A phishing campaign targeting the Spanish-speaking community has been distributing a novel remote access trojan (RAT) named Poco RAT since February 2024.
The sectors most heavily targeted include mining, manufacturing, hospitality, and utilities, as identified by cybersecurity firm Cofense.
“The malware’s custom coding predominantly addresses evasion of analysis, communication with its command-and-control (C2) server, and the download and execution of files, with less emphasis on credential monitoring or harvesting,” the report stated.
The infection process begins with phishing emails that masquerade as financial notifications, urging recipients to click on a URL embedded within. This link directs them to a 7-Zip archive hosted on Google Drive.
Other observed tactics involve attaching HTML or PDF files directly to the emails, or having the victim download those files via a Google Drive link embedded in the email. This abuse of legitimate services allows the threat actors to bypass secure email gateways (SEGs).
The HTML files harboring Poco RAT include a link that, once clicked, initiates the download of an archive containing the malware executable.
“This approach could potentially evade SEGs that only scan the embedded URL and download the seemingly benign HTML file,” Cofense noted.
Similarly, PDF attachments also include a Google Drive link housing Poco RAT.
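The delivery chain described above (a phishing email whose HTML attachment carries a link to a file-hosting service, which in turn serves an archive) is something a mail-triage pipeline can flag before a user ever clicks. The following Python script is an added example written for this page; it is not Cofense's tooling or code from the campaign. It walks the MIME parts of a raw email, extracts every `href` from HTML bodies and HTML attachments, and reports links that point at a file-hosting domain or directly at an archive file. The hosting-domain list, the archive extensions, and the sample message are assumptions constructed for illustration; PDF attachments are not parsed here because the standard library has no PDF reader.

```python
"""Flag file-hosting and archive links inside an email's HTML parts.

Added example (not Cofense's code). Assumes the message is available as
raw RFC 822 text. The domain list, extensions and sample email below are
constructed for illustration.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Legitimate file-hosting services seen abused for payload staging
# (assumption: extend this set for your own environment).
HOSTING_DOMAINS = {"drive.google.com", "docs.google.com"}
# Archive types commonly used to wrap a malware executable (assumption).
ARCHIVE_EXTENSIONS = (".7z", ".zip", ".rar", ".iso")


class LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value.strip())


def extract_links(html_text):
    parser = LinkExtractor()
    parser.feed(html_text)
    return parser.links


def classify_link(url):
    """Return the reasons a link is suspicious (empty list if none)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in HOSTING_DOMAINS:
        reasons.append("file-hosting service")
    if parsed.path.lower().endswith(ARCHIVE_EXTENSIONS):
        reasons.append("archive download")
    return reasons


def scan_message(raw_message):
    """Return (part_label, url, reasons) for every suspicious link found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # only HTML bodies and HTML attachments carry <a> tags
        # An HTML attachment has a filename; the rendered body does not.
        label = part.get_filename() or "(message body)"
        for url in extract_links(part.get_content()):
            reasons = classify_link(url)
            if reasons:
                findings.append((label, url, reasons))
    return findings


# Constructed sample: a finance-themed lure with an HTML attachment that
# links to a file-hosting service, plus one benign link.
SAMPLE_EMAIL = """\
From: cobros@example.invalid
To: finanzas@example.invalid
Subject: Factura pendiente
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Adjunto encontrara el detalle de su factura.
--B1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="factura.html"

<html><body>
<a href="https://drive.google.com/uc?export=download&amp;id=EXAMPLE_ID">Descargar factura</a>
<a href="https://www.example.com/ayuda">Ayuda</a>
</body></html>
--B1--
"""

if __name__ == "__main__":
    for label, url, reasons in scan_message(SAMPLE_EMAIL):
        print(f"{label}: {url} [{', '.join(reasons)}]")
```

Because the script inspects the content of the attachment rather than only the URL the email itself exposes, it catches the case the report highlights, where the email looks benign and the hosting link lives one hop deeper inside an HTML file. In practice the hosting-domain match should be treated as a signal for sandbox detonation or user-facing warning rather than an outright block, since the same services carry legitimate traffic.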
Once executed, this Delphi-based malware establishes persistence on the infected Windows machine and connects to a C2 server to retrieve additional malicious payloads. Its name derives from its use of the POCO C++ Libraries.
The usage of Delphi suggests a focus on Latin American targets by the unidentified threat actors, consistent with the region’s history of banking trojan attacks written in the same programming language.
This link is reinforced by the fact that the C2 server ignores requests from infected computers not geolocated within the region.
This development occurs amid rising trends where malware creators employ QR codes embedded within PDF files to lure users into phishing pages designed to harvest Microsoft 365 credentials.
It follows a pattern of social engineering tactics using deceptive websites promoting popular software, which deliver malware such as RATs and data stealers like AsyncRAT and RisePro.
Similar attacks targeting internet users in India involved fraudulent SMS messages falsely claiming package delivery failures, directing recipients to click on links to update their details.
Attributed to a Chinese-speaking group called the Smishing Triad, this SMS phishing campaign utilized compromised or deliberately registered Apple iCloud accounts like “[email protected]” to conduct financial fraud.
“The actors registered domain names impersonating India Post around June, though they remained inactive, likely preparing for a broader operation that became evident by July,” stated Resecurity. “The objective of this campaign is to steal substantial volumes of personally identifiable information (PII) and payment data.”