Poco RAT Burrows Deep Into Mining Sector

Unidentified attackers are spreading a novel, credential-harvesting remote access trojan (RAT) that spies on environments and can deliver further malware, so far targeting mainly the mining and manufacturing sector in Latin America.

Dubbed Poco RAT for its use of the popular POCO C++ libraries as an evasion tactic, the malware is spreading in an email campaign that was first discovered hitting one unnamed LATAM company hard in the mining sector. That company has received 67% of the campaign's email volume, according to Cofense, whose researchers discovered the malware and published a report today. However, since then, Poco RAT (whose name also contains the Spanish word for "a little") has targeted manufacturing, hospitality, and utility organizations, in that order.

Emails used to propagate the RAT follow a consistent pattern, which make it easy to follow the campaign's scurrying, the researchers noted. Both the subject and message body are in Spanish and use finance themes — such as claiming to involve invoices — to lure users. Inside the email are malicious Google Drive and HTML files, where unwitting targets will find Poco RAT nesting.

"Threat actors often use legitimate file hosting services such as Google Drive to bypass secure email gateways (SEGs)," a tactic leveraged by various actors and advanced persistent threat (APT) groups over the years, according to the report.

Attackers used three methods to ultimately achieve this same delivery result. Most of the messages hid the Poco RAT payload either via a direct link to a 7zip archive hosted on Google Drive, while about 40% used a malicious HTML file with an embedded link that then downloads a 7zip archive hosted on Google's service. Meanwhile, about 7% of the messages use an attached PDF file to ultimately download the 7zip archive hosted on Google Drive, the researchers found.

A Novel Malware's Functionality & Evasion Tactics

Poco RAT is a custom-built malware focused on anti-analysis, communicating with its command-and-control server (C2), and downloading and running files, which so far have been used to monitor the environment, harvest credentials, or deliver ransomware, according to Cofense.

The malware shows consistent behavior across victims, establishing persistence upon execution typically via a registry key. It then launches the legitimate process, grpconv.exe, which only has a few ways in which it can legitimately run on a modern Windows OS, the researchers noted.

The executable itself is written in the Delphi programming language and sometimes packed via UPX, with "an unusual amount of Exif metadata included in each executable," according to Cofense. The metadata typically includes a random company name, internal name, original file name, product name, legal copyrights and trademarks, and various version numbers.

Once executed, the Poco RAT connects and communicates to a static C2, and is connected to at least one of three ports: 6541, 6542, or 6543. Unless an infected computer has a geolocation in Latin America, the C2 won't respond to the RAT's attempts to communicate.

If the infected computer appears to be in Latin America, the RAT then sets up communications, sending basic information about the technology environment and downloading and executing files to deliver other malware.

In addition to using Google Drive links to elude email security, Poco RAT also uses its reliance on the cross-platform, open source POCO C++ libraries, which are used for adding network functionality to desktop and mobile apps. Their use by the RAT makes it "less likely to be detected than if the malware were to use its own custom code or a less widely used library," according to Cofense.

Detection & Mitigation for Poco RAT

To detect and mitigate Poco RAT, it's pertinent for organizations to focus on the threat actor's use of Google Drive links, according to Cofense.

"If SEGs and defenses are tuned to treat Google Drive links as illegitimate ... the vast majority of Poco RAT campaigns can be easily prevented," according to the report.

Cofense recommends blocking and tracking all network traffic to the C2 address, 94.131.119.126, which will detect and stop "every currently known instance" of the RAT. In case attackers shift to a different C2 in the future, organizations also can set defenses to alert when grpconv.exe is run, which is "something that rarely happens legitimately," to prevent Poco RAT from compromising their systems, according to Cofense.