The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT

Dark Caracal’s latest cyber operation uses Poco RAT, a sophisticated malware targeting Spanish-speaking regions in Latin America, primarily through phishing campaigns. The group employs clever methods to deliver malicious payloads, including trojanized attachments and cloud storage services.

Affected: corporate networks, Spanish-speaking users, Latin America

Key points:

  • Dark Caracal has launched a new campaign using the Poco RAT malware.
  • The operation focuses on Spanish-speaking targets in Latin America.
  • Poco RAT includes features like file uploading, command execution, and screenshot capture.
  • The attack uses phishing emails with decoy documents to lure victims.
  • Malware distribution is facilitated by cloud storage services, such as Google Drive and Dropbox.
  • Decoy documents often impersonate financial organizations to appear legitimate.
  • Dark Caracal employs techniques like process injection and obfuscation to evade detection.
  • The group has been active since 2012, targeting various sectors, including government and military.
  • Metadata from decoy documents provides insight into the group’s operational tactics.
  • The campaign marks an increase in activity compared to previous years, indicating a strategic shift.

MITRE Techniques:

  • T1608.001 – Resource Development: Dark Caracal uses legitimate cloud storage platforms for malware storage.
  • T1566.001 – Initial Access: Phishing emails are sent with attachments leading to malware download.
  • T1204.002 – Execution: Victims unknowingly launch Poco RAT by opening malicious files.
  • T1055 – Privilege Escalation: The malware injects code into legitimate processes.
  • T1027.013 – Defense Evasion: Poco RAT is obfuscated using encryption methods.
  • T1132.001 – Command and Control: Dark Caracal encodes data sent to and from C2 servers.
  • T1571 – Non-Standard Port: The group uses non-standard ports to communicate with infected devices.

Indicators of Compromise:

  • [IP Address] 94.131.119.126
  • [IP Address] 185.216.68.121
  • [IP Address] 193.233.203.63
  • [MD5] a5073df86767ece0483da0316d66c15cd0661df945e8e36aa78472d4b60e181
  • [MD5] 2ecada671f172d4142e66e40d6d70b1b2d30ce50578b95eed8feb093e0b8170
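The indicators above are most useful when swept against existing telemetry. The following Python script is an added example (not from the original report or from PT Security) that matches the listed C2 addresses and file hashes against two constructed log sources: a firewall log of outbound connections and an endpoint file-hash event stream. Because the summary maps the campaign to T1571 (Non-Standard Port), a hit on a listed IP is additionally annotated when the destination port is outside 80/443; the log formats, the "standard port" set and all sample lines are assumptions made for the example, and the hash values are copied exactly as the summary lists them.

```python
import re
from dataclasses import dataclass, field

# IoCs copied verbatim from the summary above.
IOC_IPS = {"94.131.119.126", "185.216.68.121", "193.233.203.63"}
IOC_HASHES = {
    "a5073df86767ece0483da0316d66c15cd0661df945e8e36aa78472d4b60e181",
    "2ecada671f172d4142e66e40d6d70b1b2d30ce50578b95eed8feb093e0b8170",
}

# Assumption for the T1571 annotation: anything other than plain HTTP/HTTPS
# to a listed C2 address is worth calling out as a non-standard port.
STANDARD_WEB_PORTS = {80, 443}

# Assumed log layouts (key=value, one event per line).
FW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)
HASH_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) file=(?P<file>\S+) hash=(?P<hash>[0-9a-fA-F]+)$"
)

# Constructed sample telemetry: not real traffic, built only to exercise the matcher.
SAMPLE_FIREWALL_LOG = """\
2025-03-04T10:12:01Z src=10.0.5.23 dst=142.250.74.46 dport=443 action=allow
2025-03-04T10:12:07Z src=10.0.5.23 dst=94.131.119.126 dport=8080 action=allow
2025-03-04T10:13:44Z src=10.0.7.9 dst=185.216.68.121 dport=443 action=allow
2025-03-04T10:14:02Z src=10.0.5.23 dst=104.16.132.229 dport=443 action=allow
"""

SAMPLE_HASH_LOG = r"""2025-03-04T10:11:58Z host=WS-0523 file=C:\Users\ana\Downloads\documento.exe hash=A5073DF86767ECE0483DA0316D66C15CD0661DF945E8E36AA78472D4B60E181
2025-03-04T10:12:00Z host=WS-0523 file=C:\Windows\System32\notepad.exe hash=0123456789abcdef0123456789abcdef
"""


@dataclass
class Hit:
    timestamp: str
    source: str          # internal source IP or hostname
    indicator: str       # the IoC that matched
    kind: str            # "ip" or "hash"
    notes: list = field(default_factory=list)


def scan_firewall_log(text: str) -> list:
    """Return one Hit per outbound connection to a listed C2 address."""
    hits = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        dst = m["dst"]
        if dst not in IOC_IPS:
            continue
        notes = []
        port = int(m["dport"])
        if port not in STANDARD_WEB_PORTS:
            notes.append(f"non-standard port {port} (T1571)")
        hits.append(Hit(m["ts"], m["src"], dst, "ip", notes))
    return hits


def scan_hash_log(text: str) -> list:
    """Return one Hit per file event whose hash is in the IoC list (case-insensitive)."""
    hits = []
    for line in text.splitlines():
        m = HASH_RE.match(line)
        if not m:
            continue
        digest = m["hash"].lower()
        if digest in IOC_HASHES:
            hits.append(Hit(m["ts"], m["host"], digest, "hash", [m["file"]]))
    return hits


def sweep(firewall_text: str, hash_text: str) -> list:
    """Combine both scans, ordered by timestamp, for a single triage list."""
    hits = scan_firewall_log(firewall_text) + scan_hash_log(hash_text)
    return sorted(hits, key=lambda h: h.timestamp)


if __name__ == "__main__":
    for h in sweep(SAMPLE_FIREWALL_LOG, SAMPLE_HASH_LOG):
        extra = f" [{'; '.join(h.notes)}]" if h.notes else ""
        print(f"{h.timestamp} {h.source} -> {h.kind}:{h.indicator}{extra}")
```

Run as-is it reports two connections to listed addresses (one of them on port 8080, flagged per T1571) and one file event matching a listed hash; the hash comparison is lowercased so that EDR products emitting upper-case digests still match.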

Full Story: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/the-evolution-of-dark-caracal-tools-analysis-of-a-campaign-featuring-poco-rat