Poco RAT Malware Targets Spanish-Speaking Mining Companies
A new and insidious malware threat, dubbed Poco RAT, has emerged, targeting Spanish-speaking companies, primarily within the mining sector across Latin America. This sophisticated Remote Access Trojan (RAT), first identified in early 2024 by cybersecurity firm Cofense, is designed to infiltrate corporate networks and establish a backdoor for malicious actors.
Email seen delivering Poco RAT via a Google Drive link embedded within image in the email body
The malware’s distribution primarily occurs through deceptive email campaigns disguised as financial communications. These emails often contain links to malicious 7zip archives hosted on Google Drive, which, when opened, unleash the Poco RAT payload.
While initially focused on the mining sector, Cofense’s report reveals that Poco RAT malware has expanded its reach into other industries, including manufacturing, hospitality, and utilities. Notably, one prominent company has borne the brunt of these attacks, accounting for a staggering 67% of all Poco RAT campaigns observed.
Poco RAT is notable for its anti-analysis features and reliance on the POCO C++ libraries, which aid in evading detection. Despite its efforts, the RAT executables faced an average detection rate of 38%, with archives at 29%. The malware’s extensive use of metadata and checks for debugging environments contributed to its anti-detection strategies.
Delivered as a Delphi-written executable (.exe), Poco RAT often includes excessive Exif metadata, ranging from random company names to version numbers. Upon execution, it establishes persistence via registry keys and injects into the legitimate Windows process grpconv.exe, which is rarely used in modern systems. The malware then connects to its Command and Control (C2) server, located at 94[.]131[.]119[.]126, communicating over ports 6541, 6542, or 6543.
Interestingly, Poco RAT’s C2 communication is selective, responding only to infected systems geolocated in Latin America. This selective approach may indicate a focused attack strategy or an attempt to evade broader detection.
As Poco RAT continues to evolve and spread, businesses must remain vigilant and bolster their defenses to safeguard their critical assets and data.
