New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.

These archived files can hide malicious content, which makes it more difficult for antivirus programs to identify threats.

In early 2024, Cofense researchers discovered a new kind of malware known as Poco RAT that mainly targeted individuals who spoke Spanish and were employed in the Mining industry.

At first, it was delivered through a Google Drive-hosted 7zip archive focusing on file execution, anti-analysis, and C2 communication.

By Q2 2024, four sectors had been reached by Poco RAT; however, mining (67% of campaigns targeting one company) still remains its major objective.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Poco RAT Weaponizing 7zip

The malware is characterized by its custom code that’s narrow in scope and more focused on basic RAT functionality rather than extensive monitoring or credential harvesting. Besides this, the Poco RAT attacks maintain consistency in their TTPs.

Sectors targeted by email volume (Source – Cofense)

Here below, we have mentioned all the email features:-

  • Finance-themed content
  • Spanish language used
  • Links to Google Drive-hosted 7zip archives
  • Either direct links or embedded links in attached files
Email seen delivering Poco RAT via a Google Drive link (Source – Cofense)

Poco RAT is distributed through 7zip archives containing executables, delivered via three methods. Here below we have mentioned them:-

  • Direct Google Drive URLs in emails (53%)
  • Links embedded in HTML files (40%)
  • Links within attached PDFs (7%)

These tactics exploit legitimate file hosting services to bypass Secure Email Gateways (SEGs). 

The HTML method adds an extra layer of obfuscation by first downloading an HTML file that then links to the malware and reads the report.

Although the PDF method is the rarest, it’s potentially the most effective at evading detection, as SEGs often consider PDFs non-malicious and may miss embedded URLs. 

This multi-layered approach demonstrates the threat actors’ sophistication in leveraging various file types and hosting services to maximize successful malware delivery.

Poco RAT uses POCO C++ libraries, a Delphi-based malware that arrives as an executable.

Despite extensive metadata attempts to evade detection, it faces average detection rates of 38% for executables and 29% for archives.

The malware establishes persistence via registry keys, injects into the legitimate grpconv.exe process, and communicates with a C2 server at 94.131.119.126 on specific ports.

While its primary functions include gathering environment information, it can also download and execute additional malware, potentially leading to more severe compromises.

The malware’s use of popular open-source libraries and legitimate processes demonstrates its attempt to blend in with normal system operations.

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

16 hours ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

20 hours ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

20 hours ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

20 hours ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

20 hours ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

20 hours ago