Scientists discover new malware targeting mining sector


Remote access trojan ‘Poco RAT’ targets mining and manufacturing sectors, report says

Chris Riotta (@chrisriotta) •
July 10, 2024

Poco RAT targeted Spanish-speaking workers in the mining and manufacturing sectors. (Photo: Shutterstock)

Researchers have identified a new malware dubbed “Poco RAT” that primarily targets Spanish-speaking victims in the mining and manufacturing sectors in Latin America, according to a report published Wednesday by phishing threat management firm Cofense Intelligence.


Max Gannon, cyber threat manager at Cofense, told Information Security Media Group that a simple remote access Trojan has affected victims in the mining, manufacturing, hospitality and utilities industries. According to the report, the malware targets its victims via an email campaign that often includes financial themes and embedded links to zip archives containing executable files stored in Google Drive.

“This campaign bypassed multiple secure email gateways despite its simplistic and clearly — to a trained employee — malicious nature,” Gannon said. He added that many secure email gateways could be easily bypassed “using a combination of attachment types and embedded URLs” to malicious files hosted on popular file hosting services.

The Poco RAT got its name because it appears to use the POCO C++ library, a group of open-source C++ class libraries that simplify the development of portable network and web applications in C++. The malware contains custom code designed to evade detection while keeping communication open with its command-and-control server, which directs and controls file operations, the report said; it also plays a secondary role in gathering credentials.

All of the targets were large corporations with offices in several Spanish-speaking countries, and the hackers sent the majority – 53% – of the malware via embedded URLs. Direct HTML links accounted for 40% of the overall delivery method for zip archives. PDFs made up the remaining 7%.

According to the report, the Poco RAT appears to be capable of downloading and delivering files that may contain additional malware with more specialized code for ransomware and data collection campaigns. The campaign was first identified in early February. It initially targeted the mining sector and, in the second quarter of the year, spread to four major sectors: utilities, hospitality, manufacturing and mining.

The report says that threat actors have been using legitimate file hosting services like Google Drive to gain access to victim networks for years, as the Poco RAT has done throughout its ongoing campaign. According to Cofense, the malware is delivered as an executable with an .exe file extension whose metadata includes randomly chosen company names and other details such as version numbers and trademarks.
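The delivery chain described above (a financially themed email, an embedded link to a zip archive on a file hosting service, and an executable inside the archive where the recipient expects a PDF) can be checked mechanically at the mail gateway or in a sandbox. The following Python is an added example written for this article; it is not code from Cofense or from the report. The hosting domains, financial keywords, extension lists, and the sample email and archive are all constructed assumptions for illustration, not indicators from the report.

```python
"""Triage check for the Poco RAT-style delivery pattern described in the article.
Added example: all domains, keywords and sample data below are constructed."""
import io
import re
import zipfile

# Assumed watchlists; adjust to the file hosting services and lures seen locally.
FILE_HOSTING_DOMAINS = {"drive.google.com", "drive.usercontent.google.com"}
ARCHIVE_EXTENSIONS = (".zip",)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs")
FINANCIAL_KEYWORDS = ("factura", "invoice", "pago", "payment", "comprobante")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Pull http(s) URLs out of a message body."""
    return URL_RE.findall(text)


def hostname(url):
    """Return the lower-cased host part of a URL, or '' if it has none."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_file_hosting_link(url):
    """True when the URL points at a file hosting domain on the watchlist."""
    host = hostname(url)
    return any(host == d or host.endswith("." + d) for d in FILE_HOSTING_DOMAINS)


def archive_executables(zip_bytes):
    """Return archive members that are executables, judged by extension
    (including double extensions such as 'report.pdf.exe') or by the
    'MZ' header that every Windows PE file starts with, whatever its name."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name_hit = info.filename.lower().endswith(EXECUTABLE_EXTENSIONS)
            with zf.open(info) as fh:
                magic_hit = fh.read(2) == b"MZ"
            if name_hit or magic_hit:
                hits.append(info.filename)
    return hits


def assess_email(subject, body, archives):
    """archives maps filename -> bytes for attached or fetched zip files.
    Returns a list of finding strings; an empty list means nothing matched."""
    findings = []
    text = (subject + " " + body).lower()
    financial_lure = any(k in text for k in FINANCIAL_KEYWORDS)

    for url in extract_urls(body):
        if is_file_hosting_link(url):
            findings.append(f"file-hosting link: {url}")

    for fname, data in archives.items():
        if not fname.lower().endswith(ARCHIVE_EXTENSIONS):
            continue
        try:
            members = archive_executables(data)
        except zipfile.BadZipFile:
            findings.append(f"unreadable archive: {fname}")
            continue
        for member in members:
            findings.append(f"executable in archive {fname}: {member}")

    if financial_lure and findings:
        findings.append("financial lure combined with archive/hosting delivery")
    return findings


def build_sample_archive():
    """Constructed zip: one member has a double extension, one is PE bytes
    under a .pdf name, and one is a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura_Junio.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("Factura_Junio.pdf", b"MZ" + b"\x00" * 64)
        zf.writestr("leeme.txt", b"constructed sample, not malware")
    return buf.getvalue()


# Constructed sample message; the Drive file id is a placeholder.
SAMPLE_SUBJECT = "Factura pendiente de pago"
SAMPLE_BODY = ("Adjunto comprobante: "
               "https://drive.google.com/file/d/CONSTRUCTED_ID/view Saludos.")

if __name__ == "__main__":
    for line in assess_email(SAMPLE_SUBJECT, SAMPLE_BODY,
                             {"Factura.zip": build_sample_archive()}):
        print(line)
```

The content check matters more than the name check: the article notes that victims expect a PDF, so a member named `.pdf` whose first two bytes are `MZ` is exactly the case a name-only filter misses. In production the URL stage would fetch the linked archive in a sandbox and pass its bytes into the same `archive_executables` routine.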

Gannon said the effectiveness of the newly identified malware in attacking a broad range of industries underscores the importance of raising awareness and security training for employees across sectors.

“Even if a trained employee falls for the emails and downloads the file, the caution instilled in them during training will likely cause them to notice that what was downloaded was an unusual and suspicious archive rather than the alleged PDF file,” he said.