communication over HTTPS to download malware (“Attacker communicates over HTTPs to download the RAT”).
• [T1140] Deobfuscate/Decode Files or Information – Decompression of metsus.zip into executable AllaKore RAT (“metsus.zip is decompressed into kgm.exe, which is the AllaKore RAT”).
• [T1056.001] Input Capture: Keylogging – AllaKore RAT can perform keylogging on victims (“AllaKore RAT has the capability to keylog”).
• [T1113] Screen Capture – AllaKore RAT can take screenshots (“AllaKore RAT has the capability to take screenshots”).
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – RAT maintains persistence via startup folder (“Allakore RAT maintains persistence in the system using the startup folder”).
• [T1041] Exfiltration Over C2 Channel – Collected data exfiltrated to C2 servers (“Attacker copies collected information back to the threat actor’s servers”).
• [T1555] Credentials from Password Stores – Theft of credentials and tokens from banking sites (“Attacker has collected information about authentication on target banking sites, and steals authentication artifacts such as credentials and tokens”).
• [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – User account control bypass using CMSTP (“Pnp.exe is a user account control (UAC) bypass utilizing CMSTP compiled off this repo, or a fork”).
• [T1218.003] System Binary Proxy Execution: CMSTP – Use of CMSTP executable to proxy execution of malicious code (“Pnp.exe uses CMSTP, compiled from this repo or a fork, to bypass UAC”).