Dark Caracal’s latest operation uses Poco RAT, a remote access trojan aimed at Spanish-speaking targets in Latin America and delivered mainly through phishing. Payloads arrive as trojanized attachments or through links to files hosted on legitimate cloud storage services. Affected: corporate networks, Spanish-speaking users, Latin America
Key points:
- Dark Caracal has launched a new campaign using the Poco RAT malware.
- The operation focuses on Spanish-speaking targets in Latin America.
- Poco RAT supports file upload, remote command execution and screenshot capture.
- Initial access relies on phishing emails carrying decoy documents that lure the victim into opening the payload.
- Payloads are hosted on cloud storage services such as Google Drive and Dropbox, so the download itself originates from a legitimate domain.
- Decoy documents typically impersonate financial organizations to appear legitimate.
- Dark Caracal uses process injection and obfuscation to evade detection.
- The group has been active since 2012, targeting various sectors, including government and military.
- Metadata from decoy documents provides insight into the group’s operational tactics.
- The campaign marks an increase in activity compared to previous years, indicating a strategic shift.
MITRE ATT&CK techniques:
- T1608.001 – Stage Capabilities: Upload Malware (Resource Development): Dark Caracal stages payloads on legitimate cloud storage platforms.
- T1566.001 – Phishing: Spearphishing Attachment (Initial Access): phishing emails carry attachments that lead to the malware download.
- T1204.002 – User Execution: Malicious File (Execution): the victim launches Poco RAT by opening the malicious file.
- T1055 – Process Injection (Defense Evasion, Privilege Escalation): the malware injects code into legitimate processes.
- T1027.013 – Obfuscated Files or Information: Encrypted/Encoded File (Defense Evasion): Poco RAT is obfuscated with encryption.
- T1132.001 – Data Encoding: Standard Encoding (Command and Control): data exchanged with the C2 servers is encoded.
- T1571 – Non-Standard Port (Command and Control): C2 traffic to infected hosts uses non-standard ports.
Indicators of compromise:
- [IP Address] 94.131.119.126
- [IP Address] 185.216.68.121
- [IP Address] 193.233.203.63
- [Hash] a5073df86767ece0483da0316d66c15cd0661df945e8e36aa78472d4b60e181
- [Hash] 2ecada671f172d4142e66e40d6d70b1b2d30ce50578b95eed8feb093e0b8170
Note on the hashes: both values are reproduced as given in the source, but each is 63 hex characters, which matches neither MD5 (32) nor SHA-256 (64). Verify them against the original report before loading them into a blocklist or hunting query.
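The following script is an added example (not code from the report or from Dark Caracal) showing how a SOC analyst would operationalize the indicators above: it validates the hash IOCs by digest length (so the two 63-character values are flagged rather than silently never matching), hashes observed file content for comparison, and sweeps a connection log for the listed IP addresses and for T1571-style outbound TCP to non-standard ports. The log format, the internal address ranges, the "standard" port set and the sample log lines are all constructed assumptions; the IP and hash values are the ones listed on this page.

```python
"""Triage helper for the Poco RAT IOCs: validate the hash indicators, then
sweep a connection log for the listed C2 addresses and for T1571-style
non-standard ports. Added example; the log format below is constructed."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# IP indicators as listed on this page.
IOC_IPS = {"94.131.119.126", "185.216.68.121", "193.233.203.63"}
# Hash indicators copied verbatim from this page; their length is checked below.
IOC_HASHES = [
    "a5073df86767ece0483da0316d66c15cd0661df945e8e36aa78472d4b60e181",
    "2ecada671f172d4142e66e40d6d70b1b2d30ce50578b95eed8feb093e0b8170",
]
# Hex-digest lengths of the digest families usually found in IOC feeds.
HASH_FAMILIES = {32: "md5", 40: "sha1", 64: "sha256"}
# Destination ports treated as "standard" for the T1571 heuristic
# (assumption; tune to the environment's own baseline).
STANDARD_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}
# Address space considered internal (assumption for the constructed log).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def classify_hash(digest):
    """Return 'md5', 'sha1' or 'sha256' from a hex digest's length, else None."""
    digest = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    return HASH_FAMILIES.get(len(digest))


def validate_hash_iocs(hashes):
    """Split hash IOCs into usable ones ({digest: family}) and malformed ones."""
    usable, malformed = {}, []
    for h in hashes:
        family = classify_hash(h)
        if family is None:
            malformed.append(h)
        else:
            usable[h.strip().lower()] = family
    return usable, malformed


def sha256_of(data):
    """SHA-256 hex digest of in-memory file content (what a sandbox would log)."""
    return hashlib.sha256(data).hexdigest()


def match_file_hashes(observed, usable):
    """observed: {path: hex digest}. Return [(path, family)] for digests on the IOC list."""
    return [(path, usable[d.lower()]) for path, d in observed.items() if d.lower() in usable]


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reasons: tuple


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan_conn_log(text):
    """Flag flows to an IOC IP, and outbound TCP to non-standard ports.

    Expected line format (constructed, whitespace separated):
      <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, proto = line.split()
        dport = int(dport)
        reasons = []
        if dst in IOC_IPS:
            reasons.append("ioc_ip")            # direct hit on a listed C2 address
        if proto == "tcp" and not is_internal(dst) and dport not in STANDARD_PORTS:
            reasons.append("nonstandard_port")  # T1571 hunting lead, low confidence alone
        if reasons:
            findings.append(Finding(ts, src, dst, dport, tuple(reasons)))
    return findings


# Constructed sample log: two IOC addresses, one generic non-standard port, two benign flows.
SAMPLE_CONN_LOG = """\
2025-03-10T14:02:11Z 10.0.0.15 51324 198.51.100.20 443 tcp
2025-03-10T14:02:40Z 10.0.0.15 51330 94.131.119.126 6699 tcp
2025-03-10T14:03:02Z 10.0.0.22 51402 185.216.68.121 443 tcp
2025-03-10T14:03:15Z 10.0.0.22 51410 198.51.100.53 53 udp
2025-03-10T14:04:01Z 10.0.0.31 51500 203.0.113.7 4444 tcp
"""

if __name__ == "__main__":
    usable, malformed = validate_hash_iocs(IOC_HASHES)
    for h in malformed:
        print(f"malformed hash IOC ({len(h)} hex chars), verify against the report: {h}")
    for f in scan_conn_log(SAMPLE_CONN_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} {','.join(f.reasons)}")
```

Run as-is, the script reports both page hashes as malformed and flags three of the five sample flows: the two hits on listed IPs (one of them also on a non-standard port) and one outbound TCP flow to port 4444 that is only a hunting lead until the destination is enriched. The non-standard-port check is deliberately kept separate from the IP match so that a hit on a listed address is never downgraded by the heuristic, and internal ranges are declared explicitly rather than inferred from the address class.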