Ethical Hacking News
A highly sophisticated piece of malware known as Poco RAT has been linked to a campaign by the threat actor Dark Caracal that targeted Spanish-speaking enterprises in Latin America. The attackers used phishing emails with invoice-related themes, decoy documents impersonating industry verticals, and repurposed files with the .rev extension to evade security detection. This campaign highlights the importance of robust cybersecurity measures against evolving cyber threats.
The Poco RAT malware was linked to a Dark Caracal campaign targeting Spanish-speaking enterprises in Latin America. The attackers used phishing emails with invoice-related themes and decoy documents impersonating industry verticals to evade security detection. Files with the .rev extension were repurposed as stealthy payload containers, helping the malware evade security detection. Commands supported by Poco RAT included data collection, window title transmission, executable file download, and screenshot capture. The campaign targeted enterprises in Venezuela, Chile, the Dominican Republic, Colombia, and Ecuador.
The world of cyber espionage is filled with threats, and one such threat actor known as Dark Caracal has been linked to a campaign that utilized the Poco RAT remote access trojan (RAT) to target Spanish-speaking enterprises in Latin America. According to Russian cybersecurity company Positive Technologies, this campaign was discovered by the firm's researchers Denis Kazakov and Sergey Samokhin, who documented the malware in a technical report published last week.
Poco RAT is a sophisticated piece of malware that was previously documented by Cofense in July 2024, in a report detailing phishing attacks aimed at the mining, manufacturing, hospitality, and utilities sectors. The infection chains were characterized by the use of finance-themed lures that triggered a multi-step process to deploy the malware. However, it wasn't until Positive Technologies identified tradecraft overlaps with Dark Caracal that the campaign's true nature was revealed.
Dark Caracal is an advanced persistent threat (APT) known for operating malware families like CrossRAT and Bandook. The cyber mercenary group has been linked to various cyber espionage campaigns over the years, including a notable one in 2021 where it delivered an updated version of the Bandook malware against Spanish-speaking countries in South America.
The latest campaign by Dark Caracal used phishing emails with invoice-related themes that bore malicious attachments written in Spanish as a starting point. An analysis of Poco RAT artifacts revealed that the intrusions were mainly targeting enterprises in Venezuela, Chile, the Dominican Republic, Colombia, and Ecuador.
The attackers employed decoy documents impersonating a wide range of industry verticals, including banking, manufacturing, healthcare, pharmaceuticals, and logistics. Upon opening these files, victims were redirected to links that triggered the download of a .rev archive from legitimate file-sharing services or cloud storage platforms like Google Drive and Dropbox.
Interestingly, threat actors repurposed files with the .rev extension as stealthy payload containers, helping malware evade security detection. Present within the archive was a Delphi-based dropper that launched Poco RAT, which in turn established contact with a remote server and granted attackers full control over compromised hosts.
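One defender-side check the delivery chain above suggests, as an added example that is not from the article or from Positive Technologies' report: a small Python scanner over constructed proxy-log lines that flags downloads of .rev archives, raising the severity when the source is one of the file-sharing hosts named above. The log format, the host list and the sample lines are assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Assumed list of file-sharing hosts; the article names Google Drive and
# Dropbox as distribution points, the exact hostnames are this example's guess.
FILE_SHARING_HOSTS = {
    "drive.google.com",
    "docs.google.com",
    "dropbox.com",
    "dl.dropboxusercontent.com",
}

# Constructed proxy-log format: timestamp client method url status filename,
# where filename comes from a Content-Disposition header ("-" if none).
SAMPLE_LOG = """\
2025-03-03T10:14:02Z 10.1.2.34 GET https://drive.google.com/uc?export=download&id=ABC123 200 factura_0319.rev
2025-03-03T10:15:44Z 10.1.2.35 GET https://www.dropbox.com/s/xyz/Factura-Marzo.rev?dl=1 200 -
2025-03-03T10:16:10Z 10.1.2.36 GET https://example.com/report.pdf 200 -
2025-03-03T10:17:01Z 10.1.2.37 GET https://intranet.local/tools/archive.rev 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<fname>\S+)$"
)


def _is_sharing_host(host: str) -> bool:
    """True if host is, or is a subdomain of, a listed file-sharing host."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def _has_rev_extension(url: str, fname: str) -> bool:
    """Check both the URL path and the served filename for a .rev extension."""
    path = urlparse(url).path.lower()
    return path.endswith(".rev") or fname.lower().endswith(".rev")


def find_rev_downloads(log_text: str) -> list[dict]:
    """Return one alert per .rev download; 'high' when it came from a sharing host."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not _has_rev_extension(m["url"], m["fname"]):
            continue
        host = urlparse(m["url"]).hostname or ""
        severity = "high" if _is_sharing_host(host) else "medium"
        alerts.append({"ts": m["ts"], "client": m["client"],
                       "host": host, "severity": severity})
    return alerts
```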
Some of the commands supported by Poco RAT included:
- T-01 - Send collected system data to the command-and-control (C2) server
- T-02 - Retrieve and transmit the active window title to the C2 server
- T-03 - Download and run an executable file
- T-04 - Download a file to the compromised machine
- T-05 - Capture a screenshot and send it to the C2 server
- T-06 - Execute a command in cmd.exe and send the output to the C2 server
Researchers noted that Poco RAT did not come with a built-in persistence mechanism, meaning that once initial reconnaissance was complete, the server likely issued a command to establish persistence. Alternatively, attackers may have used Poco RAT as a stepping stone to deploy the primary payload.
The findings of this campaign serve as a stark reminder of the ever-evolving nature of cyber threats and the importance of robust cybersecurity measures. As Dark Caracal continues its shadowy campaigns, it is essential that enterprises in Latin America remain vigilant and take proactive steps to protect themselves against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Shadowy-Campaign-Dark-Caracals-Poco-RAT-Malware-Attacks-Spanish-Speaking-Enterprises-in-Latin-America-ehn.shtml
https://thehackernews.com/2025/03/dark-caracal-uses-poco-rat-to-target.html
Published: Wed Mar 5 09:27:28 2025 by llama3.2 3B Q4_K_M