Introduction
Dark Caracal, a well-known cyber threat actor, has been linked to a recent cyber espionage campaign deploying Poco RAT, a remote access trojan (RAT) targeting Spanish-speaking enterprises in Latin America. According to cybersecurity firm Positive Technologies, this sophisticated malware is equipped with extensive espionage capabilities, allowing attackers to infiltrate and manipulate compromised systems. This report examines the nature of the attack, the malware's technical attributes, and its implications for organizations in the affected regions.
Characteristics of Poco RAT and Attack Methodology
Poco RAT, first documented by Cofense in July 2024, has been identified in phishing campaigns targeting sectors such as mining, manufacturing, hospitality, and utilities. The attack chains leverage finance-themed phishing lures, initiating a multi-stage infection process that ultimately deploys the malware.
Positive Technologies has attributed these recent attacks to Dark Caracal, a persistent cyber espionage group operational since at least 2012. The group's previous activities include deploying malware families such as CrossRAT and Bandook. In 2021, Dark Caracal orchestrated the "Bandidos" campaign, distributing an updated Bandook variant to Spanish-speaking nations in South America. The latest attacks maintain a similar focus, relying on invoice-themed phishing emails with malicious Spanish-language attachments.
Targeted Sectors and Infection Process
The malware campaign primarily targets enterprises in Venezuela, Chile, the Dominican Republic, Colombia, and Ecuador. The phishing emails are carefully crafted to appear as legitimate business communications, often impersonating banking, manufacturing, healthcare, pharmaceuticals, and logistics entities to enhance credibility.
Once the victim opens the attached document, it directs them to a URL that downloads a .rev archive hosted on legitimate file-sharing platforms such as Google Drive and Dropbox. A .rev file is a WinRAR recovery volume, a format intended for reconstructing damaged or missing parts of a multi-volume archive; here it is repurposed as a delivery container to evade detection, and the reputable hosting domains likewise help the download blend in with ordinary traffic.
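A simple way to hunt for this delivery pattern is to scan web-proxy logs for downloads of `.rev` files from the file-sharing services named above. The following is an added example, not code from the report or from Positive Technologies; the log format, the sample log lines, the file names and the Google/Dropbox content-delivery host suffixes (`googleusercontent.com`, `dropboxusercontent.com`) are all constructed assumptions for illustration.

```python
"""Flag proxy-log entries in which a .rev archive (a WinRAR recovery volume)
is fetched from a public file-sharing service.

Added example for the Poco RAT delivery chain; not the report's own tooling.
The log line format and the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hosting services abused in the campaign, plus the direct-download hosts those
# services redirect to (assumption: these CDN suffixes cover the typical flow).
FILE_SHARING_SUFFIXES = (
    "drive.google.com",
    "googleusercontent.com",
    "dropbox.com",
    "dropboxusercontent.com",
)

SUSPECT_EXTENSIONS = (".rev",)

# Assumed key=value proxy log format; adapt the regex to your own proxy.
LOG_RE = re.compile(
    r'user=(?P<user>\S+) src=(?P<src>\S+) .*?url="(?P<url>[^"]+)" status=(?P<status>\d+)'
)

# Matches filename="x.rev", filename*=UTF-8''x.rev, filename=x.rev
FILENAME_HINT_RE = re.compile(r'''filename\*?=(?:UTF-8'')?"?([^";]+)''', re.I)

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    '2024-07-15T09:11:58Z user=j.perez src=10.20.1.15 method=GET '
    'url="https://www.dropbox.com/s/abc123/Q2_report.pdf?dl=1" status=200',
    '2024-07-15T09:12:03Z user=j.perez src=10.20.1.15 method=GET '
    'url="https://dl.dropboxusercontent.com/s/abc123/Factura_2024-0931.rev?dl=1" status=200',
    '2024-07-15T09:15:41Z user=m.soto src=10.20.1.22 method=GET '
    'url="https://drive.google.com/uc?export=download&id=1xyz'
    '&response-content-disposition=attachment%3B%20filename%3D%22Comprobante_pago.rev%22" status=200',
    '2024-07-15T09:16:10Z user=m.soto src=10.20.1.22 method=GET '
    'url="https://intranet.example.local/backup/archive.part1.rev" status=200',
    'malformed line that does not match the expected format',
]


def host_is_file_sharing(host: str) -> bool:
    """True if host is one of the file-sharing domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in FILE_SHARING_SUFFIXES)


def candidate_filenames(url: str):
    """Yield every file name a download URL may carry: the last path segment
    and any filename hint in the query string (e.g. response-content-disposition),
    since Google Drive style links put the real name in the query, not the path."""
    parsed = urlparse(url)
    last_segment = unquote(parsed.path.rsplit("/", 1)[-1])
    if last_segment:
        yield last_segment
    for key, values in parse_qs(parsed.query).items():
        for value in values:
            value = unquote(value)
            hint = FILENAME_HINT_RE.search(value)
            if hint:
                yield hint.group(1)
            elif key.lower() in ("filename", "file", "name"):
                yield value


def is_suspect_download(url: str) -> bool:
    """A .rev fetched from a file-sharing host matches the campaign's delivery pattern.
    The host check scopes the rule to the reported TTP; drop it to alert on any .rev."""
    parsed = urlparse(url)
    if not host_is_file_sharing(parsed.hostname or ""):
        return False
    return any(name.lower().endswith(SUSPECT_EXTENSIONS) for name in candidate_filenames(url))


def scan_proxy_log(lines):
    """Return one alert dict per matching log line; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        match = LOG_RE.search(line)
        if match and is_suspect_download(match["url"]):
            alerts.append(
                {
                    "user": match["user"],
                    "src": match["src"],
                    "url": match["url"],
                    "status": int(match["status"]),
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOGS):
        print(f"ALERT .rev download by {alert['user']} ({alert['src']}): {alert['url']}")
```

Of the constructed lines, only the Dropbox and Google Drive `.rev` fetches are flagged; the internal `.rev` on `intranet.example.local` is deliberately ignored because the rule is scoped to the campaign's use of public hosting, and the PDF from Dropbox is benign. The query-string check matters because a Google Drive direct-download link carries the real file name in `response-content-disposition` rather than in the URL path.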
Technical Capabilities of Poco RAT
Poco RAT is deployed by a Delphi-based dropper; once running, the RAT gives remote operators control of the compromised system. Named after the POCO C++ libraries its codebase is built on, the malware supports the following commands:
T-01 – Collecting and transmitting system data to a command-and-control (C2) server.
T-02 – Extracting and sending the active window title to the C2 server.
T-03 – Downloading and executing additional malicious payloads.
T-04 – Transferring files to the compromised machine.
T-05 – Capturing and exfiltrating screenshots.
T-06 – Executing system commands and relaying the output to the C2 server.
Unlike many mature RATs, Poco RAT has no built-in persistence mechanism. Operators may instead issue follow-up commands to establish persistence once initial reconnaissance is complete, or treat Poco RAT purely as a first-stage foothold for deploying more capable payloads. For responders this means the implant itself may not survive a reboot, but any persistence an operator adds afterwards will be a separate artifact on the host rather than part of the Poco RAT binary, so triage should not stop at the RAT sample.
Conclusion
Dark Caracal's continued targeting of Spanish-speaking enterprises underscores the persistent threat of nation-state-backed cyber espionage. By leveraging Poco RAT and sophisticated phishing techniques, the group is effectively compromising critical sectors across Latin America. Organizations must remain vigilant by implementing robust cybersecurity measures, employee awareness programs, and threat intelligence capabilities to detect and mitigate such attacks. Given Dark Caracal's history and evolving tactics, proactive security strategies are essential to countering their sophisticated cyber operations.