AllaKore

Malware

⚠️ Overview

AllaKore is a remote access trojan (RAT) first documented in 2018 by Trend Micro researchers, primarily targeting financial institutions in Latin America, especially Brazil. It is attributed to the Portuguese-speaking threat group tracked as TA2722 (also known as Guildma) and falls under the malware category of credential-stealing RATs often used in targeted banking fraud campaigns.

🔧 Technical Capabilities

Written in Delphi and compiled as a 32-bit executable, AllaKore propagates through spear-phishing emails containing malicious Microsoft Office attachments that execute macro-based downloaders. Once installed, it establishes command-and-control (C2) communication over HTTP, often using dynamic DNS domains and a custom encryption scheme for its traffic. Persistence is achieved via a registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AllaKore). Evasion techniques include anti-debugging checks via IsDebuggerPresent, detection of virtual machine environments through hardware artifacts, and obfuscation of strings and API calls. The RAT captures keystrokes, takes periodic screenshots, exfiltrates browser and FTP client credentials, and downloads additional payloads; these capabilities map to MITRE ATT&CK techniques T1056.001 (Input Capture: Keylogging), T1113 (Screen Capture), and T1005 (Data from Local System).

📜 History & Notable Incidents

First identified in mid-2018, AllaKore was used in coordinated campaigns against major Brazilian banks such as Banco do Brasil, Bradesco, and Caixa Econômica Federal. In 2019, Trend Micro published a detailed analysis (report ID: TREND-2019-002) linking the malware to a broader infrastructure of Latin American banking trojans. No law enforcement takedowns or CVEs are directly associated with AllaKore itself, but the malware has been observed in tandem with Grandoreiro and other RATs in multi-stage attacks reported by Proofpoint in 2020.

🔍 Detection Indicators

Known file hashes include SHA-256 d7a6f3c8e9b1a2c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6z7 (an illustrative placeholder rather than a real digest; actual hashes are available on VirusTotal). Network indicators include User-Agent strings such as Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) and C2 domains using .tk and .ml TLDs. Behavioral signatures include the creation of a mutex named AllaKore_Mutex and persistent registry entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

☠️ Risk & Impact

AllaKore directly causes financial theft by stealing online banking credentials and performing fraudulent transactions, often resulting in losses of thousands of dollars per victim. The malware primarily affects the banking and financial services sector in Latin America, with secondary impact on e-commerce users whose credentials are captured from browser sessions. Data exfiltration of saved passwords and session cookies further compounds the risk of account takeover and identity fraud.

🛡️ Mitigation

Defenders should implement endpoint detection rules that flag the AllaKore mutex and registry run key, block known C2 domains via DNS filtering, and disable Office macros from untrusted sources. Organizations in the financial sector should deploy behavioral analysis tools (e.g., YARA rules based on Trend Micro’s 2019 report) and conduct user awareness training on phishing with malicious attachments.
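The following detection script is an added example written for this page; it is not code from the original page, from Trend Micro, or from any vendor. It turns the indicators listed under Detection Indicators and the rules suggested under Mitigation (mutex name, Run-key value, User-Agent plus .tk/.ml C2 domain, file hash) into a small matcher over normalised telemetry. The event dictionary layout (`type`, `key`, `value_name`, `host`, `user_agent`, `sha256`) and the sample events are assumptions constructed for the example. It also shows why the page's placeholder hash must be validated before loading: it contains non-hex characters and would never match anything.

```python
"""Added example: match the AllaKore indicators from the page against sample telemetry."""
import re
from dataclasses import dataclass

# Indicators as listed on the page. The page's SHA-256 is an explicit placeholder
# (it contains the letters g-z, which cannot occur in a hex digest), so it is kept
# here only to demonstrate that the IoC loader rejects it.
PAGE_HASHES = ["d7a6f3c8e9b1a2c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6z7"]
MUTEX_NAME = "AllaKore_Mutex"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SUSPICIOUS_TLDS = (".tk", ".ml")

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def load_hash_iocs(values):
    """Keep only syntactically valid SHA-256 digests, lower-cased for matching."""
    return {v.lower() for v in values if SHA256_RE.match(v.lower())}


@dataclass(frozen=True)
class Alert:
    rule: str        # short rule name
    severity: str    # "high" or "low"
    evidence: str    # the field(s) that matched


def scan_event(event, hash_iocs):
    """Apply the page's indicators to one normalised telemetry event (assumed layout)."""
    kind = event.get("type")
    if kind == "registry_set":
        key = event.get("key", "")
        name = event.get("value_name", "")
        data = event.get("data", "")
        # Legitimate software writes Run keys constantly, so only flag the
        # Run-key writes that carry the AllaKore name the page describes.
        if key.lower().startswith(RUN_KEY.lower()) and "allakore" in (name + data).lower():
            return Alert("allakore_run_key", "high", f"{key}\\{name} = {data}")
    elif kind == "mutex_create":
        if event.get("name") == MUTEX_NAME:
            return Alert("allakore_mutex", "high", event["name"])
    elif kind == "http":
        host = event.get("host", "").lower()
        ua_match = event.get("user_agent") == USER_AGENT
        tld_match = host.endswith(SUSPICIOUS_TLDS)
        if ua_match and tld_match:
            return Alert("allakore_c2_beacon", "high", f"{host} {event.get('user_agent')}")
        if ua_match:
            # The MSIE 6.0 string also appears in legacy software, so alone it is low confidence.
            return Alert("legacy_msie_user_agent", "low", event.get("user_agent"))
    elif kind == "file_hash":
        digest = event.get("sha256", "").lower()
        if digest in hash_iocs:
            return Alert("known_hash", "high", digest)
    return None


def scan(events, hash_values=PAGE_HASHES):
    """Run every event through the rules and return the alerts raised, in input order."""
    iocs = load_hash_iocs(hash_values)
    alerts = []
    for ev in events:
        alert = scan_event(ev, iocs)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not captured from a real infection).
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "AllaKore", "data": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "mutex_create", "name": "AllaKore_Mutex"},
    {"type": "http", "host": "update-check.example.tk", "user_agent": USER_AGENT},
    {"type": "http", "host": "intranet.example.com", "user_agent": USER_AGENT},
    {"type": "file_hash", "sha256": PAGE_HASHES[0]},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.evidence}")
```

Run as-is it raises four alerts from the six sample events: the AllaKore Run-key write, the mutex, the beacon to a .tk host, and a low-severity note for the bare User-Agent match; the OneDrive Run-key write is ignored and the placeholder hash never loads, so the file-hash event is silent. Replace `PAGE_HASHES` with real digests from VirusTotal before using the hash rule.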


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.