Dark Caracal uses Poco RAT to target Spanish-speaking enterprises in Latin America

By Admin | March 5, 2025 | 3 Mins Read

05 March 2025 | Ravie Lakshmanan | Cyber Espionage / Malware

The threat actor known as Dark Caracal has been linked to a campaign that deployed a remote access trojan called Poco RAT in attacks on Spanish-speaking targets in Latin America in 2024.

The findings come from the Russian cybersecurity company Positive Technologies, which described the malware as loaded with a “full set of espionage” features.

“It can download files, record screenshots, execute commands and manipulate systems,” researchers Denis Kazakov and Sergei Samokhin noted in a technical report published last week.

Poco RAT was previously documented by Cofense in July 2024, which detailed phishing attacks aimed at the mining, manufacturing, hospitality and utilities sectors. The infection chains are characterized by the use of finance-themed lures that trigger a multi-stage process to deploy the malware.


While the campaign was not attributed to any threat actor at the time, the latest analysis links it to Dark Caracal, a group associated with the CrossRAT and Bandook malware. It has been operating since at least 2012.

In 2021, the cyber-mercenary group was linked to a cyber espionage campaign called Bandidos, which delivered an updated version of the Bandook malware against Spanish-speaking countries in South America.

The latest set of attacks continues to focus on Spanish-speaking users, using phishing emails with invoice-related themes that carry malicious attachments written in Spanish as a starting point. The analysis of Poco RAT artifacts shows that the intrusions mainly target enterprises in Venezuela, Chile, the Dominican Republic, Colombia and Ecuador.

The attached decoy documents impersonate a wide range of industry verticals, including banking, manufacturing, healthcare, pharmaceuticals and logistics, in an attempt to lend the scheme a little more plausibility.

When opened, the files redirect victims to a link that triggers the download of a .rev archive from legitimate file-sharing services or cloud platforms such as Google Drive and Dropbox.

“Files with the .rev extension are generated by WinRAR and were originally designed to reconstruct missing or damaged volumes in multi-part archives,” the researchers explained. “Threat actors use them as hidden payload containers, helping malware evade security.”
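
A defender-side triage of the .rev trick described above, as an added example that is not from the original article or the Positive Technologies report: it lists .rev files under a directory, marks those with no .rar volume beside them, and records whether each starts with a RAR archive signature. The orphan heuristic, the function names and the sample file names are assumptions of this example, and the sample files are constructed placeholders.

```python
import os
from pathlib import Path

# Well-known RAR archive signatures (RAR 4.x and RAR 5.x).
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

def has_rar_signature(path):
    """True if the file starts with a RAR archive signature."""
    with open(path, "rb") as fh:
        return fh.read(8).startswith(RAR_MAGICS)

def triage_rev_files(root):
    """Walk `root` and describe every .rev file found.

    Heuristic (assumption of this example): a recovery volume belongs next
    to the .rar volumes it repairs, so a .rev with no .rar in the same
    directory is marked as an orphan for analyst review.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        has_rar = any(f.lower().endswith(".rar") for f in files)
        for name in sorted(files):
            if name.lower().endswith(".rev"):
                full = Path(dirpath) / name
                findings.append({
                    "path": str(full),
                    "orphan": not has_rar,
                    "rar_signature": has_rar_signature(full),
                })
    return findings

def build_sample_tree(root):
    """Create constructed sample files (no real malware or archives)."""
    root = Path(root)
    (root / "downloads").mkdir()
    (root / "backups").mkdir()
    # Lone .rev as it might arrive from a download link (constructed bytes).
    (root / "downloads" / "factura.rev").write_bytes(RAR_MAGICS[1] + b"\x00" * 32)
    # A .rev sitting beside a volume set (constructed placeholder bytes).
    (root / "backups" / "set.part1.rar").write_bytes(RAR_MAGICS[1] + b"\x00" * 32)
    (root / "backups" / "set.part1.rev").write_bytes(b"\x00" * 40)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in triage_rev_files(tmp):
            print(finding)
```

An orphan .rev in a user's download or mail-attachment directory is a lead for review, not a verdict; backup jobs can legitimately leave recovery volumes behind.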

The archive contains a Delphi-based dropper that is responsible for launching Poco RAT, which in turn establishes contact with a remote server and gives the attackers full control over compromised hosts. The malware gets its name from its use of POCO libraries in its C++ codebase.


Some of the commands supported by Poco RAT are listed below:

  • T-01 – Send collected system data to the command-and-control (C2) server
  • T-02 – Retrieve and transmit the active window title to the C2 server
  • T-03 – Download and run an executable file
  • T-04 – Download a file to the compromised machine
  • T-05 – Capture a screenshot and send it to the C2 server
  • T-06 – Execute a command in cmd.exe and send the output to the C2 server

“Poco RAT does not come with built-in persistence,” the researchers said. “Once the initial reconnaissance is complete, the server probably issues a persistence command, or attackers can use Poco RAT as a stepping stone to deploy the main payload.”
