Greedy Sponge

Greedy Sponge is an emerging financially motivated cyber threat group active since early 2021. This syndicate targets medium- to large-sized Mexican companies across a wide range of industries by using spear-phishing and drive-by downloads. Their highly customized malware suite—built around a modified AllaKore Remote Access Trojan (RAT) and SystemBC proxy tool—is designed for cyber financial fraud.

---

Threat Type & Technical Summary

Attribute	Details
Threat type	Remote Access Trojan (AllaKore RAT) & Proxy Malware (SystemBC)
Detection names	Modified AllaKore RAT, SystemBC proxy
Symptoms of infection	Silent keylogging, screenshots, file transfers, banking credential theft, persistence on startup
Damage & distribution	Heavy financial fraud via stolen banking credentials and tokens; delivered through MSI installer trojanized via zip, spear-phishing, malicious downloads
Danger level	High – capable of deep system control, credential theft, and stealthy exfiltration
Removal tool	SpyHunter (Download SpyHunter)

---

Detailed Threat Evaluation

1. How They Get In

Targets are sent Spanish-named zipped files—often masked as policy updates or legitimate installers containing a trojanized MSI. These files house a .NET downloader (Gadget.exe/Tweaker.exe) that fetches the modified AllaKore RAT and, optionally, SystemBC.

2. What It Does

Once installed, the RAT facilitates remote control:

• Keylogging, screenshots, file uploads/downloads
• Credential and authentication token theft specifically from banking applications
• Persistence via startup folder, with automatic updates pulled from command-and-control servers

SystemBC operates as a proxy downloader to retrieve additional malware and help evade detection. A CMSTP-based UAC bypass (Pnp.exe) ensures the malware gains elevated privileges.

3. Should You Be Worried?

Absolutely. This is a targeted cyber fraud operation with multi-stage infiltration, robust persistence, and sophisticated credential theft capacities. Any organization interacting with banking systems, especially in Mexico, is at real risk.

---

Campaign Infrastructure

• C2 Domains
  • AllaKore RAT: manzisuape[.]com, trenipono[.]com
  • SystemBC: pachisuave[.]com
• Phishing Domains include: glossovers[.]com, logisticasmata[.]com, inmobiliariaarte[.]com, and others
• IP Addresses: Hostwinds-based hosting, such as 254.133[.]54 and command-and-control IP 142.11.199[.]35

---

Should You Be Concerned?

Yes. Greedy Sponge is a serious threat:

• Spear-phishing ensures targeted delivery
• Custom infrastructure and payloads enhance stealth and efficacy
• Credential theft and UAC bypass pose serious financial and security risks

---

Malware Campaign Action Overview

• Initial Access: Zipped MSI via phishing
• Execution: .NET downloader → AllaKore installer → persistence
• Privilege Escalation: UAC bypass via Pnp.exe (CMSTP exploit)
• Credential Capture: Keylogging, screenshots, banking token theft
• Lateral Movement: Secondary payload (SystemBC) for proxy/downloads
• Exfiltration: Data sent to command-and-control servers

---

Manual Trojan Malware Removal Guide

Step 1: Boot into Safe Mode

1. Restart your computer.
2. Before Windows starts, press the F8 key (or Shift + F8 on some systems).
3. Select Safe Mode with Networking from the Advanced Boot Options menu.
4. Press Enter to boot.

This prevents the Trojan from running and makes it easier to remove.

---

Step 2: Identify and Stop Malicious Processes

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Go to the Processes tab (or Details in Windows 10/11).
3. Look for suspicious processes using high CPU or memory, or with unfamiliar names.
4. Right-click on the suspicious process and select Open File Location.
5. If the file is in a temporary or system folder and looks unfamiliar, it is likely malicious.
6. Right-click the process and choose End Task.
7. Delete the associated file in File Explorer.

---

Step 3: Remove Trojan-Related Files and Folders

1. Press Win + R, type %temp%, and press Enter.
2. Delete all files in the Temp folder.
3. Also check these directories for unfamiliar or recently created files:
   • C:\Users\YourUser\AppData\Local\Temp
   • C:\Windows\Temp
   • C:\Program Files (x86)
   • C:\ProgramData
   • C:\Users\YourUser\AppData\Roaming
4. Delete suspicious files or folders.

---

Step 4: Clean Trojan Malware from Registry

1. Press Win + R, type regedit, and press Enter.
2. Navigate to the following paths:
   • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Look for entries launching files from suspicious locations.
4. Right-click and delete any entries you don’t recognize.

Warning: Editing the registry can harm your system if done improperly. Proceed with caution.

---

Step 5: Reset Browser Settings

Google Chrome

1. Go to Settings > Reset Settings.
2. Click Restore settings to their original defaults and confirm.

Mozilla Firefox

1. Go to Help > More Troubleshooting Information.
2. Click Refresh Firefox.

Microsoft Edge

1. Go to Settings > Reset settings.
2. Click Restore settings to their default values.

---

Step 6: Run a Full Windows Defender Scan

1. Open Windows Security via Settings > Update & Security.
2. Click Virus & threat protection.
3. Choose Scan options, select Full scan, and click Scan now.

---

Step 7: Update Windows and Installed Software

1. Press Win + I, go to Update & Security > Windows Update.
2. Click Check for updates and install all available updates.

---

Automatic Trojan Removal Using SpyHunter

If manually removing the Trojan seems difficult or time-consuming, using SpyHunter is the recommended method. SpyHunter is an advanced anti-malware tool that detects and eliminates Trojan infections effectively.

Step 1: Download SpyHunter

Use the following official link to download SpyHunter: Download SpyHunter

For full instructions on how to install, follow this page: Official SpyHunter Download Instructions

---

Step 2: Install SpyHunter

1. Locate the SpyHunter-Installer.exe file in your Downloads folder.
2. Double-click the installer to begin setup.
3. Follow the on-screen prompts to complete the installation.

---

Step 3: Scan Your System

1. Open SpyHunter.
2. Click Start Scan Now.
3. Let the program detect all threats, including Trojan components.

---

Step 4: Remove Detected Malware

1. After the scan, click Fix Threats.
2. SpyHunter will automatically quarantine and remove all identified malicious components.

---

Step 5: Restart Your Computer

Restart your system to ensure all changes take effect and the threat is completely removed.

---

Tips to Prevent Future Trojan Infections

• Avoid downloading pirated software or opening unknown email attachments.
• Only visit trusted websites and avoid clicking on suspicious ads or pop-ups.
• Use a real-time antivirus solution like SpyHunter for ongoing protection.
• Keep your operating system, browsers, and software up to date.

Conclusion

Greedy Sponge is a sophisticated and highly targeted threat aimed at financial systems, particularly in Mexico. Its use of a custom AllaKore RAT and stealthy proxy infrastructure makes it an advanced cybercriminal operation. Organizations must stay vigilant with strong endpoint protection, network monitoring, and employee phishing awareness. Immediate malware removal using SpyHunter is strongly recommended to eliminate infections and restore system integrity.