Poco RAT (Trojan) – Malware

January 28, 2025

Poco RAT

Type of Malware: Trojan
Date of initial activity: 2024
Targeted Countries: Spain
Motivation: Financial gain
Attack Vectors: Phishing
Targeted Systems: Windows

Overview

Poco RAT is a remote access Trojan (RAT) that surfaced in early 2024 and was first identified on February 7, 2024. It primarily targets Spanish-speaking victims across a range of industries, with a notable emphasis on the mining sector. The malware has since been associated with a series of coordinated phishing campaigns that use finance-themed emails written in Spanish to lure recipients into downloading malicious files. Distribution typically relies on embedded links to 7zip archives hosted on reputable platforms such as Google Drive, which lets the attackers bypass traditional controls such as Secure Email Gateways (SEGs). This approach underscores the need for vigilance in organizations, particularly those in sectors that have historically been targeted by cybercriminals. The campaign also illustrates a concerning trend: attackers tailor lures to cultural and linguistic nuances to improve their success rate. Poco RAT's capabilities extend beyond simple remote access; it employs anti-analysis techniques to evade detection and communicates with a Command and Control (C2) server to carry out further malicious actions. With its focus on the mining sector and an expanding scope that includes other industries, Poco RAT is representative of the strategies employed by modern threat actors.

Targets

  • Accommodation and Food Services
  • Mining
  • Manufacturing
  • Individuals

How they operate

Poco RAT is delivered via phishing emails that entice recipients to download 7zip archives hosted on Google Drive. The delivery methods vary: the link may be embedded directly in the email body, in an attached HTML file, or in a PDF. This variety both broadens distribution and helps the lure circumvent secure email gateways (SEGs) that might otherwise flag a direct download as suspicious. Once the user executes the downloaded file, typically a Delphi-written executable, Poco RAT establishes persistence through registry keys so that it remains active after a system reboot. It then injects itself into a legitimate Windows process (specifically, grpconv.exe) to blend in with normal system activity and further evade detection. The malware connects to its C2 server at a fixed IP address on one of three designated ports: 6541, 6542, or 6543. Over this connection it sends back information about the infected environment and can receive further instructions or additional malware. Notably, C2 communication is geographically restricted, primarily to victims in Latin America, which reflects a focused operational strategy. Beyond its core RAT functionality, Poco RAT can download and execute other malicious payloads, including ones designed for credential theft or data exfiltration. Its reliance on the POCO C++ libraries both extends its functionality and makes it harder for traditional antivirus solutions to detect, because those libraries are widely used in legitimate applications. Overall, Poco RAT exemplifies the growing sophistication of malware that exploits weaknesses in both human behavior and technical defenses, and effective mitigation requires robust, layered cybersecurity measures.

MITRE Tactics and Techniques

Initial Access (TA0001):
  • Phishing (T1566): Poco RAT is delivered via phishing emails that contain links to 7zip archives hosted on platforms like Google Drive.
Execution (TA0002):
  • User Execution (T1203): Users execute the downloaded files, typically executable files within the 7zip archive, allowing the malware to run.
Persistence (TA0003):
  • Registry Run Keys / Startup Folder (T1547.001): Poco RAT establishes persistence by creating registry keys to ensure it runs at system startup.
Command and Control (C2) (TA0011):
  • Application Layer Protocol (T1071): After execution, Poco RAT connects to its C2 server (IP address: 94.131.119.126) over specific ports (6541, 6542, or 6543).
Credential Access (TA0006):
  • Input Capture (T1056): While not primarily focused on credential theft, Poco RAT can download additional malware designed for credential harvesting.
Collection (TA0009):
  • Data from Local System (T1005): Poco RAT can collect information about the operating environment and transmit this data back to the C2 server.
Defense Evasion (TA0005):
  • Obfuscated Files or Information (T1027): The use of extensive metadata and common libraries (POCO C++ libraries) makes detection more challenging. The malware also performs various checks to evade analysis.
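The "How they operate" section and the Command and Control entry above give three network-observable indicators: the C2 address 94.131.119.126, the ports 6541, 6542 and 6543, and the fact that the RAT runs inside grpconv.exe. The script below is an added example, written for this page rather than taken from the article or its source report, that turns those indicators into detection logic and runs it over a handful of constructed per-process connection log lines. The log format (`ts host= proc= dst= action=`), the hostnames, the benign destinations and the RFC 1918 definition of "internal" are all assumptions of the example; a real deployment would map the parser onto its own EDR or firewall export.

```python
"""Detection sketch for the Poco RAT network indicators described in the article.

Added illustrative example. The indicators (C2 IP, ports, host process) come from
the article; the log format and every sample line below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators from the article.
POCO_RAT_C2_IP = "94.131.119.126"
POCO_RAT_C2_PORTS = {6541, 6542, 6543}
POCO_RAT_HOST_PROCESS = "grpconv.exe"   # legitimate Windows binary the RAT injects into

# Assumption: "internal" means RFC 1918 space; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log format: "<ts> host=<name> proc=<image> dst=<ip>:<port> action=<allow|deny>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+) action=(?P<action>\S+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    reason: str
    line: str


def parse(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(event: dict) -> list[str]:
    """Return the reasons (if any) that one connection event matches a Poco RAT indicator."""
    reasons = []
    external = is_external(event["dst"])
    if event["dst"] == POCO_RAT_C2_IP:
        reasons.append("destination is the known Poco RAT C2 address")
    # Port alone is a weak indicator, so it is only raised for external destinations.
    if event["port"] in POCO_RAT_C2_PORTS and external:
        reasons.append(f"outbound connection to Poco RAT C2 port {event['port']}")
    # grpconv.exe has no business talking to the Internet; the RAT injects into it.
    if event["proc"].lower() == POCO_RAT_HOST_PROCESS and external:
        reasons.append("grpconv.exe making an outbound network connection")
    return reasons


def scan(lines) -> list[Finding]:
    """Run classify() over every parseable line; denied connections are kept, since a
    blocked beacon still means the host is infected."""
    findings = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        for reason in classify(event):
            findings.append(Finding(event["ts"], event["host"], reason, line.strip()))
    return findings


# Constructed sample log: one beacon from an injected grpconv.exe, one internal use of
# port 6541 that must not fire, one grpconv.exe talking to a file server (internal,
# must not fire), and one blocked attempt to an external host on port 6543.
SAMPLE_LOG = """\
2025-01-28T09:00:01Z host=ws-12 proc=chrome.exe dst=142.250.72.14:443 action=allow
2025-01-28T09:01:10Z host=ws-12 proc=grpconv.exe dst=94.131.119.126:6542 action=allow
2025-01-28T09:02:30Z host=ws-07 proc=outlook.exe dst=10.0.0.5:6541 action=allow
2025-01-28T09:03:45Z host=ws-07 proc=grpconv.exe dst=10.0.0.5:445 action=allow
2025-01-28T09:04:00Z host=ws-03 proc=svchost.exe dst=203.0.113.9:6543 action=deny
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host}: {f.reason}")
```

Running it reports three findings for ws-12 (the single beacon trips all three indicators) and one for ws-03, while the two internal connections on ws-07 stay silent. The port-based rule is deliberately gated on an external destination because 6541-6543 are ordinary high ports that internal services may use; the process-based rule is the most durable of the three, since the C2 address can change while the injection target is a design choice of the malware.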
References:
  • New Malware Campaign Targeting Spanish Language Victims