Russian Government and IT Firms Receive Spear-Phishing Emails with Trojans and Backdoors
Published on August 12, 2024
A simple Remote Access Trojan (RAT) called Poco RAT that targets Spanish-language victims via email phishing was identified by Cofense security researchers, who first noticed the trojan in early 2024. The ongoing email campaigns deliver malware via 7zip archives containing Google Drive executables. Â
The threat actors mainly target companies in the mining sector, but manufacturing, hospitality, and utilities sectors are also affected.Â
The phishing emails generally employ finance-themed lures in Spanish that include malicious links or HTML or PDF attachments with links to 7zip archives hosted on Google Drive, which contain the Poco RAT executable.Â
The links leading to the download of the 7zip archives would be hidden behind a file within a file to evade detection from Secure Email Gateways (SEGs), especially by using legitimate file hosting services like Google Drive.
Emails with an embedded Google Drive link leading to downloading an HTML file that provides a link to download a 7zip archive confuse SEGs, which would only check an apparently legitimate HTML file while exploring the embedded URL.
Once the RAT is executed, it establishes persistence via a registry key and launches and injects into the legitimate grpconv.exe process, which does not usually run legitimately on modern Windows OS.Â
The malware connects to its C2 server, which does not respond to communication attempts unless the infected computer’s geo-location is in Latin America. The server can communicate basic information about the environment and download and execute files.
Poco RAT employs cross-platform open-source POCO C++ libraries, which are commonly used for adding network functionality to desktop and mobile apps, making malware detection less likely.Â
The executable written in Delphi, sometimes UPX packed, has an unusual amount of Exif metadata that includes random vectors like Company Name, Internal Name, Original File Name, Product Name, Legal Copyrights and Trademarks, and version numbers.
Most of the malware’s custom code focuses on anti-analysis, C2 communication, and downloading and running files, showing limited interest in monitoring or harvesting credentials.
RATs were seen distributed via various pirated software, including cracked versions of Microsoft Office and Windows downloaded from torrent websites.