Keypoints
- Attackers deliver a modified AllaKore RAT (chancla.exe) via malspam RAR archives and upgraded MSI installer chains that deploy a .NET downloader (ADV.exe) and PowerShell cleanup scripts.
- The MSI/.NET downloader enforces execution guardrails by checking IP geolocation (ipinfo[.]io) to ensure the victim is in Mexico before retrieving the payload.
- The custom RAT adds banking‑specific commands, clipboard/text grabbing (PEGATEXTO), reverse shell capability, file transfer, keylogging and screen capture to support financial fraud targeting Mexican banks and crypto platforms.
- C2 and delivery infrastructure uses numerous domains (e.g., uperrunplay[.]com, trapajina[.]com, dulcebuelos[.]com) and Hostwinds-hosted servers with identifiable MMH hashes and recurring IP addresses (e.g., 23.254.136[.]60, 23.254.202[.]85).
- Installers are built with Advanced Installer and perform staged actions: run ADV.exe (.NET downloader), deobfuscate strings, download kaje.zip (chancla.exe), execute payload, then run PowerShell file_deleter to remove installers.
- Campaign persistence since 2021 with many Mexico-based submissions and Starlink IP usage suggests the operator is regionally focused and likely located in Latin America.
- Extensive IoCs (multiple sha256 hashes, MSI and AllaKore samples, delivery/C2 domains and IPs) and YARA rules are provided for detection and hunting.
MITRE Techniques
- [T1189] Drive-by Compromise – Deliveries used web‑hosted installers and malspam archives to push the RAT (‘Samples from the middle of 2022 … were packaged as RAR files containing the AllaKore sample itself.’)
- [T1204.001] User Execution: Malicious File – Victim execution via user‑run installers and attachments (‘Installer files are structured like malspam attachments and have the following execution path:’)
- [T1059.001] PowerShell – PowerShell scripts are executed for cleanup and orchestration (‘"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\admin\AppData\Local\Temp\AI_4ECB.ps1 …"’)
- [T1218.007] Msiexec (System Binary Proxy Execution) – MSI installers (InstalarPluginSIPARE.msi) are used to run the .NET downloader and chain execution (‘InstalarPluginSIPARE.msi is built with Advanced Installer 18.3. This file deploys a .NET downloader …’)
- [T1480] Execution Guardrails – Downloader verifies the victim is in Mexico via IP geolocation before proceeding (‘The downloader first verifies that the target is located in Mexico, verified via network IP location services before downloading the customized AllaKore RAT.’)
- [T1070.004] File Deletion – Post‑installation PowerShell removes installer artifacts (‘They are used to clear out the ADV directory once the final payload is delivered.’)
- [T1140] Deobfuscate/Decode Files or Information – .NET downloader deobfuscates strings to reveal download URLs (‘The rest of the downloader’s execution deobfuscates strings and then downloads content from hxxps://trapajina[.]com/516.’)
- [T1105] Ingress Tool Transfer – ADV.exe downloads kaje.zip which contains the final payload (chancla.exe) (‘The file is saved as “kaje.zip”. “Kaje.zip” is decompressed into the final payload, “chancla.exe”.’)
- [T1071.001] Web Protocols – C2 communication and payload hosting over HTTP(S) endpoints like registrauser.php and license.txt (‘registrauser[.]php is the C2, which is used for communication with the RAT.’)
- [T1219] Remote Access Software – Modified AllaKore operates as remote access software for interactive control (‘AllaKore RAT … potent capability to keylog, screencapture, upload/download files, and even take remote control of victim’s machine.’)
- [T1056.001] Input Capture: Keylogging – RAT includes keylogging/input capture to harvest credentials (‘AllaKore RAT … has the potent capability to keylog’)
- [T1113] Screen Capture – RAT can capture screenshots of victim systems (‘AllaKore RAT … screencapture’)
- [T1041] Exfiltration Over C2 Channels – Stolen credentials and authentication data are sent back to C2 for fraud operations (‘send stolen banking credentials and unique authentication information back to a command-and-control (C2) server’)
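The installer chain above (msiexec running InstalarPluginSIPARE.msi, ADV.exe querying ipinfo[.]io for the Mexico guardrail, then an Advanced Installer PowerShell custom action run with `-ExecutionPolicy AllSigned -Command "...\Temp\AI_xxxx.ps1"`) can be expressed as a small behavioural detector. The following is an added example written for this summary, not code from the report or from any vendor: the telemetry is constructed in a Sysmon-like shape, and the field names, pids, rule names and the ADV.exe path are assumptions.

```python
"""Behavioural detection for the MSI -> ADV.exe -> PowerShell installer chain.

Added example: the events below are CONSTRUCTED in a Sysmon-like shape
(process creation with parent pid, and outbound network connection); the
field names, pids and the ADV.exe path are assumptions, not report data.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str                # full path of the process
    parent_pid: int = 0       # creating process (process events only)
    command_line: str = ""
    dest_host: str = ""       # destination hostname (network events only)


# Advanced Installer's PowerShell custom action, as quoted in the report:
#   -ExecutionPolicy AllSigned -Command "...\AppData\Local\Temp\AI_xxxx.ps1"
TEMP_PS1 = re.compile(r'AppData\\Local\\Temp\\[^\s"]+\.ps1', re.IGNORECASE)
# Geolocation service the .NET downloader queries for its Mexico-only guardrail
GEOIP_HOSTS = {"ipinfo.io"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, proc, max_depth=16):
    """Image basenames from proc upward through the parents we have events for."""
    chain, cur, seen = [], proc, set()
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.parent_pid)
    return chain


def detect(events):
    """Return (rule_name, pid) findings; the rule names are this example's own."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    for e in events:
        if e.kind == "process":
            chain = ancestry(by_pid, e)
            name, under_msi = chain[0], "msiexec.exe" in chain[1:]
            cmd = e.command_line.lower()
            # Stage 1: the MSI runs the .NET downloader
            if name == "adv.exe" and under_msi:
                findings.append(("msi_dropped_dotnet_downloader", e.pid))
            # Stage 3: PowerShell cleanup script launched from the installer
            if (name == "powershell.exe" and under_msi
                    and "-executionpolicy allsigned" in cmd
                    and TEMP_PS1.search(e.command_line)):
                findings.append(("msi_spawned_powershell_temp_script", e.pid))
        elif e.kind == "network":
            # Stage 2: execution guardrail, geolocation lookup by an installer child
            proc = by_pid.get(e.pid)
            if (proc and e.dest_host.lower() in GEOIP_HOSTS
                    and "msiexec.exe" in ancestry(by_pid, proc)):
                findings.append(("geoip_guardrail_check_from_installer_child", e.pid))
    return findings


# Constructed sample telemetry (not real events): the malicious chain plus two benign decoys
SAMPLE_EVENTS = [
    Event("process", 100, r"C:\Windows\System32\msiexec.exe", parent_pid=50,
          command_line="msiexec.exe /i InstalarPluginSIPARE.msi"),
    Event("process", 200, r"C:\Users\admin\AppData\Local\Temp\ADV\ADV.exe",   # path assumed
          parent_pid=100, command_line="ADV.exe"),
    Event("network", 200, r"C:\Users\admin\AppData\Local\Temp\ADV\ADV.exe", dest_host="ipinfo.io"),
    Event("process", 300, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe", parent_pid=100,
          command_line=r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive '
                       r'-NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\admin\AppData\Local\Temp\AI_4ECB.ps1"'),
    # Benign: an analyst's interactive PowerShell, and a browser using the same geolocation site
    Event("process", 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", parent_pid=50,
          command_line="powershell.exe -Command Get-Process"),
    Event("process", 500, r"C:\Program Files\Google\Chrome\Application\chrome.exe", parent_pid=50),
    Event("network", 500, r"C:\Program Files\Google\Chrome\Application\chrome.exe", dest_host="ipinfo.io"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The ancestry walk is what keeps the rules quiet on normal hosts: a geolocation lookup or an AllSigned PowerShell run is only interesting here when it descends from msiexec.exe, which is the shape the report describes. Tying the rules to the parent chain rather than to the file name alone also survives the operator renaming ADV.exe.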
Indicators of Compromise
- [File hashes] loader/payload context – chancla.exe (SHA256: aa11bedc…96e19f), Chrome32.exe extension (SHA256: 0b8b88ff…), and many .NET loader/MSI hashes (dozens more listed)
- [File names] installer/payload context – InstalarPluginSIPARE.msi, aluminio.rar -> aluminio.exe, chancla.exe
- [Domains] delivery/C2 context – uperrunplay[.]com (C2), trapajina[.]com (delivery), dulcebuelos[.]com (payload host), and other delivery domains
- [IPs] infrastructure context – 23.254.136[.]60 (delivery server), 23.254.202[.]85 (C2/delivery), 192.119.99[.]234-238 (C2 range)
- [Network endpoints] C2 paths/context – registrauser.php (C2), license.txt / license2.txt (update pointers)
The technical deployment follows a staged installer and downloader chain: early campaigns delivered the AllaKore RAT inside RAR archives that decompressed aluminio.exe, whereas later iterations wrap a .NET downloader inside an MSI (InstalarPluginSIPARE.msi) built with Advanced Installer. The MSI drops ADV.exe (.NET downloader) and PowerShell cleanup scripts; ADV.exe first checks geolocation via ipinfo[.]io and exits unless the response indicates MX, then deobfuscates strings and downloads kaje.zip (saved file name) from delivery domains (e.g., trapajina[.]com/516). Kaje.zip unpacks into chancla.exe — the customized AllaKore RAT — which uses a consistent user agent and contacts C2 endpoints (registrauser.php, license.txt) to receive commands and updates.
Chancla.exe extends the open‑source AllaKore RAT with banking‑specific functions: clipboard/text capture (PEGATEXTO) using Ctrl+C/Ctrl+V, reverse shell command (), file download/execute routines to fetch additional components, and standard collection capabilities (keylogging, screen capture, upload/download). The MSI/ADV chain includes a cleanup phase executed by file_deleter.ps1 to remove installation artifacts, aiding concealment. C2 and delivery domains rotate frequently but share HTML/favicons and are predominantly hosted via Hostwinds/eNom infrastructure; delivery servers have consistently used 23.254.136[.]60 and ZeroSSL certificates since 2022.
Operational patterns supporting attribution and hunt capabilities: the downloader enforces execution guardrails (Mexico geolocation) and uses obfuscated functions to hide URLs, payloads are retrieved from identifiable delivery domains (dulcebuelos[.]com, trapajina[.]com, praminon[.]com), and persistent C2 ranges (e.g., 192.119.99[.]234-238, 23.236.143[.]214) and MMH favicon/html hashes allow tracking. Detection controls should prioritize known MSI/.NET loader sha256 hashes, the listed delivery/C2 domains and IPs, the distinctive AllaKore custom function strings (e.g., , ), and monitoring for Advanced Installer exe chains and PowerShell cleanup activity.
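The delivery/C2 domains, IP addresses and C2 paths listed in the Indicators of Compromise section and summarised here are the natural input for a log hunt. The script below is an added example, not part of the report: it keeps the indicators defanged as written, refangs them for matching, expands the 192.119.99[.]234-238 range, and runs the result over constructed proxy-log lines. The log format (`timestamp src_ip method url status`), the subdomain matching and the strong/weak labelling are this example's own choices.

```python
"""Hunt for the report's network IoCs in proxy logs.

Added example. Indicators are kept defanged (as the report lists them) so the
rule set is safe to paste around; sample log lines are CONSTRUCTED.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as they appear in the report, with their stated role
DOMAIN_IOCS = {
    "uperrunplay[.]com": "C2",
    "trapajina[.]com": "delivery",
    "dulcebuelos[.]com": "payload host",
    "praminon[.]com": "delivery",
}
IP_IOCS = {
    "23.254.136[.]60": "delivery server",
    "23.254.202[.]85": "C2/delivery",
    "23.236.143[.]214": "C2",
    "192.119.99[.]234-238": "C2 range",
}
PATH_IOCS = {
    "/registrauser.php": "C2 check-in",
    "/license.txt": "update pointer",
    "/license2.txt": "update pointer",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into its live form for matching."""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", "."), flags=re.IGNORECASE)


def expand_ip_spec(spec: str) -> set:
    """Expand a single address or a last-octet range like 192.119.99.234-238."""
    if "-" in spec:
        head, last = spec.rsplit("-", 1)
        start = ipaddress.ip_address(head)
        end = ipaddress.ip_address(head.rsplit(".", 1)[0] + "." + last)
        return {ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)}
    return {ipaddress.ip_address(spec)}


DOMAINS = {refang(d): ctx for d, ctx in DOMAIN_IOCS.items()}
IPS = {ip: ctx for spec, ctx in IP_IOCS.items() for ip in expand_ip_spec(refang(spec))}


def match_url(url: str):
    """Return (indicator, context, strength) hits for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    for dom, ctx in DOMAINS.items():
        if host == dom or host.endswith("." + dom):      # exact host or any subdomain
            hits.append((dom, ctx, "strong"))
    try:
        ip = ipaddress.ip_address(host)                   # direct-to-IP requests
        if ip in IPS:
            hits.append((str(ip), IPS[ip], "strong"))
    except ValueError:
        pass                                              # host was a name, not an address
    path = parts.path.lower()
    if path in PATH_IOCS:
        # A generic path such as /license.txt is only a lead unless the host also matched
        strength = "strong" if hits else "weak"
        hits.append((path, PATH_IOCS[path], strength))
    return hits


def hunt(log_lines):
    """Scan 'timestamp src_ip method url status' lines; return (src_ip, url, hits) per hit line."""
    results = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        hits = match_url(fields[3])
        if hits:
            results.append((fields[1], fields[3], hits))
    return results


# Constructed sample proxy lines (not real traffic)
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 GET https://trapajina.com/516 200",
    "2024-05-01T10:00:04Z 10.0.0.5 POST http://uperrunplay.com/registrauser.php 200",
    "2024-05-01T10:00:09Z 10.0.0.7 GET http://192.119.99.236/license.txt 200",
    "2024-05-01T10:01:00Z 10.0.0.9 GET https://www.example.com/license.txt 404",
    "2024-05-01T10:02:00Z 10.0.0.9 GET https://www.example.org/ 200",
]

if __name__ == "__main__":
    for src, url, hits in hunt(SAMPLE_LOG):
        print(src, url, hits)
```

Keeping the indicators in their defanged form and refanging only at match time means the same file can be shared in a report or ticket without producing live links, while the weak/strong split stops a bare `/license.txt` request to an unrelated host from paging anyone.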