A previously unknown group of attackers is behind a new remote access trojan (RAT) that specializes in stealing credentials and spying on networks, and that can also deliver additional malware. The malicious software, named Poco RAT because it uses the POCO C++ libraries as a means of evasion, has primarily targeted companies in the mining and manufacturing sectors in Latin America.
Initially discovered in an email campaign that heavily impacted an undisclosed entity in the Latin American mining industry, the Poco RAT has since expanded its reach to other sectors such as manufacturing, hospitality, and utilities. The email campaign used by the attackers follows a distinct pattern, with messages in Spanish focusing on financial themes like invoices to entice recipients. These emails contain malicious Google Drive and HTML files that serve as carriers for the Poco RAT.
According to Cofense researchers, who have published a detailed report on the malware, the use of legitimate file hosting services like Google Drive has become a common tactic among threat actors to bypass secure email gateways. The distribution methods employed by the attackers varied, including direct links to 7zip archives, embedded links in HTML files, and attachments with PDF files, all leading to the download of the Poco RAT.
The functionality and evasion tactics of the Poco RAT are designed to avoid detection and facilitate communication with a command-and-control server (C2) for carrying out various malicious activities. Upon execution, the malware establishes persistence through a registry key and launches the grpconv.exe process, which has limited legitimate use on modern Windows operating systems. The Delphi-coded executable contains an abundance of Exif metadata, each instance tailored with random corporate details to obfuscate its origins.
In terms of communication, the Poco RAT connects to a static C2 over specific port numbers, and the C2 responds only to infected devices located in Latin America. Once connected, the RAT transmits system data and then downloads and executes files for further malware delivery. To improve its stealth, the malware is built on the widely used POCO C++ libraries, which are less likely to be flagged than custom-coded alternatives.
For organizations looking to detect and counter the Poco RAT, blocking Google Drive links and monitoring network traffic to the identified C2 address are recommended. By tracking the C2’s IP address and setting up alerts for suspicious activity such as the execution of grpconv.exe, instances of the RAT can be intercepted before they cause harm. This proactive approach is essential for safeguarding systems against evolving threats like the Poco RAT.
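The two detection steps just described, as an added example that is not code from the article or from the Cofense report: a small triage script that scans constructed Sysmon-style JSON log lines for grpconv.exe process creation and for connections to a C2 watchlist. The log format, field names and the watchlist address (a documentation-range placeholder, since the real C2 address is only in the report) are all assumptions.

```python
"""Triage constructed endpoint/network telemetry for the two Poco RAT
indicators the article names: grpconv.exe execution and traffic to a C2."""
import json
from pathlib import PureWindowsPath

# Placeholder watchlist (assumption): the real C2 address is in the Cofense
# report, not on this page. 203.0.113.10 is a TEST-NET-3 documentation address.
C2_WATCHLIST = {"203.0.113.10"}

# Constructed sample telemetry (Sysmon-like JSON lines), not captured data.
SAMPLE_LOGS = r"""
{"event":"process_create","host":"ws-01","image":"C:\\Windows\\System32\\svchost.exe","parent":"services.exe"}
{"event":"process_create","host":"ws-02","image":"C:\\Windows\\System32\\grpconv.exe","parent":"factura.exe"}
{"event":"net_connect","host":"ws-02","image":"C:\\Users\\u\\factura.exe","dst_ip":"203.0.113.10"}
{"event":"net_connect","host":"ws-03","image":"C:\\Program Files\\App\\app.exe","dst_ip":"198.51.100.7"}
"""


def parse_event(line: str) -> dict:
    """Parse one JSON log line; blank or malformed lines never raise."""
    line = line.strip()
    if not line:
        return {}
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return {"event": "unparsed", "raw": line}


def triage(lines, c2_watchlist=C2_WATCHLIST):
    """Return (host, reason) alerts for grpconv.exe launches and C2 traffic."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "process_create":
            # Match on the image basename so the path prefix cannot hide it.
            if PureWindowsPath(ev.get("image", "")).name.lower() == "grpconv.exe":
                alerts.append((ev["host"], f"grpconv.exe launched by {ev.get('parent', '?')}"))
        elif kind == "net_connect" and ev.get("dst_ip") in c2_watchlist:
            alerts.append((ev["host"], f"connection to watchlisted C2 {ev['dst_ip']} from {ev.get('image')}"))
    return alerts


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {host}: {reason}")
```

In production the same two checks would run against the EDR or SIEM process-creation and network-connection events rather than a static sample.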

