A financially motivated threat actor, now identified as Greedy Sponge, has been relentlessly targeting Mexican organizations with a customized version of the AllaKore Remote Access Trojan (RAT).
Named for its monetary focus and a past reference to a popular “SpongeBob” meme on its command-and-control (C2) infrastructure, this group has evolved its tactics over the years.
Persistent Threat Targets Mexican Organizations
Greedy Sponge has recently enhanced its malware to steal banking credentials and authentication data, enabling sophisticated financial fraud.
Their campaigns, active through 2022 and 2023, now incorporate a secondary infection, SystemBC, a multi-platform malware proxy tool used to download and execute further payloads. This widens the threat to medium and large Mexican companies across diverse sectors, including retail, banking, and public services.
Greedy Sponge’s operational advancements are evident in their updated attack vectors and infrastructure.

Initially, a .NET downloader embedded in trojanized Microsoft Software Installer (MSI) files performed the geofencing check that limited infections to Mexican IP addresses; since mid-2024 the group has moved this restriction server-side, which makes the filtering harder for defenders to observe and detect.
Their delivery mechanism involves spear-phishing and drive-by downloads, often using zip files like “Actualiza_Policy_v01.zip” that bundle legitimate software such as Chrome proxy executables with malicious MSI installers.
These installers deploy a .NET downloader named “Gadget.exe” (internally “Tweaker.exe”), which retrieves the customized AllaKore RAT payload from domains like “manzisuape[.]com”.
Sophisticated Delivery Mechanisms
The RAT, now heavily modified, supports keylogging, screenshots, file uploads/downloads, and remote control capabilities, while persistence is maintained via updated versions downloaded to the Startup folder.

Additionally, secondary infections of SystemBC are executed from endpoints hosted on servers like “masamadreartesanal[.]com”, using techniques such as User Account Control (UAC) bypass through the Microsoft Connection Manager Profile Installer (CMSTP).
Hosted primarily on Hostwinds servers in Dallas, Texas, their infrastructure remains consistent, with phishing domains mimicking Mexican business sites and C2 communications structured for efficient credential exfiltration.
Greedy Sponge’s deep understanding of Mexican economic and regulatory environments, coupled with Spanish-language development and geographically limited targeting, suggests a localized operation with potential ties to the region, as evidenced by RDP access to C2 servers from Mexico.
Their persistence over four years indicates operational success, likely driven by a tiered structure where operators steal data for server-side processing in fraudulent banking schemes.
Arctic Wolf recommends robust user education on phishing, restricted software downloads, and enhanced PowerShell logging to mitigate risks.
Without law enforcement intervention, Greedy Sponge is poised to remain a significant threat to Mexican entities, continuously refining its tactics to evade detection and maximize financial gain.
Arctic Wolf has integrated new detections into its Aurora Platform to protect customers, adapting to emerging indicators of compromise (IOCs) and techniques used by this actor.
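The article names two behaviours that lend themselves to endpoint detection: the CMSTP-based UAC bypass used to launch SystemBC and the RAT's persistence through the Startup folder. The following added example (not Arctic Wolf's or the article's code) runs simple rules over constructed, simplified process-creation and file-write records; the record schema, field names and sample paths are assumptions, not a real Sysmon or EDR format.

```python
"""Toy detection pass for CMSTP-based UAC bypass and Startup-folder persistence.
The event schema and all sample records below are constructed for illustration."""
import re

# User-writable locations from which a legitimate connection-manager .inf is unusual
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Windows\\Temp)\\", re.I)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
DROP_EXTENSIONS = (".exe", ".lnk", ".vbs", ".bat", ".dll")


def inspect(event: dict) -> list[str]:
    """Return the alert names triggered by one event (empty list if nothing fires)."""
    alerts = []
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    tokens = set(event.get("command_line", "").lower().split())
    if event["type"] == "process_create":
        # cmstp.exe run with /ni /s (silent, no desktop icon) on an .inf from a user-writable path
        if image.endswith("\\cmstp.exe") and {"/ni", "/s"} <= tokens \
                and USER_WRITABLE.search(event.get("command_line", "")):
            alerts.append("cmstp_inf_from_user_path")
        # cmstp.exe normally does not spawn child processes; a child is the bypass payload
        if parent.endswith("\\cmstp.exe"):
            alerts.append("cmstp_child_process")
    elif event["type"] == "file_create":
        # A runnable file landing in the per-user Startup folder; baseline legitimate installers
        target = event.get("target", "")
        if STARTUP_DIR.search(target) and target.lower().endswith(DROP_EXTENSIONS):
            alerts.append("startup_folder_drop")
    return alerts


# Constructed sample telemetry: three suspicious records followed by two benign ones
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\cmstp.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmstp.exe /ni /s C:\Users\ana\AppData\Local\Temp\profile.inf"},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\cmstp.exe", "command_line": "cmd.exe /c start"},
    {"id": 3, "type": "file_create", "image": r"C:\Users\ana\AppData\Local\Temp\Gadget.exe",
     "target": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"id": 4, "type": "process_create", "image": r"C:\Windows\System32\cmstp.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"cmstp.exe /s C:\ProgramData\CorpVPN\vpn.inf"},
    {"id": 5, "type": "file_create", "image": r"C:\Program Files\Editor\editor.exe",
     "target": r"C:\Users\ana\Documents\notes.txt"},
]


def run(events: list[dict]) -> list[tuple[int, str]]:
    """Evaluate every event and return (event id, alert name) pairs."""
    return [(e["id"], alert) for e in events for alert in inspect(e)]


if __name__ == "__main__":
    for event_id, alert in run(SAMPLE_EVENTS):
        print(f"event {event_id}: {alert}")
```

The Startup-folder rule is a hunting signal rather than a high-fidelity alert; legitimate installers write there too, so it needs an allow-list tuned to the environment.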
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| AllaKore SHA-256 | 20fe630a63dd1741ec4ade9fe05b2e7e57208f776d5e20bbf0a012fea96ad0c0 |
| .NET Downloader SHA-256 | a83f218d9dbb05c1808a71c75f3535551b67d41da6bb027ac0972597a1fc49fe |
| Phishing Domain | glossovers[.]com |
| AllaKore C2 Domain | manzisuape[.]com |
| SystemBC C2 Domain | pachisuave[.]com |
| Delivery Domain | trenipono[.]com |