Spanish language victims are the target of an email phishing campaign that delivers a new remote access trojan (RAT) called Poco RAT since at least February 2024.
The attacks primarily single out mining, manufacturing, hospitality, and utilities sectors, according to cybersecurity company Cofense.
“The majority of the custom code in the malware appears to be focused on anti-analysis, communicating with its command-and-control center (C2), and downloading and running files with a limited focus on monitoring or harvesting credentials,” it said.
Infection chains begin with phishing messages bearing finance-themed lures that trick recipients into clicking on an embedded URL pointing to a 7-Zip archive file hosted on Google Drive.
Other methods observed include the use of HTML or PDF files directly attached to the emails or downloaded via another embedded Google Drive link. The abuse of legitimate services by threat actors is not a new phenomenon as it allows them to bypass secure email gateways (SEGs).
The HTML files propagating Poco RAT, in turn, contain a link that, upon clicking, leads to the download of the archive containing the malware executable.
“This tactic would likely be more effective than simply providing a URL to directly download the malware as any SEGs that would explore the embedded URL would only download and check the HTML file, which would appear to be legitimate,” Cofense noted.
The PDF files are no different in that they also contain a Google Drive link that harbors Poco RAT.
Once launched, the Delphi-based malware establishes persistence on the compromised Windows host and contacts a C2 server in order to deliver additional payloads. It’s so named owing to its use of the POCO C++ Libraries.
The use of Delphi is a sign that the unidentified threat actors behind the campaign are focusing on Latin America, which is known to be targeted by banking trojans written in the programming language.
This connection is strengthened by the fact that the C2 server does not respond to requests originating from infected computers that are not geolocated to the region.
The development comes as malware authors are increasingly using QR codes embedded with PDF files to trick users into visiting phishing pages that are designed to harvest Microsoft 365 login credentials.
It also follows social engineering campaigns that use deceptive sites advertising popular software to deliver malware such as RATs and information stealers like AsyncRAT and RisePro.
Similar data theft attacks have also targeted internet users in India with bogus SMS messages falsely claiming of package delivery failures and instructing them to click on a provided link to update their details.
The SMS phishing campaign has been attributed to a Chinese-speaking threat actor called Smishing Triad, which has a history of using compromised or purposefully registered Apple iCloud accounts (e.g., “fredyma514@hlh-web.de”) to send smishing messages for carrying out financial fraud.
“The actors registered domain names impersonating the India Post around June, but were not actively using them, likely preparing for a large-scale activity, which became visible by July,” Resecurity said. “The goal of this campaign is to steal massive amounts of personal identifiable information (PII) and payment data.”
