Since 2021, a cybercriminal group known as Greedy Sponge has been orchestrating targeted attacks against financial institutions in Mexico. Utilizing a significantly modified version of the AllaKore Remote Access Trojan (RAT), these attackers have refined their methods to execute sophisticated financial fraud operations.
Deployment Tactics
Greedy Sponge employs spear-phishing campaigns and drive-by downloads to distribute their malware. They disguise malicious Microsoft Installer (MSI) files as legitimate software updates, which, when executed, deploy a .NET downloader. This downloader retrieves the customized AllaKore payload from command-and-control servers located in Dallas, Texas. Notably, the attackers implement server-side geofencing to ensure that the payload is delivered exclusively to systems within Mexico, thereby enhancing the precision of their attacks.
Technical Enhancements
Recent analyses by Arctic Wolf Labs have revealed that Greedy Sponge has integrated SystemBC into their attack framework. SystemBC is a multi-platform malware proxy tool that facilitates persistent backdoor access and the deployment of additional malicious payloads. This integration signifies an evolution in the group’s operational capabilities, allowing for more robust and adaptable attack strategies.
Persistence and Evasion Mechanisms
The modified AllaKore variant exhibits advanced persistence techniques. Upon infection, the malware places an updated version of itself in the system’s Startup folder, retrieved from a specific URI endpoint. It also executes PowerShell scripts to remove traces of the initial infection from the system, complicating detection efforts.
To evade security controls, the malware employs a User Account Control (UAC) bypass technique that abuses Microsoft's Connection Manager Profile Installer (CMSTP.exe). This method allows the malicious code to execute under the guise of a routine system update, labeled "Actualizando" (Spanish for "updating"). Additionally, the .NET downloader uses a distinctive user-agent string and base64 encoding to obfuscate its network traffic, further evading detection.
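To turn the persistence and evasion behaviours above into detection logic, here is an added example (not code from the original report or from Arctic Wolf Labs) that applies three heuristics to constructed Sysmon-style events; every path, filename and command line in it is made up for illustration.

```python
"""Heuristics for the Greedy Sponge behaviours described above, run over
constructed Sysmon-style events: 'pc' = process creation, 'fc' = file creation."""
import re

# Constructed sample events (paths and command lines are invented for this example).
SAMPLE_EVENTS = [
    {"type": "pc", "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Users\ana\AppData\Local\Temp\updater.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\ana\AppData\Local\Temp\Actualizando.inf"},
    {"type": "pc", "image": r"C:\Windows\System32\cmstp.exe",          # benign: profile from a system path
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmstp.exe /s C:\Windows\System32\corpvpn.inf"},
    {"type": "fc", "image": r"C:\Users\ana\AppData\Local\Temp\updater.exe",
     "target": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\allakore.exe"},
    {"type": "fc", "image": r"C:\Program Files\Office\setup.exe",      # benign: shortcut from an installed app
     "target": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
    {"type": "pc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\ana\AppData\Local\Temp\updater.exe",
     "cmdline": r'powershell -w hidden -c "Remove-Item C:\Users\ana\AppData\Local\Temp\updater.msi -Force"'},
]

USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|temp)\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".vbs", ".js")


def check_event(ev):
    """Return the names of the rules that fire for a single event."""
    hits = []
    img = ev["image"].lower()
    if ev["type"] == "pc" and img.endswith("\\cmstp.exe"):
        # CMSTP UAC bypass: the .inf profile is supplied from a user-writable location.
        m = re.search(r"(\S+\.inf)", ev["cmdline"], re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("cmstp_inf_from_user_writable_path")
    if ev["type"] == "fc" and STARTUP_DIR.search(ev["target"]):
        # Executable dropped into the Startup folder by a process running from a temp/user dir.
        if ev["target"].lower().endswith(EXEC_EXT) and USER_WRITABLE.search(ev["image"]):
            hits.append("startup_folder_executable_drop")
    if ev["type"] == "pc" and img.endswith("\\powershell.exe"):
        # Hidden PowerShell deleting files under a user-writable path: installer trace cleanup.
        c = ev["cmdline"]
        if (re.search(r"-w(indowstyle)?\s+hidden", c, re.I)
                and re.search(r"remove-item|\bdel\s", c, re.I) and USER_WRITABLE.search(c)):
            hits.append("hidden_powershell_temp_cleanup")
    return hits


def scan(events):
    """Map each event's index to the rules it triggered; silent events are omitted."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}
```

Running scan(SAMPLE_EVENTS) flags events 0, 2 and 4 and leaves the two benign lookalikes silent; in production the same rules would read from Sysmon event IDs 1 and 11 rather than from an inline list.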
Implications for Financial Institutions
The activities of Greedy Sponge underscore the evolving threat landscape facing financial institutions. The group’s ability to adapt and enhance their attack methods highlights the necessity for organizations to implement comprehensive cybersecurity measures. This includes regular security audits, employee training on phishing awareness, and the deployment of advanced threat detection systems.
Conclusion
The Greedy Sponge campaign serves as a stark reminder of the persistent and evolving threats targeting the financial sector. Financial institutions must remain vigilant, continuously updating their security protocols to counteract sophisticated cyber threats.