The cybersecurity landscape is currently grappling with new threats as the group known as Dark Caracal has been linked to a sophisticated campaign deploying the remote access trojan (RAT) named Poco RAT. This recent wave of attacks primarily targets Spanish-speaking audiences in Latin America throughout 2024. The research findings, presented by the Russian cybersecurity firm Positive Technologies, characterize Poco RAT as a highly capable tool laden with advanced espionage functionalities.
The researchers, Denis Kazakov and Sergey Samokhin, detailed in a technical report that this malware can perform a variety of malicious actions, including uploading files, capturing screenshots, executing commands, and manipulating system processes. This level of capability suggests that organizations within the affected regions may be at significant risk of data breaches and operational disruption.
Poco RAT was earlier reported by Cofense in July 2024, which outlined phishing attacks aimed at sectors such as mining, manufacturing, hospitality, and utilities. These attacks utilize finance-themed social engineering tactics to initiate a multi-step malware deployment process, a technique that increases the likelihood of success in infiltrating targeted networks.
While the earlier attacks were not explicitly attributed to any specific threat actor, Positive Technologies was able to identify overlapping techniques consistent with the operational signature of Dark Caracal. This advanced persistent threat (APT) has been active since at least 2012, employing various malware families, including CrossRAT and Bandook. Notably, a previous espionage initiative called Bandidos in 2021 leveraged an updated version of Bandook to target Spanish-speaking nations in South America.
The latest campaign continues to home in on Spanish-speaking users, deploying phishing emails themed around invoices that contain malicious attachments written in Spanish. Analysis indicates that the primary targets are enterprises located in Venezuela, Chile, the Dominican Republic, Colombia, and Ecuador. The attackers craft decoy documents impersonating legitimate businesses in diverse industries such as banking, healthcare, and logistics to enhance credibility and increase the likelihood of user engagement.
Upon interaction with these documents, victims are redirected to links that initiate downloads from established file-sharing services, like Google Drive or Dropbox. These downloads take the form of .rev files, the recovery volumes WinRAR creates to reconstruct missing or corrupted archive volumes. Here, however, the files are repurposed to conceal malware and help it evade security controls.
Embedded within these archives is a Delphi-based dropper responsible for launching Poco RAT. Once initiated, the RAT establishes a connection with a remote server, granting adversaries comprehensive control over the compromised devices. The malware is written in C++ and built on the POCO libraries, which is the origin of its name.
The functionalities of Poco RAT include capabilities for transmitting system data to the command-and-control (C2) server, capturing active window titles, executing external files, and taking screenshots, all of which point toward its use in extensive surveillance operations. However, researchers note that the RAT lacks a built-in persistence mechanism, implying that attackers may need to execute additional commands to maintain access to compromised systems or deliver primary payloads.
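One defensive use of the delivery chain described above, written here as an added example and not code from the Positive Technologies report: a small Python check that runs over proxy log lines (constructed sample data with an assumed field layout) and flags .rev downloads, rating those served from the named file-sharing services highest.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample proxy log lines, not taken from the report. Fields:
# timestamp client method url status bytes response-filename ("-" if none)
SAMPLE_LOG = """\
2024-09-03T10:12:41Z 10.0.4.21 GET https://drive.google.com/uc?export=download&id=CONSTRUCTED1 200 812044 Factura_0923.rev
2024-09-03T10:13:02Z 10.0.4.21 GET https://www.dropbox.com/scl/fi/CONSTRUCTED2/Comprobante.rev?dl=1 200 790112 -
2024-09-03T10:15:17Z 10.0.4.37 GET https://intranet.example.local/reports/q3.pdf 200 40210 -
2024-09-03T10:16:55Z 10.0.4.52 GET https://files.example.org/backup/part01.rev 200 999 -
"""

# Hostnames assumed for the file-sharing services named in the report
FILE_SHARING_HOSTS = {
    "drive.google.com", "www.dropbox.com", "dropbox.com", "dl.dropboxusercontent.com",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<fname>\S+)$"
)


def downloaded_name(url: str, fname: str) -> str:
    """Prefer the logged response filename; fall back to the last URL path segment."""
    return fname if fname != "-" else urlparse(url).path.rsplit("/", 1)[-1]


def classify(url: str, fname: str) -> Optional[str]:
    """Severity for a .rev download: high from a file-sharing host, else medium."""
    if not downloaded_name(url, fname).lower().endswith(".rev"):
        return None
    host = (urlparse(url).hostname or "").lower()
    return "high" if host in FILE_SHARING_HOSTS else "medium"


def scan_log(text: str) -> list:
    """Run the .rev-download check over proxy log lines and return alerts."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole job
        severity = classify(m["url"], m["fname"])
        if severity:
            alerts.append({"severity": severity, "client": m["client"],
                           "file": downloaded_name(m["url"], m["fname"])})
    return alerts
```

Legitimate WinRAR recovery volumes do occur on file servers, so the medium-severity hits are best triaged against known backup paths rather than blocked outright.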
Organizations in the targeted regions must remain vigilant and enhance their cybersecurity posture to mitigate risks from such evolving threats. Understanding the potential tactics and techniques based on the MITRE ATT&CK framework, such as initial access and data exfiltration, can be instrumental in developing defensive strategies against these types of cyberattacks.