Email Phishing Campaign Targets Spanish Speakers with Poco RAT

Introduction

A recent email phishing campaign has been identified, targeting Spanish-speaking individuals across various sectors, including mining, manufacturing, hospitality, and utilities. This campaign delivers a new remote access trojan (RAT) known as Poco RAT. According to cybersecurity firm Cofense, these attacks have been ongoing since at least February 2024.

Overview of Poco RAT Campaign

Targeted Sectors

The primary targets of this phishing campaign are organizations within the mining, manufacturing, hospitality, and utilities industries. This focused attack strategy suggests a deliberate effort to compromise critical sectors.

Malware Characteristics

Poco RAT is distinctive due to its custom code, which emphasizes anti-analysis measures, communication with command-and-control (C2) servers, and the downloading and execution of additional files. Interestingly, it shows limited functionality in terms of credential monitoring or harvesting.

Infection Methodology

Phishing Techniques

The infection chains typically start with phishing emails that use finance-themed lures to deceive recipients into clicking on embedded URLs. These URLs lead to a 7-Zip archive file hosted on Google Drive. Other observed methods include HTML or PDF files attached to the emails or linked to Google Drive.

Abuse of Legitimate Services

Threat actors exploit legitimate services such as Google Drive to bypass secure email gateways (SEGs). HTML files linked in the phishing emails contain URLs that, when clicked, download the malware-laden archive. This tactic helps evade SEG detection, as these gateways might only inspect the HTML files, which appear legitimate.
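As an added defensive check (written for this summary, not code from Cofense or the campaign), the script below parses an email and flags HTML attachments whose links or inline-script redirects point at Google Drive, the hosting service abused in the chain described above. The sample message, attachment name and file id are constructed placeholders.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Google Drive, the file host the campaign abused; extend the pattern for other hosts.
HOSTING_RE = re.compile(r"https?://(?:drive|docs)\.google\.com/[^\s\"'<>]+", re.I)
# Constructed sample message carrying an HTML attachment; the file id is a placeholder.
SAMPLE_EML = b"""From: facturacion@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html
Content-Disposition: attachment; filename="factura.html"

<html><body><a href="https://drive.google.com/uc?export=download&amp;id=PLACEHOLDER_FILE_ID">Ver factura</a>
<script>window.location="https://drive.google.com/file/d/PLACEHOLDER_FILE_ID/view";</script>
</body></html>
--b1--
"""

class LinkExtractor(HTMLParser):
    """Collect navigation targets: <a href> values and URLs inside inline scripts."""
    def __init__(self):
        super().__init__()
        self.links, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies to handle_data
            self.links.extend(HOSTING_RE.findall(data))

def hosting_links_in_html(html):
    """Return the de-duplicated file-hosting URLs an HTML document navigates to."""
    p = LinkExtractor()
    p.feed(html)
    return sorted({u for u in p.links if HOSTING_RE.match(u)})

def scan_eml(raw):
    """Return (attachment name, URL) pairs for HTML attachments that point at file hosts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(), url) for part in msg.walk()
            if part.get_content_type() == "text/html" and part.get_filename()
            for url in hosting_links_in_html(part.get_content())]
```

Run `scan_eml` over messages pulled from a quarantine or mail log to surface attachments that an SEG may have passed on the strength of the HTML alone.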

Malware Deployment

Execution and Persistence

Upon launching the 7-Zip archive, the Delphi-based Poco RAT malware establishes persistence on the compromised Windows system and contacts its C2 server to fetch additional payloads. The malware's use of the POCO C++ Libraries is the origin of its name.

Target Region Focus

The campaign is geographically targeted, focusing on Latin America. This is evident because the C2 server does not respond to requests from computers located outside the targeted region. The use of the Delphi programming language, popular in Latin America for banking trojans, further supports this regional focus.

Broader Implications and Similar Attacks

QR Code Phishing

The rise of QR code phishing, where QR codes embedded in PDF files direct users to phishing pages, is another trend in malware distribution. These pages are designed to steal Microsoft 365 login credentials.

Social Engineering Campaigns

There have been other social engineering campaigns that use fake sites promoting popular software to distribute RATs and information stealers like AsyncRAT and RisePro.

Smishing Attacks in India

In a similar vein, a phishing campaign in India involved SMS messages falsely claiming package delivery failures. Recipients were instructed to click on a link to update their details. This campaign, attributed to the Chinese-speaking threat actor Smishing Triad, aimed to harvest personally identifiable information (PII) and payment data.

Conclusion

The email phishing campaign targeting Spanish speakers with Poco RAT represents a significant threat to critical sectors. By exploiting legitimate services and focusing on regional targets, the threat actors behind this campaign demonstrate sophisticated tactics. Awareness and vigilance are essential to defend against such evolving cybersecurity threats.