Dark Caracal uses Poco Rat to target Spanish-speaking companies in Latin America

March 5, 2025Ravi LakshmananCyber ​​Spy/Malware

The threat actor known as Dark Caracal has been attributed to a 2024 campaign that deployed a remote access trojan called Poco RAT in attacks aimed at Spanish-speaking targets in Latin America.

The findings come from Russian cybersecurity company Positive Technologies, which described the malware as loaded with an "espionage set of features."

“You can upload files, capture screenshots, execute commands, and operate system processes,” Denis Kazakov and Sergey Samokhin said in a technical report published last week.

Poco RAT was previously documented by Cofense in July 2024, in a report detailing phishing attacks aimed at the mining, manufacturing, hospitality and utility sectors. The infection chains are characterized by the use of finance-themed lures that trigger a multi-step process for deploying the malware.

The campaign was not attributed to any threat actor at the time, but Positive Technologies said it has identified overlaps with Dark Caracal, an advanced persistent threat (APT) known for operating malware families such as CrossRAT and Bandook. The group has been in operation since at least 2012.

In 2021, the cyber-mercenary group was tied to a cyber-espionage campaign dubbed Bandidos, which delivered an updated version of the Bandook malware against Spanish-speaking countries in South America.

The latest set of attacks continues to focus on Spanish-speaking users, using phishing emails with invoice-related themes that carry malicious attachments written in Spanish as the starting point. Analysis of Poco RAT artifacts shows that the intrusions primarily target companies in Venezuela, Chile, the Dominican Republic, Colombia and Ecuador.

The attached decoy documents impersonate a wide range of industry verticals, including banking, manufacturing, medical, pharmaceuticals, logistics, and more, in an attempt to lend the scheme a little more credibility.

When opened, the file redirects the victim to a link that triggers the download of a .rev archive from legitimate file-sharing services or cloud storage platforms such as Google Drive and Dropbox.

“Files with the .rev extension were generated using WinRAR and were originally designed to rebuild missing or corrupt volumes in multipart archives,” the researchers explained. “Threat actors can reuse them as stealth payload vessels, helping malware avoid security detection.”
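One triage heuristic that follows from that description, as an added example rather than code from the article or the Positive Technologies report: a recovery volume only has a purpose beside the multipart RAR set it repairs, so a .rev file with no matching .rar volume in the same directory deserves a closer look. The `.partNN` volume naming, the function names and the sample paths are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Volume suffix on multipart sets, e.g. "docs.part01.rar" / "docs.part01.rev"
# (assumed naming scheme for this example).
_PART = re.compile(r"\.part\d+$", re.IGNORECASE)


def _set_key(path):
    """Return (directory, archive base name), lower-cased, for a .rar/.rev path."""
    p = PureWindowsPath(path)
    base = _PART.sub("", p.stem)
    return (str(p.parent).lower(), base.lower())


def orphan_rev_files(paths):
    """Return .rev files that have no .rar volume of the same set beside them."""
    rar_sets = set()
    rev_files = []
    for path in paths:
        ext = PureWindowsPath(path).suffix.lower()
        if ext == ".rar":
            rar_sets.add(_set_key(path))
        elif ext == ".rev":
            rev_files.append(path)
    return [p for p in rev_files if _set_key(p) not in rar_sets]


# Constructed file listing for illustration (not taken from the report).
SAMPLE_LISTING = [
    r"C:\Users\ana\Downloads\Factura_0325.rev",  # lone .rev: flagged
    r"C:\Backups\site.part01.rar",
    r"C:\Backups\site.part02.rar",
    r"C:\Backups\site.part01.rev",               # belongs to a real set
    r"C:\Users\ana\Downloads\notes.txt",
]

if __name__ == "__main__":
    for hit in orphan_rev_files(SAMPLE_LISTING):
        print("review:", hit)
```

A hit is a lead for review, not a verdict: a user may have legitimately moved or deleted the RAR volumes of a set.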

Inside the archive is a Delphi-based dropper responsible for launching Poco RAT, which in turn establishes contact with a remote server and gives the attacker full control over the compromised host. The malware gets its name from its use of the POCO libraries in its C++ codebase.

Some of the commands supported by Poco RAT are listed below:

  • T-01 – Send collected system data to the command-and-control (C2) server
  • T-02 – Get and send the active window title to the C2 server
  • T-03 – Download and run an executable file
  • T-04.

“Poco RAT does not have a built-in persistence mechanism,” the researchers said. “After the initial reconnaissance is complete, the server may issue commands to establish persistence. Alternatively, an attacker can deploy the main payload using Poco RAT as a stepping stone.”
