Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A financially motivated threat group dubbed Greedy Sponge has been targeting Mexican organizations since 2021 with a modified version of AllaKore RAT and SystemBC malware. The group uses spear-phishing and drive-by downloads to deliver custom packaged installers containing the RAT. Recent updates include improved geofencing, more potent secondary infections, and enhanced credential stealing capabilities. The AllaKore payload has been heavily modified to enable theft of banking credentials and authentication information. The group has shown consistent development of their tactics and techniques over time, demonstrating persistence and some level of operational success. Despite their longevity, they are not considered highly advanced, focusing primarily on financial fraud against Mexican entities across various industries.
OPENCTI LABELS :
mexico,spear-phishing,credential theft,systembc,drive-by download,allakore rat,financial fraud,geofencing
AI COMMENTARY :
1. Introduction: Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC
The financial crime landscape in Mexico has seen a troubling evolution since 2021 as a group known as Greedy Sponge has emerged, leveraging spear-phishing and drive-by download campaigns to deliver a heavily modified version of the AllaKore RAT alongside the SystemBC malware. Financially motivated and persistent, this threat actor specifically crafts custom installers to evade detection and steal banking credentials and authentication data from organizations across various industries in Mexico.
2. Background on Greedy Sponge
Greedy Sponge first attracted attention by targeting Mexican entities with tailored phishing emails that mimic legitimate business correspondence. Over time the group refined its approach by incorporating geofencing measures to avoid infecting systems outside Mexico, ensuring a narrow focus on high-value targets. The campaign demonstrates a clear pattern of iterative development, underscoring the actor’s commitment to financial fraud rather than cyber espionage or sabotage.
3. Attack Vectors and Delivery Mechanisms
The primary delivery methods employed by Greedy Sponge include spear-phishing messages containing weaponized attachments and drive-by download attacks hosted on compromised websites. Victims who open the malicious installers unwittingly deploy the custom AllaKore RAT which then establishes a covert channel to the attacker’s infrastructure. SystemBC is often introduced as a secondary payload, functioning as a proxy for additional malware downloads or command and control communication.
4. Technical Evolution of AllaKore and SystemBC
Recent updates to the AllaKore payload have bolstered its geofencing capabilities and introduced more potent modules for credential theft, specifically targeting banking login portals. The group has also enhanced its secondary infection routines to deploy customized stealer components post-compromise. SystemBC remains a versatile tool in the adversary’s arsenal, facilitating encrypted communications and enabling further expansion of the attack chain.
5. Impact on Mexican Organizations and Mitigation Strategies
Organizations in the financial services sector, retail, and manufacturing have reported instances of unauthorized transfers and compromised credentials linked to Greedy Sponge activities. To mitigate the risk, security teams should implement robust email filtering, conduct regular phishing simulations, and monitor network traffic for anomalies associated with SystemBC proxy connections. Endpoint protection solutions with behavioral analysis can help detect modified RAT behaviors and credential dumping techniques.
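The report describes SystemBC as a proxy that holds a channel open for command and control and follow-on downloads, and it recommends watching network traffic for that behaviour. The script below is an added triage example, not code from the report or from any vendor tool: it scans constructed outbound-connection records (hostnames, paths, IPs and thresholds are all invented for illustration) and flags hosts where a process running from a user-writable directory keeps a long-lived outbound session, then pivots on the destination address to find other hosts that talked to the same endpoint.

```python
"""Heuristic triage of outbound-connection records for persistent, proxy-like sessions.

Added example; the field names, thresholds and sample records are assumptions
chosen for illustration, not indicators taken from the report.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Conn:
    host: str        # endpoint that made the connection
    process: str     # full path of the initiating process
    dst_ip: str      # remote address
    dst_port: int    # remote port
    duration_s: int  # how long the session stayed open
    bytes_out: int
    bytes_in: int


# Sessions this long from a user-writable location are worth a look;
# one hour is an assumed threshold, tune it to the environment.
LONG_SESSION_S = 3600

# Path fragments that indicate a user-writable install location.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def is_user_writable(path: str) -> bool:
    """True when the process image lives somewhere an unprivileged user can write."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def score(conn: Conn) -> list[str]:
    """Return the list of indicators a single record matches (empty if none)."""
    reasons: list[str] = []
    if conn.duration_s >= LONG_SESSION_S:
        reasons.append("long-lived session")
    if is_user_writable(conn.process):
        reasons.append("process in user-writable path")
    return reasons


def flag_connections(conns: list[Conn]) -> list[tuple[str, list[str]]]:
    """Flag records that match both indicators: a persistent session held open
    by a binary that was dropped into a user-writable directory."""
    flagged = []
    for c in conns:
        reasons = score(c)
        if len(reasons) == 2:
            flagged.append((c.host, reasons))
    return flagged


def related_hosts(conns: list[Conn], dst_ip: str) -> set[str]:
    """Pivot on a destination: every host that contacted it, flagged or not."""
    return {c.host for c in conns if c.dst_ip == dst_ip}


# Constructed sample telemetry (not real indicators).
SAMPLE_CONNS = [
    Conn("WS-01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "203.0.113.10", 443, 120, 40_000, 900_000),
    Conn("WS-02", r"C:\Users\ana\AppData\Local\Temp\setup_invoice.exe",
         "198.51.100.7", 4001, 7200, 2_300_000, 2_100_000),
    Conn("WS-03", r"C:\Windows\System32\svchost.exe",
         "203.0.113.55", 443, 5400, 12_000, 30_000),
    Conn("WS-04", r"C:\Users\luis\AppData\Roaming\updater.exe",
         "198.51.100.7", 443, 60, 1_000, 2_000),
]


if __name__ == "__main__":
    for host, reasons in flag_connections(SAMPLE_CONNS):
        print(f"{host}: {', '.join(reasons)}")
    # Any host that contacted the same destination as a flagged session
    # is a candidate for the same triage, even if its own session was short.
    print("also contacted 198.51.100.7:", sorted(related_hosts(SAMPLE_CONNS, "198.51.100.7")))
```

Only WS-02 meets both conditions; WS-03 is a long session from a system binary and WS-04 is a short session from a user-writable path, so neither is flagged on its own. The destination pivot then surfaces WS-04 as sharing infrastructure with the flagged host, which is the kind of lead an analyst would chase rather than treating each record in isolation.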
6. Conclusion and Outlook
While Greedy Sponge may not rank among the most sophisticated threat actors globally, their relentless focus on financial fraud and continued refinement of tactics poses a significant risk to Mexican enterprises. The group’s persistence since 2021 highlights the necessity for organizations to maintain vigilance, update security controls, and collaborate on threat intelligence sharing to disrupt ongoing campaigns.