July 10, 2024 at 11:03AM
Unidentified attackers are propagating a novel credential-harvesting remote access trojan, dubbed Poco RAT, mainly targeting sectors in Latin America. Using email campaigns with Spanish-themed finance lures and Google Drive links, the malware evades email gateways. It is built for anti-analysis, communication with a C2 server, and file delivery, while relying on the POCO C++ libraries for evasion. Organizations can detect and prevent Poco RAT by focusing on the threat actor’s use of Google Drive links and tracking network traffic to the C2 address, 94.131.119.126.
From the provided meeting notes, it is clear that there is an emerging threat posed by the Poco RAT malware targeting organizations, primarily in the mining and manufacturing sector in Latin America. This malware is being propagated through an email campaign using Spanish-language emails with finance themes, luring users to open malicious Google Drive and HTML files where the Poco RAT is nested.
The Poco RAT is a custom-built malware designed for anti-analysis, communication with a command-and-control server (C2), and downloading and running files to monitor environments, harvest credentials, or deliver ransomware. It shows consistent behavior across victims, establishing persistence via a registry key and leveraging legitimate processes to avoid detection. The use of Google Drive links and the POCO C++ libraries as an evasion tactic makes it less likely to be detected by traditional security measures.
To detect and mitigate the Poco RAT, organizations are advised to focus on the threat actor’s use of Google Drive links and to block and track network traffic to the known C2 address. Additionally, defenses should be set to alert when legitimate processes are run to prevent the compromise of systems.
It is essential for organizations, especially those in Latin America, to be vigilant and take proactive measures to protect their systems against this evolving threat.