CyberSecurity SEE

Poco RAT: Using Google Drive to Weaponize 7zip Files


Hackers have found a new way to infiltrate systems and deliver malware effectively by weaponizing 7zip files. These archived files are being used to hide malicious content, making it challenging for antivirus programs to detect threats.

In early 2024, researchers at Cofense discovered a new malware family called Poco RAT. It specifically targeted Spanish-speaking individuals working in the mining industry. The initial delivery method was a Google Drive-hosted 7zip archive, and the malware itself focused on file execution, anti-analysis, and C2 communication.

By the second quarter of 2024, Poco RAT had expanded its reach to four different sectors, with mining being its primary target, accounting for 67% of campaigns targeting a single company.

Poco RAT is characterized by its custom code, which is focused on basic RAT functionality rather than extensive monitoring or credential harvesting. The attacks conducted by Poco RAT maintain consistency in their Tactics, Techniques, and Procedures (TTPs).

The distribution of Poco RAT is done through 7zip archives containing executables, delivered through three methods: direct Google Drive URLs in emails (53%), links embedded in HTML files (40%), and links within attached PDFs (7%). These tactics exploit legitimate file hosting services to evade Secure Email Gateways (SEGs).

The HTML method adds an extra layer of obfuscation by first downloading an HTML file that then links to the malware. The PDF method, although the rarest, is potentially the most effective at evading detection, as SEGs often overlook embedded URLs in PDFs.
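As an added defender-side illustration (not code from the Cofense report or this article), the following Python script triages an email for Google Drive links across the three delivery vectors described above: links in the message body, inside an attached HTML file, and inside the link annotations of an attached PDF. The sample message, its placeholder Drive file id, and the minimal PDF are constructed here for the demonstration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Any drive.google.com URL; tighten the path pattern to fit your own telemetry.
DRIVE_URL = re.compile(r"https?://drive\.google\.com/[^\s\"'<>)]+", re.IGNORECASE)
# PDF link annotations store their target as /URI (...) in the raw object stream,
# which is what an SEG that only scans text layers tends to miss.
PDF_URI = re.compile(rb"/URI\s*\(([^)]+)\)")


def drive_links_in_message(raw: bytes) -> dict:
    """Collect Google Drive links per vector: mail body, HTML attachment, PDF attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {"body": [], "html_attachment": [], "pdf_attachment": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        attached = part.get_content_disposition() == "attachment"
        if ctype == "application/pdf" or name.endswith(".pdf"):
            urls = [m.group(1).decode("latin-1", "replace") for m in PDF_URI.finditer(payload)]
            found["pdf_attachment"] += [u for u in urls if DRIVE_URL.match(u)]
        elif attached and (ctype == "text/html" or name.endswith((".htm", ".html"))):
            found["html_attachment"] += DRIVE_URL.findall(payload.decode("utf-8", "replace"))
        elif ctype in ("text/plain", "text/html"):
            found["body"] += DRIVE_URL.findall(payload.decode("utf-8", "replace"))
    return found


def is_suspicious(found: dict) -> bool:
    """Route the message to analyst review when any vector carries a Drive link."""
    return any(found.values())


def build_sample() -> bytes:
    """Constructed sample exercising all three vectors; PLACEHOLDER_ID is not a real IoC."""
    msg = EmailMessage()
    msg["Subject"] = "Factura"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Descargue: https://drive.google.com/uc?id=PLACEHOLDER_ID&export=download")
    html = b'<a href="https://drive.google.com/file/d/PLACEHOLDER_ID/view">abrir</a>'
    msg.add_attachment(html, maintype="text", subtype="html", filename="documento.html")
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
           b"/URI (https://drive.google.com/uc?id=PLACEHOLDER_ID) >> >> endobj\n%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="factura.pdf")
    return msg.as_bytes()
```

Running `drive_links_in_message(build_sample())` returns one link under each of the three vectors; a plain message with no Drive links yields empty lists and `is_suspicious` returns False.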

This multi-layered approach demonstrates the sophistication of threat actors in leveraging various file types and hosting services to successfully deliver malware.

Poco RAT uses POCO C++ libraries and is a Delphi-based malware that arrives as an executable. Despite attempts to evade detection through metadata, the malware faces average detection rates of 38% for executables and 29% for archives.

The malware establishes persistence via registry keys, injects into legitimate processes, and communicates with a C2 server at a specific IP address on particular ports. Its primary functions include gathering environment information and downloading/executing additional malware, potentially leading to more severe compromises.

By using popular open-source libraries and legitimate processes, Poco RAT attempts to blend in with normal system operations to avoid detection.

Overall, the emergence of Poco RAT highlights the evolving tactics employed by hackers to bypass security measures and deliver malware. Organizations need to stay vigilant and enhance their cybersecurity measures to protect against such advanced threats.
