VTA-004488 – Emerging Malware Campaign named Poco RAT Targeting Users
A new malware campaign, named Poco RAT, is targeting Spanish-speaking users. This Remote Access Trojan (RAT) primarily attacks the mining sector via phishing emails that link to 7zip archives on Google Drive. The malware focuses on anti-analysis techniques and communicates with a Command and Control server. It establishes persistence, injects into legitimate processes, and executes additional malicious payloads if the infected system is located in Latin America.
The campaign uses phishing emails with links to 7zip archives hosted on Google Drive. Once the user downloads and extracts the 7zip archive, the Remote Access Trojan (Poco RAT) is installed on their system. Poco RAT employs sophisticated anti-analysis techniques to avoid detection by security software. The malware injects itself into legitimate processes on the system to establish persistence, ensuring it remains active even after reboots. The RAT then establishes communication with a Command and Control server, allowing attackers to remotely control the infected system. If the infected system is located in Latin America, the malware executes additional malicious payloads specifically targeting this region, with a focus on the mining sector. The attackers can then perform various malicious activities, such as data theft, surveillance, or deploying additional malware.
Severity:
Medium
Attack Surface:
Email
Tactics:
Techniques:
T1110: Brute Force
T1027: Obfuscated Files or Information
T1566: Phishing
Indicator of Compromise:
https://otx.alienvault.com/pulse/6690c8807ff11ca659f2f1da
References:
1. https://cofense.com/blog/new-malware-campaign-targeting-spanish-language-victims/
SuperPRO’s Threat Countermeasures Procedures:
1. Keep all operating systems, applications, and plugins up to date to patch vulnerabilities.
2. Implement 2FA wherever possible to add an extra layer of security.
3. Regularly monitor and analyze network traffic for unusual activity or connections.
4. Deploy EDR solutions to detect and respond to suspicious activities on endpoints.
5. Use email filtering to block suspicious attachments and links.
Contributed by: Nabil
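For countermeasure 5, a mail-gateway check matching the delivery chain described above (an email link to Google Drive that resolves to a 7zip archive) could look like the following. This is an added example, not part of the original advisory or of any vendor's tooling; the host list, the `fetched` mapping of URL to downloaded bytes, the verdict names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Assumption: hosts treated as Google Drive share links; extend for your environment.
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
SEVENZIP_MAGIC = bytes.fromhex("377abcaf271c")  # 7z file signature
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def drive_links(raw_email: str) -> list[str]:
    """Return Google Drive URLs found in any text/plain or text/html part."""
    msg = message_from_string(raw_email, policy=default)
    found = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            # Exact host match, so look-alike hosts with extra labels are not counted.
            host = (urlparse(url).hostname or "").lower().rstrip(".")
            if host in DRIVE_HOSTS and url not in found:
                found.append(url)
    return found


def is_7z_archive(first_bytes: bytes) -> bool:
    """True if downloaded content starts with the 7z signature, whatever its name says."""
    return first_bytes.startswith(SEVENZIP_MAGIC)


def verdict(raw_email: str, fetched: dict[str, bytes]) -> str:
    """quarantine: a Drive link resolved to a 7z archive; review: Drive link only; else pass."""
    links = drive_links(raw_email)
    if any(is_7z_archive(fetched.get(u, b"")) for u in links):
        return "quarantine"
    return "review" if links else "pass"


# Constructed sample message; FILE_ID_PLACEHOLDER is not a real file id.
SAMPLE = (
    "From: proveedor@example.com\nSubject: Factura pendiente\n"
    "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
    '<a href="https://drive.google.com/file/d/FILE_ID_PLACEHOLDER/view">Factura</a>\n'
)

if __name__ == "__main__":
    print(verdict(SAMPLE, {}))
```

The `fetched` mapping stands in for whatever sandbox or proxy retrieves linked content; the URL alone does not reveal the file type, which is why the signature check is done on the downloaded bytes.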