Greedy Sponge, a financially motivated hacking group, has targeted Mexican organizations since early 2021 using modified AllaKore RAT and SystemBC. The group indiscriminately attacks various sectors including retail, agriculture, and banking. The AllaKore RAT payload is designed to capture banking credentials and other authentication data for financial fraud. The campaign employs phishing or drive-by attacks to distribute compromised ZIP files. Greedy Sponge has refined its tactics, incorporating geofencing to limit payload access and using SOCKS5 proxies to communicate with C2 servers.
The AllaKore RAT payload has been heavily modified to enable the threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server, for the purpose of conducting financial fraud.
Historically, geofencing to the Mexican region took place in the first stage, via a .NET downloader included in the trojanized Microsoft software installer (MSI) file. This has now been moved server-side to restrict access to the final payload.
Greedy Sponge has also refined and updated its tradecraft to incorporate improved geofencing measures as of mid-2024 in an attempt to thwart analysis.
Attack chains analyzed by Arctic Wolf show that the remote access trojan is designed to optionally deliver secondary payloads like SystemBC, a C-based malware that turns compromised Windows hosts into SOCKS5 proxies.