Spanish-speaking victims are being targeted by a phishing email campaign that delivers a new remote access trojan (RAT) called Poco RAT, active since at least February 2024.
According to the cybersecurity company Cofense, the attacks primarily affect the mining, manufacturing, hospitality and utilities sectors.
“Most of the custom code in the malware appears to focus on anti-analysis, communication with command-and-control (C2), and downloading and running files, with limited emphasis on monitoring or credential harvesting,” Cofense said.
Infection chains begin with phishing messages carrying financial-themed lures that trick recipients into clicking on an embedded URL that points to a 7-Zip archive file located on Google Drive.
Other observed methods include HTML or PDF files attached directly to emails or hosted behind another embedded Google Drive link. The abuse of legitimate services by threat actors is not a new phenomenon, as it allows them to bypass Secure Email Gateways (SEGs).
The HTML files distributed by the Poco RAT campaign, in turn, contain a link that, when clicked, downloads an archive containing the malware’s executable file.
“This tactic is likely to be more effective than simply providing a URL to directly download the malware, as any SEGs that probe the embedded URL will only download and inspect the HTML file, which appears to be legitimate,” Cofense noted.
The PDFs are no different: they also contain a link to a Google Drive file hosting the Poco RAT.
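The two-hop lure described above (an HTML attachment that only links onward to an archive on a file-hosting service) is what a gateway that inspects just the first hop misses. The following is an added example, not code from Cofense or from the article: a follow-up check that pulls every link out of an HTML attachment and flags those that point at a file host or directly at an archive. The host list, extensions and the sample lure are constructed assumptions.

```python
"""Flag HTML attachments that merely redirect to an archive download."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists: file hosts seen abused for second-stage downloads, archive suffixes
FILE_HOSTS = {"drive.google.com", "docs.google.com"}
ARCHIVE_EXTS = (".7z", ".zip", ".rar")


class LinkExtractor(HTMLParser):
    """Collect <a>/<area> hrefs and <meta http-equiv=refresh> targets."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "area") and a.get("href"):
            self.links.append(a["href"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # Content looks like "3; url=https://..." ; keep everything after the first "="
            content = a.get("content", "")
            if "url=" in content.lower():
                self.links.append(content.split("=", 1)[1].strip())


def extract_links(html: str) -> list:
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def suspicious_links(html: str) -> list:
    """Return links that lead to a file host or straight to an archive file."""
    hits = []
    for link in extract_links(html):
        parsed = urlparse(link)
        host = parsed.hostname or ""
        if host in FILE_HOSTS or parsed.path.lower().endswith(ARCHIVE_EXTS):
            hits.append(link)
    return hits


# Constructed sample lure: one benign link, one Drive link, one meta-refresh to an archive
SAMPLE_LURE = """<html><body><p>Su factura est\u00e1 lista.</p>
<a href="https://example.com/ayuda">Ayuda</a>
<a href="https://drive.google.com/uc?id=PLACEHOLDER_ID">Descargar factura</a>
<meta http-equiv="refresh" content="3; url=https://cdn.example.net/files/factura.7z">
</body></html>"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_LURE):
        print("FLAG", hit)
```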
Once launched, the Delphi-based malware resides on the compromised Windows host and communicates with the C2 server to deliver additional payloads. It takes its name from its use of the POCO C++ Libraries.
The use of Delphi is a sign that the unidentified threat actors behind the campaign are focused on Latin America, a region that has long been targeted by banking trojans written in that programming language.
This connection is strengthened by the fact that the C2 server does not respond to requests from infected computers that are not located in that geographic region.
The development coincides with malware authors increasingly using QR codes embedded in PDF files to trick users into visiting phishing pages designed to collect Microsoft 365 login credentials.
It also follows social engineering campaigns that use fraudulent sites promoting popular software to deliver malware such as RATs and information stealers, including AsyncRAT and RisePro.
Similar data theft attacks have also targeted internet users in India with fake SMS messages falsely claiming that a package has not been delivered and asking them to click on a provided link to update their details.
The SMS phishing campaign has been attributed to a Chinese-speaking threat actor named Smishing Triad, which has a history of using compromised or purposely registered Apple iCloud accounts (e.g., “fredyma514@hlh-web.de”) to send abusive messages for financial fraud.
“The actors registered domain names under the guise of India Post around June but did not actively use them, likely in preparation for the large-scale activity that became visible in July,” Resecurity said. “The goal of this campaign is to steal massive amounts of personally identifiable information (PII) and payment data.”