Poco RAT enters deep into mining sector

Unidentified attackers are spreading a new Remote Access Trojan (RAT) that harvests credentials. The Trojan spies on environments and can install malware. For now, it is primarily targeting the mining and manufacturing sectors in Latin America.

The malware, dubbed Poco RAT because it uses the popular POCO C++ libraries as an evasion tactic, is spreading in an email campaign that was first discovered hitting one unnamed LATAM company in the mining sector hard. That company received 67% of the campaign’s email volume, according to Cofense, whose researchers discovered the malware and published a report today. Since then, the Poco RAT (whose name also includes the Spanish word for “little”) has targeted manufacturing, hospitality and utility organizations, in that order.

The emails used to propagate the RAT follow a consistent pattern, making it easy to track the campaign’s momentum, researchers noted. Both the subject line and body of the emails are in Spanish and use financial themes — such as claiming to be about invoices — to lure users. The emails carry malicious Google Drive links and HTML files in which unwitting targets will find the Poco RAT nested.

“Threat actors often use legitimate file hosting services such as Google Drive to bypass Secure Email Gateways (SEGs),” a tactic used by various actors and advanced persistent threat groups (APTs) over the years, according to the report.

The attackers used three methods to achieve the same delivery result. Most of the messages hid the Poco RAT payload behind a direct link to a 7zip archive hosted on Google Drive, while about 40% used a malicious HTML file with an embedded link that then downloaded a 7zip archive hosted on Google Drive. About 7% of the messages used an attached PDF file to download a 7zip archive hosted on Google Drive, researchers found.

Functionality and evasion tactics of the new malware

Poco RAT is a specially crafted piece of malware whose primary roles are to resist analysis, communicate with a command and control (C2) server, and download and execute files. So far, according to Cofense, the software has been used to monitor the environment, collect credentials, or deliver ransomware.

The malware exhibits consistent behavior across all victims, establishing persistence once it’s launched, typically via a registry key. It then launches a legitimate process, grpconv.exe, which has only a few ways it can legitimately run on a modern Windows operating system, researchers noted.

The executable itself is written in the Delphi programming language and sometimes packaged using UPX, with “an extraordinary amount of Exif metadata included in each executable,” according to Cofense. The metadata typically includes a random company name, internal name, original file name, product name, legal copyrights and trademarks, and various version numbers.

Once launched, the Poco RAT connects to a static C2 on at least one of three ports: 6541, 6542, or 6543. If the infected computer is not geolocated in Latin America, the C2 will not respond to the RAT’s communication attempts.

If the infected computer is located in Latin America, the RAT establishes a connection, sending basic information about the technological environment and downloading and executing files to spread other malware.

In addition to using Google Drive links to bypass email security, the Poco RAT also benefits from its reliance on the cross-platform, open-source POCO C++ libraries, which are used to add networking functionality to desktop and mobile apps. Their use by the RAT makes it “less likely to be detected than if the malware used its own custom code or a less widely used library,” according to Cofense.

Detection and mitigation for Poco RAT

According to Cofense, to detect and mitigate Poco RAT attacks, organizations should focus on how attackers use Google Drive links.

“If SEGs and defenses are configured to treat Google Drive links as illegal… the vast majority of Poco RAT campaigns … could have been easily prevented,” the report says.

Cofense recommends blocking and tracking all network traffic to the C2 address, 94.131.119.126, which will detect and stop “any currently known instance” of the RAT. In case attackers move to a different C2 in the future, organizations can also configure their defenses to alert when grpconv.exe is launched, which is “something that rarely happens legally,” to prevent the Poco RAT from compromising their systems, according to Cofense.
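As an added illustration of the two detections Cofense recommends (this is example code written for this page, not Cofense’s or the article’s own), the script below applies them to constructed, Sysmon-style JSON-lines telemetry; the event schema, field names, hostnames and the non-C2 sample address are assumptions.

```python
import json
import ntpath

# Indicators named in the article: the static C2 address, its three ports, and
# the legitimate but rarely used grpconv.exe that Poco RAT launches after persisting.
POCO_RAT_C2 = "94.131.119.126"
POCO_RAT_PORTS = {6541, 6542, 6543}
SUSPICIOUS_CHILD = "grpconv.exe"

# Constructed sample telemetry (not a real export). The JSON-lines shape, the
# Sysmon-like field names and the benign 203.0.113.10 address are assumptions.
SAMPLE_EVENTS = r"""
{"event": "network", "host": "ws-mine-01", "image": "C:\\Users\\ana\\AppData\\Roaming\\factura.exe", "dst_ip": "94.131.119.126", "dst_port": 6541}
{"event": "network", "host": "ws-mine-01", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dst_ip": "203.0.113.10", "dst_port": 443}
{"event": "process", "host": "ws-mine-01", "image": "C:\\Windows\\System32\\grpconv.exe", "parent_image": "C:\\Users\\ana\\AppData\\Roaming\\factura.exe"}
{"event": "network", "host": "ws-plant-07", "image": "C:\\Windows\\svc.exe", "dst_ip": "94.131.119.126", "dst_port": 8080}
{"event": "process", "host": "ws-plant-07", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"}
"""


def detect(events_jsonl):
    """Return (host, rule, detail) tuples for events matching the Poco RAT indicators."""
    alerts = []
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["event"] == "network" and ev["dst_ip"] == POCO_RAT_C2:
            # All traffic to the C2 address is blocked and tracked; the port only
            # decides whether the event matches one of the three ports observed so far.
            rule = "poco_rat_c2_known_port" if ev["dst_port"] in POCO_RAT_PORTS else "poco_rat_c2_other_port"
            alerts.append((ev["host"], rule, f'{ev["image"]} -> {ev["dst_ip"]}:{ev["dst_port"]}'))
        elif ev["event"] == "process" and ntpath.basename(ev["image"]).lower() == SUSPICIOUS_CHILD:
            # grpconv.exe rarely runs legitimately, so every launch is worth an alert;
            # the parent process is kept because the RAT is what spawns it.
            alerts.append((ev["host"], "grpconv_launch", f'parent={ev["parent_image"]}'))
    return alerts


def hosts_to_triage(alerts):
    """Hosts that raised at least one alert, for isolation or follow-up."""
    return sorted({host for host, _, _ in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, rule, detail in found:
        print(f"{host}: {rule} ({detail})")
    print("triage:", ", ".join(hosts_to_triage(found)))
```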