New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.

These archived files can hide malicious content, which makes it more difficult for antivirus programs to identify threats.

In early 2024, Cofense researchers discovered a new kind of malware known as Poco RAT that mainly targeted individuals who spoke Spanish and were employed in the Mining industry.

At first, it was delivered through a Google Drive-hosted 7zip archive focusing on file execution, anti-analysis, and C2 communication.

By Q2 2024, four sectors had been reached by Poco RAT; however, mining (67% of campaigns targeting one company) still remains its major objective.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Poco RAT Weaponizing 7zip

The malware is characterized by its custom code that’s narrow in scope and more focused on basic RAT functionality rather than extensive monitoring or credential harvesting. Besides this, the Poco RAT attacks maintain consistency in their TTPs.

Sectors targeted by email volume (Source – Cofense)

Here below, we have mentioned all the email features:-

  • Finance-themed content
  • Spanish language used
  • Links to Google Drive-hosted 7zip archives
  • Either direct links or embedded links in attached files
Email seen delivering Poco RAT via a Google Drive link (Source – Cofense)

Poco RAT is distributed through 7zip archives containing executables, delivered via three methods. Here below we have mentioned them:-

  • Direct Google Drive URLs in emails (53%)
  • Links embedded in HTML files (40%)
  • Links within attached PDFs (7%)

These tactics exploit legitimate file hosting services to bypass Secure Email Gateways (SEGs). 

The HTML method adds an extra layer of obfuscation by first downloading an HTML file that then links to the malware and reads the report.

Although the PDF method is the rarest, it’s potentially the most effective at evading detection, as SEGs often consider PDFs non-malicious and may miss embedded URLs. 

This multi-layered approach demonstrates the threat actors’ sophistication in leveraging various file types and hosting services to maximize successful malware delivery.

Poco RAT uses POCO C++ libraries, a Delphi-based malware that arrives as an executable.

Despite extensive metadata attempts to evade detection, it faces average detection rates of 38% for executables and 29% for archives.

The malware establishes persistence via registry keys, injects into the legitimate grpconv.exe process, and communicates with a C2 server at 94.131.119.126 on specific ports.

While its primary functions include gathering environment information, it can also download and execute additional malware, potentially leading to more severe compromises.

The malware’s use of popular open-source libraries and legitimate processes demonstrates its attempt to blend in with normal system operations.

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

11 hours ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

11 hours ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

11 hours ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

11 hours ago

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

11 hours ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

11 hours ago