July 11, 2024 at 06:39AM
A new email phishing campaign targeting Spanish-language victims has been delivering a remote access trojan called Poco RAT since February 2024. The attacks primarily aim at the mining, manufacturing, hospitality, and utilities sectors. The malware uses tactics such as finance-themed lures and abuse of legitimate services to evade detection. Additionally, the article details other related malware activity targeting Indian and Latin American users.
The article reports an ongoing email phishing campaign targeting Spanish-language victims with a new remote access trojan (RAT) called Poco RAT since at least February 2024. The attacks primarily focus on the mining, manufacturing, hospitality, and utilities sectors.
The malware primarily focuses on anti-analysis, communicating with its command-and-control (C2) server, and downloading and running files, with only limited monitoring or credential-harvesting capability. The infection chains begin with phishing messages bearing finance-themed lures that trick recipients into clicking an embedded URL pointing to a 7-Zip archive file hosted on Google Drive.
Other methods observed include the use of HTML or PDF files directly attached to the emails or downloaded via another embedded Google Drive link. The malware establishes persistence on the compromised Windows host and contacts a C2 server in order to deliver additional payloads.
It’s noted that the threat actors behind the campaign are targeting Latin America, particularly by using Delphi-based malware, and are increasingly using QR codes embedded in PDF files to trick users into visiting phishing pages.
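As an added illustration that is not part of the article, the following triage heuristic flags messages matching the delivery pattern described above (finance-themed lure plus a Google Drive link, an archive, or a directly attached HTML/PDF file). The message field names, the lure-word list and the sample messages are constructed assumptions; QR codes inside PDFs are not decoded, only the attachment type is noted.

```python
import re
from urllib.parse import urlparse

# Constructed lure vocabulary (Spanish and English finance terms) for the heuristic.
FINANCE_TERMS = ("factura", "pago", "transferencia", "comprobante", "invoice", "payment")
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
ARCHIVE_EXT = re.compile(r"\.(7z|zip|rar)$", re.IGNORECASE)
DIRECT_EXT = re.compile(r"\.(html?|pdf)$", re.IGNORECASE)


def hosted_on_drive(url):
    """True when the link points at Google Drive, the hosting service abused by the campaign."""
    return urlparse(url).netloc.lower() in DRIVE_HOSTS


def triage(msg):
    """Return ('high'|'medium'|'low', reasons) for one message dict.

    Assumed dict keys: subject, body, urls (list of str), attachments (list of file names).
    """
    reasons = []
    text = f"{msg.get('subject', '')} {msg.get('body', '')}".lower()
    lure = any(term in text for term in FINANCE_TERMS)
    if lure:
        reasons.append("finance-themed lure text")
    delivery = False
    for url in msg.get("urls", []):
        if hosted_on_drive(url):
            delivery = True
            reasons.append(f"link to Google Drive: {url}")
    for name in msg.get("attachments", []):
        if ARCHIVE_EXT.search(name) or DIRECT_EXT.search(name):
            delivery = True
            reasons.append(f"archive or HTML/PDF attachment: {name}")
    # Lure and delivery vector together match the observed chain; either alone is worth a look.
    level = "high" if (lure and delivery) else "medium" if (lure or delivery) else "low"
    return level, reasons


# Constructed sample messages; the Drive file id is a placeholder, not a real indicator.
SAMPLE_MESSAGES = [
    {"subject": "Factura pendiente de pago",
     "body": "Descargue el comprobante: https://drive.google.com/file/d/EXAMPLE-ID/view",
     "urls": ["https://drive.google.com/file/d/EXAMPLE-ID/view"], "attachments": []},
    {"subject": "Reunión semanal", "body": "Agenda adjunta", "urls": [], "attachments": ["agenda.docx"]},
    {"subject": "Comprobante de transferencia", "body": "Ver adjunto", "urls": [],
     "attachments": ["comprobante.pdf"]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", *triage(m))
```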
The article further mentions social engineering campaigns in India and an SMS phishing campaign attributed to a threat actor called Smishing Triad, with the goal of stealing personally identifiable information (PII) and payment data.
Overall, the article provides clear insight into the tactics and targets of the ongoing email phishing campaign and the related social engineering attacks.