Previous and current execution chains | Image: Arctic Wolf Labs
A financially motivated threat group now known as Greedy Sponge has reemerged with a revamped campaign targeting organizations in Mexico, according to a detailed report by Arctic Wolf Labs. Active since 2021, the group has continued to adapt its tactics, weaponizing a modified version of the AllaKore Remote Access Trojan (RAT) and deploying advanced secondary infections such as SystemBC, in pursuit of banking credentials and financial fraud.
“The AllaKore RAT payload has been heavily modified to enable the threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server, for the purpose of conducting financial fraud,” stated Arctic Wolf.
The recent campaign shows notable advancements. Previously, the geofencing mechanism restricting access to Mexican targets occurred in the trojanized installer. Now, this check happens server-side, significantly complicating analysis and detection by researchers and defenders.
“Historically, geofencing… took place in the first stage… This has now been moved server-side to restrict access to the final payload, thus hampering detection efforts,” the report states.
Attackers leverage spear-phishing emails and drive-by downloads to deliver a zip file containing a trojanized MSI installer masked as a Chrome update (InstalarActualiza_Policy.msi). Once executed, it launches a .NET downloader (Gadget.exe) and a PowerShell cleanup script, silently installing the AllaKore RAT and optionally the SystemBC malware proxy.
Originally an open-source Delphi-based RAT from 2015, AllaKore has been transformed into a highly capable cyber-espionage tool, capable of keylogging, screenshot capture, file transfer, and full device control. The malware gains persistence via scheduled tasks and startup folder implants, with updates delivered via obfuscated URIs such as /z1.txt.
“AllaKore is a potent spying and exfiltration tool… capable of keylogging, screenshotting, uploading/downloading files, and even taking remote control of the victim’s device,” the report explains.
A variant dubbed AllaSenha has even been used to target Brazilian financial institutions, suggesting regional expansion.
Once AllaKore establishes persistence, a secondary infection using SystemBC v2 may be downloaded and executed. Arctic Wolf observed it being hosted at masamadreartesanal[.]com/tag/ss.exe, using a User Account Control (UAC) bypass via CMSTP, a legitimate Microsoft binary.
“Pnp.exe is a user account control (UAC) bypass… adversaries use it to proxy execution of malicious code,” the report notes.
This stealthy escalation significantly enhances the group’s post-exploitation capabilities, enabling them to obfuscate activities and escalate privileges without triggering alarms.
Greedy Sponge’s infrastructure is hosted primarily on Hostwinds servers in Dallas, Texas, with C2 domains registered through NICENIC INTERNATIONAL. Though geographically close to Mexico, this location may place the servers beyond the reach of local authorities.
Their victims span industries from banking and retail to agriculture and manufacturing; the only trait the targeting has in common is the group's motive, financial gain.
The attacker’s infrastructure shows consistency across years of operations, demonstrating operational success. Phishing lures have included mimics of Mexico’s Instituto Mexicano del Seguro Social (IMSS), further reinforcing regional targeting.
Organizations operating in Mexico should consider themselves potential targets, regardless of industry. Arctic Wolf emphasizes the importance of employee awareness, PowerShell logging, and strict software update policies.
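As an added illustration (not code from the Arctic Wolf report or from this article), the following Python sketch runs a few detection rules for the chain described above (the trojanized MSI, Gadget.exe spawned by msiexec, CMSTP and schtasks launched from a user-writable path, the SystemBC host, the /z1.txt update URI) over constructed Sysmon-style events. The event field names, the user profile path and the 203.0.113.10 address are assumptions.

```python
import re
# Indicators quoted in the article; the SystemBC host is re-fanged here for matching.
INSTALLER, DOWNLOADER = "instalaractualiza_policy.msi", "gadget.exe"
SYSTEMBC_HOST, UPDATE_URI = "masamadreartesanal.com", "/z1.txt"
USER_PATH = re.compile(r"^c:\\users\\", re.IGNORECASE)

def ev(kind, image, **fields):
    return {"type": kind, "image": image, **fields}

# Constructed sample events (not from the report): a trimmed Sysmon-style
# view of one infection chain plus one benign network event.
SAMPLE_EVENTS = [
    ev("process", r"C:\Windows\System32\msiexec.exe", parent=r"C:\Windows\explorer.exe",
       cmdline=r"msiexec /i C:\Users\ana\Downloads\InstalarActualiza_Policy.msi"),
    ev("process", r"C:\Users\ana\AppData\Local\Temp\Gadget.exe",
       parent=r"C:\Windows\System32\msiexec.exe", cmdline="Gadget.exe"),
    ev("process", r"C:\Windows\System32\cmstp.exe",
       parent=r"C:\Users\ana\AppData\Local\Temp\Pnp.exe", cmdline="cmstp.exe"),
    ev("process", r"C:\Windows\System32\schtasks.exe",
       parent=r"C:\Users\ana\AppData\Roaming\svc\svc.exe", cmdline="schtasks /create /tn Updater"),
    ev("network", r"C:\Users\ana\AppData\Local\Temp\Gadget.exe",
       host="masamadreartesanal.com", uri="/tag/ss.exe"),
    ev("network", r"C:\Users\ana\AppData\Roaming\svc\svc.exe", host="203.0.113.10", uri="/z1.txt"),
    ev("network", r"C:\Windows\System32\svchost.exe", host="update.example.com", uri="/index.html"),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_name, event_index) for each event that matches a rule."""
    hits = []
    for i, e in enumerate(events):
        if e["type"] == "process":
            img, parent, cmd = basename(e["image"]), basename(e["parent"]), e["cmdline"].lower()
            if img == "msiexec.exe" and INSTALLER in cmd:
                hits.append(("trojanized_installer", i))
            elif img == DOWNLOADER and parent == "msiexec.exe":
                hits.append(("downloader_spawned_by_msi", i))
            # Signed Windows binaries launched from a user-writable path: the
            # CMSTP UAC bypass and scheduled-task persistence set up by the implant.
            elif img in ("cmstp.exe", "schtasks.exe") and USER_PATH.match(e["parent"]):
                hits.append((img[:-4] + "_from_user_path", i))
        elif e["type"] == "network":
            if e["host"].lower() == SYSTEMBC_HOST:
                hits.append(("systembc_host", i))
            elif e["uri"].lower().endswith(UPDATE_URI) and USER_PATH.match(e["image"]):
                hits.append(("allakore_update_uri", i))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the six malicious events and leaves the benign svchost.exe request alone; in practice these rules would be fed from Sysmon event IDs 1 and 3 or the PowerShell logging the report recommends.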