Spanish-Speaking Victims Targeted In Poco RAT Attacks
2024-7-23 15:0:51 Author: securityboulevard.com

Recent media reports state that Spanish-speaking victims have become the target of an email phishing campaign. The campaign has been delivering a new remote access trojan, Poco RAT, since February 2024.

As of now, various industries including mining, manufacturing, utilities, and hospitality, are the prime targets. In this article, we’ll dive deep into the attacks and learn how they play out in a real-world scenario. Let’s begin!

Uncovering The Poco RAT Attacks

The Poco RAT attacks, analyzed by the cyber security firm Cofense, are a significant addition to the banking-trojan threat landscape in Latin America. In a detailed report, the firm states that most of the code in the custom malware is focused on the following key aspects of the attack:

  1. Anti-analysis.
  2. Communication with the command-and-control center (C2).
  3. Downloading and running files with emphasis on either monitoring or credential harvesting.

The Remote Access Trojan’s Infection Chain

According to the available information, the infection chain of the Poco RAT attacks begins with phishing emails. These emails are finance-themed, with both the subject line and the message body written in Spanish.

The overall intent of these fabricated emails is to trick recipients into clicking an embedded URL. When a target user clicks the embedded URL, they are redirected to a Google Drive link hosting a 7-Zip archive.

Other observed delivery methods include PDF or HTML files attached directly to the email, or downloadable via another Google Drive link. The HTML file in these emails contains an additional link which, if clicked, initiates the malware download.

Providing further insights into such attack tactics, Cofense has stated that:

“This tactic would likely be more effective than simply providing a URL to directly download the malware as any SEGs that would explore the embedded URL would only download and check the HTML file, which would appear to be legitimate.”

It’s worth noting that this approach is key for the Poco RAT threat actors and others. Because it relies on legitimate services, the attackers are less likely to be blocked by secure email gateways (SEGs), which makes delivering the malware easier.
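To show what following the delivery chain one hop deeper than an SEG looks like, here is an added example written for this page (not code from Cofense, TuxCare or the original post): a Python triage helper that parses an HTML attachment, extracts its links, and flags those pointing at file-sharing hosts or directly at archive downloads. The host list, archive suffixes and sample HTML are constructed assumptions, not indicators from the campaign.

```python
"""Triage links inside an HTML email attachment (added example, not campaign code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed host list: the article names Google Drive as the abused lure stage.
# An operator would tune this to their own environment.
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com"}
ARCHIVE_SUFFIXES = (".7z", ".zip", ".rar", ".iso")


class _HrefCollector(HTMLParser):
    """Collect every href of <a> tags; attribute values are already unescaped."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(html_text):
    parser = _HrefCollector()
    parser.feed(html_text)
    return parser.hrefs


def classify_link(url):
    """Return a reason string if the link matches a lure pattern, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""          # lowercased by urlparse
    path = parsed.path.lower()
    if host in FILE_SHARING_HOSTS:
        return "file-sharing host: " + host
    if path.endswith(ARCHIVE_SUFFIXES):
        return "direct archive download: " + path.rsplit("/", 1)[-1]
    return None


def triage_attachment(html_text):
    """Return [(url, reason)] for every link in the attachment worth a closer look."""
    return [(u, classify_link(u)) for u in extract_links(html_text) if classify_link(u)]


# Constructed sample: a Spanish finance-themed lure with one benign and one suspect link.
SAMPLE_HTML = """<html><body><p>Factura pendiente de pago</p>
<a href="https://drive.google.com/uc?export=download&amp;id=PLACEHOLDER_ID">Ver factura</a>
<a href="https://example.com/contacto">Contacto</a></body></html>"""

if __name__ == "__main__":
    for url, reason in triage_attachment(SAMPLE_HTML):
        print(reason, "->", url)
```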

Delphi-based Malware Attack Capabilities

The malware was developed by unidentified threat actors in the Delphi programming language. Once launched, Poco RAT establishes persistence on the targeted device. It then contacts a C2 server, which allows it to deliver additional payloads.

Notably, the C2 server does not respond to requests from an infected computer that is outside the target region. Such tactics underline the danger of social engineering campaigns that abuse trusted platforms to distribute malicious software.

Conclusion

The Poco RAT phishing campaign demonstrates sophisticated tactics, leveraging legitimate services like Google Drive to evade detection. Targeting Spanish-speaking sectors with finance-themed lures, this Delphi-based malware establishes persistence and communicates with C2 servers. Such attacks now necessitate the use of robust cybersecurity measures that ensure protection and lower exposure to risk.

The sources for this piece include articles in The Hacker News and TechNadu.

The post Spanish-Speaking Victims Targeted In Poco RAT Attacks appeared first on TuxCare.

This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/spanish-speaking-victims-targeted-in-poco-rat-attacks/


Article source: https://securityboulevard.com/2024/07/spanish-speaking-victims-targeted-in-poco-rat-attacks/