[Cyware] New Malware Campaign Targeting Spanish Language Victims

Cofense identifies Poco RAT, a Remote Access Trojan targeting Spanish-language victims in the mining sector, delivered via Google Drive-hosted 7zip archives. The campaign emphasizes anti-analysis, C2 communication, and downloading/running payloads, with limited credential harvesting. #PocoRAT #GoogleDrive #7zip #MiningSector #SpanishLanguageVictims #Cofense

Keypoints

  • Poco RAT is a new Remote Access Trojan targeting Spanish-language victims in the mining sector.
  • Delivery uses embedded links to 7zip archives hosted on Google Drive.
  • Campaigns are ongoing and exhibit consistent tactics, techniques, and procedures (TTPs).
  • The malware emphasizes anti-analysis, C2 communication, and downloading/running files, with limited credential harvesting.
  • Poco RAT was first identified and categorized on 2024-02-07.
  • While first aimed at mining, Poco RAT expanded to additional sectors by mid-2024.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Emails delivered with Google Drive links embedding 7zip archives; ‘The emails were finance themed, having both a subject and message body indicating as such.’
  • [T1105] Ingress Tool Transfer – Downloads a 7zip archive containing the Poco RAT executable from Google Drive; ‘embedded Google Drive link to download a 7zip archive containing the Poco RAT executable.’
  • [T1055] Process Injection – Injects into grpconv.exe and connects to its Command and Control (C2) location; ‘injects into grpconv.exe and connects to its Command and Control (C2) location.’
  • [T1547.001] Registry Run Keys/Startup Folder – Establishes persistence, typically via a registry key; ‘establishes persistence, typically via a registry key.’
  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis techniques including checks for a debug environment, user input checks, and long sleeps; ‘anti-analysis, checking for a debug environment, checking for user input, and having long sleeps.’
  • [T1027] Obfuscated/Compressed Files and Information – UPX packing observed in some payloads; ‘sometimes UPX packed.’
  • [T1071] Application Layer Protocol – C2 communications with a remote server at 94.131.119.126 over ports 6541/6542/6543; ‘C2 location … 94.131.119.126 … ports: 6541, 6542, or 6543.’

Indicators of Compromise

  • [IP Address] C2 endpoint – 94.131.119.126
  • [Port] C2 ports – 6541, 6542, 6543
  • [Domain] Hosting service – drive.google.com
  • [File] Archive delivering payload – 7zip archive containing the Poco RAT executable
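The following is an added detection example, not code from Cofense or Cyware. It turns the network-level indicators above (C2 endpoint 94.131.119.126 on ports 6541, 6542 or 6543) and the reported injection host (grpconv.exe, which normally has no reason to make outbound connections) into a simple matcher over network-connection log records. The pipe-delimited record format and the log lines are constructed for illustration; adapt the parser to whatever your EDR or Sysmon pipeline emits.

```python
"""Match network-connection records against the Poco RAT indicators reported
on this page. Everything below the indicator constants is an assumed,
constructed log format and sample data, not captured telemetry."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple

# Indicators taken from the report above.
POCO_RAT_C2_IP = ipaddress.ip_address("94.131.119.126")
POCO_RAT_C2_PORTS = {6541, 6542, 6543}
INJECTION_HOST_PROCESS = "grpconv.exe"  # process Poco RAT injects into


@dataclass
class NetConnEvent:
    host: str
    image: str       # full path of the process that opened the connection
    dest_ip: str
    dest_port: int


def parse_event(line: str) -> Optional[NetConnEvent]:
    """Parse one constructed record: host|image|dest_ip|dest_port.
    Returns None for malformed lines so a bad record cannot abort a scan."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    host, image, dest_ip, dest_port = parts
    try:
        ipaddress.ip_address(dest_ip)
        return NetConnEvent(host, image, dest_ip, int(dest_port))
    except ValueError:
        return None


def classify(ev: NetConnEvent) -> List[str]:
    """Return the list of reasons this connection matches the report, empty if none."""
    reasons = []
    if ipaddress.ip_address(ev.dest_ip) == POCO_RAT_C2_IP:
        if ev.dest_port in POCO_RAT_C2_PORTS:
            reasons.append(f"destination is Poco RAT C2 IP on listed port {ev.dest_port}")
        else:
            # Same infrastructure on an unlisted port is still worth a look.
            reasons.append(f"destination is Poco RAT C2 IP on unlisted port {ev.dest_port}")
    image_name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name == INJECTION_HOST_PROCESS:
        reasons.append("outbound connection from grpconv.exe (reported injection host)")
    return reasons


def scan(lines: List[str]) -> List[Tuple[NetConnEvent, List[str]]]:
    """Return every parsable record that matches at least one indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample records; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    "ws01|C:\\Windows\\System32\\grpconv.exe|94.131.119.126|6542",
    "ws02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|203.0.113.10|443",
    "ws03|C:\\Users\\Public\\update.exe|94.131.119.126|8080",
    "ws04|C:\\Windows\\System32\\grpconv.exe|203.0.113.20|443",
    "malformed record without enough fields",
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG):
        print(f"{ev.host}: {ev.image} -> {ev.dest_ip}:{ev.dest_port}")
        for r in reasons:
            print(f"    - {r}")
```

Because the IP and port indicators are campaign-specific and will age, the grpconv.exe rule is the more durable of the two: it keys on a behaviour the report describes rather than on infrastructure the operators can rotate.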

Read more: https://cofense.com/blog/new-malware-campaign-targeting-spanish-language-victims