An email phishing campaign has been targeting Spanish-speaking individuals with a new remote access trojan dubbed Poco RAT since at least February 2024.
According to cybersecurity firm Cofense, the attacks primarily focus on the mining, manufacturing, hospitality, and utilities sectors.
“The majority of the unique code in the malware is aimed at thwarting analysis, communicating with its command-and-control center (C2), and fetching and executing files with a restricted emphasis on monitoring or collecting credentials,” the firm said.
The infection chains begin with phishing emails carrying finance-themed lures that trick recipients into clicking an embedded URL leading to a 7-Zip archive hosted on Google Drive.
Other observed tactics include HTML or PDF files attached directly to the emails or downloaded via another embedded Google Drive link. Abuse of legitimate services by threat actors is nothing new, as it lets them evade secure email gateways (SEGs).
The HTML files distributing Poco RAT, in turn, contain a link that, when clicked, downloads the archive holding the malware executable.
“This ploy is anticipated to have a greater impact than simply furnishing a URL to directly obtain the malware since any SEGs that inspect the embedded URL would only fetch and assess the HTML file, which would appear genuine,” Cofense noted.
The PDF files follow a similar pattern: they also contain a Google Drive link that hosts Poco RAT.
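As an added defender's illustration (not Cofense's tooling or any code from the campaign), the following Python scans an HTML attachment for the nested lure pattern described above: links that point to a file-sharing host, or directly to an archive, rather than to the malware itself. The sample attachment and the host and extension lists are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts and archive extensions from the lure chain described above; constructed
# defaults for this example, not a vetted blocklist.
SHARING_HOSTS = {"drive.google.com", "docs.google.com"}
ARCHIVE_EXTS = (".7z", ".zip", ".rar", ".iso")

class _LinkExtractor(HTMLParser):
    """Collect every href/src value in an HTML attachment."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())

def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links

def classify_link(url):
    """Return a reason string if the link fits the lure pattern, else None."""
    parsed = urlparse(url)
    host, path, query = parsed.netloc.lower(), parsed.path.lower(), parsed.query.lower()
    if host in SHARING_HOSTS:
        # The direct-download form of the link is the more suspicious variant.
        if path.startswith("/uc") or "export=download" in query:
            return "sharing-host-direct-download"
        return "sharing-host-link"
    if path.endswith(ARCHIVE_EXTS):
        return "archive-download"
    return None

def scan_attachment(html):
    """Return (url, reason) pairs for links that deserve detonation or blocking."""
    found = [(u, classify_link(u)) for u in extract_links(html)]
    return [(u, r) for u, r in found if r]

# Constructed sample lure (not a real sample from the campaign): the page's only
# job is to hand the recipient a Google Drive link to an archive.
SAMPLE_LURE = """<html><body>
<p>Factura pendiente. Descargue el documento adjunto.</p>
<a href="https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID">Ver factura</a>
<a href="https://example.com/about">Acerca de</a>
</body></html>"""

print(scan_attachment(SAMPLE_LURE))
```

A gateway that only inspects the first-hop URL sees a benign-looking HTML page; running a check like this on the attachment body itself surfaces the second hop.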
Once executed, the Delphi-based malware establishes persistence on the compromised Windows host and contacts a C2 server to deliver additional payloads. Its name comes from its use of the POCO C++ Libraries.
The use of Delphi suggests that the unidentified threat actors behind the campaign are focusing on Latin America, a region long favored as a target for banking trojans written in that language.
This connection is reinforced by the fact that the C2 server does not respond to requests from infected machines located outside the region.
The development comes as malware authors increasingly embed QR codes in PDF files to lure victims to phishing sites designed to harvest Microsoft 365 credentials, as recently reported.

Social engineering schemes have also been observed in which fake websites advertising popular software are used to distribute malware such as the AsyncRAT remote access trojan and the RisePro information stealer.
Similar data theft operations have also hit web users in India, with bogus SMS messages falsely claiming delivery failures and prompting recipients to tap a link to update their details.
The SMS phishing campaign has been attributed to a Chinese-speaking threat actor known as Smishing Triad, which is known for using compromised or purposely registered Apple iCloud accounts (e.g., “fredyma514@hlh-web.de”) to send smishing messages in support of financial scams.
“The perpetrators registered domain names impersonating the India Post around June but were dormant, potentially preparing for an extensive operation, noticeable by July,” Resecurity said. “The scheme aims to acquire vast amounts of personal identifiable information (PII) and payment data.”