The menace actor often known as Darkish Caracal has been attributed to a marketing campaign that deployed a distant entry trojan known as Poco RAT in assaults concentrating on Spanish-speaking targets in Latin America in 2024.
The findings come from Russian cybersecurity firm Constructive Applied sciences, which described the malware as loaded with a “full suite of espionage options.”
“It might add recordsdata, seize screenshots, execute instructions, and manipulate system processes,” researchers Denis Kazakov and Sergey Samokhin mentioned in a technical report printed final week.
Poco RAT was beforehand documented by Cofense in July 2024, detailing the phishing assaults aimed toward mining, manufacturing, hospitality, and utilities sectors. The an infection chains are characterised by means of finance-themed lures that set off a multi-step course of to deploy the malware.
Whereas the marketing campaign was not attributed to any menace at the moment, Constructive Applied sciences mentioned it recognized tradecraft overlaps with Darkish Caracal, a sophisticated persistent menace (APT) recognized for working malware households like CrossRAT and Bandook. It is operational since at the least 2012.
In 2021, the cyber mercenary group was tied to a cyber espionage marketing campaign dubbed Bandidos that delivered an up to date model of the Bandook malware towards Spanish-speaking international locations in South America.
The most recent set of assaults proceed their give attention to Spanish-speaking customers, leveraging phishing emails with invoice-related themes that bear malicious attachments written in Spanish as a place to begin. An evaluation of Poco RAT artifacts signifies the intrusions are primarily concentrating on enterprises in Venezuela, Chile, the Dominican Republic, Colombia, and Ecuador.
The connected decoy paperwork impersonate a variety of business verticals, together with banking, manufacturing, healthcare, prescription drugs, and logistics, in an try to lend the scheme just a little extra believability.
When opened, the recordsdata redirect victims to a hyperlink that triggers the obtain of a .rev archive from official file-sharing providers or cloud storage platforms like Google Drive and Dropbox.
“Recordsdata with the .rev extension are generated utilizing WinRAR and have been initially designed to reconstruct lacking or corrupted volumes in multi-part archives,” the researchers defined. “Risk actors repurpose them as stealthy payload containers, serving to malware evade safety detection.”
Current throughout the archive is a Delphi-based dropper that is chargeable for launching Poco RAT, which, in flip, establishes contact with a distant server and grants attackers full management over compromised hosts. The malware will get its identify from using POCO libraries in its C++ codebase.
Among the supported instructions by Poco RAT are listed beneath –
- T-01 – Ship collected system information to the command-and-control (C2) server
- T-02 – Retrieve and transmit the lively window title to the C2 server
- T-03 – Obtain and run an executable file
- T-04 – Obtain a file to the compromised machine
- T-05 – Seize a screenshot and ship it to the C2 server
- T-06 – Execute a command in cmd.exe and ship the output to the C2 server
“Poco RAT doesn’t include a built-in persistence mechanism,” the researchers mentioned. “As soon as preliminary reconnaissance is full, the server probably points a command to ascertain persistence, or attackers could use Poco RAT as a stepping stone to deploy the first payload.”
