The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.
These archived files can hide malicious content, which makes it more difficult for antivirus programs to identify threats.
In early 2024, Cofense researchers discovered a new kind of malware known as Poco RAT that mainly targeted individuals who spoke Spanish and were employed in the Mining industry.
At first, it was delivered through a Google Drive-hosted 7zip archive focusing on file execution, anti-analysis, and C2 communication.
By Q2 2024, four sectors had been reached by Poco RAT; however, mining (67% of campaigns targeting one company) still remains its major objective.
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files
The malware is characterized by its custom code that’s narrow in scope and more focused on basic RAT functionality rather than extensive monitoring or credential harvesting. Besides this, the Poco RAT attacks maintain consistency in their TTPs.
Here below, we have mentioned all the email features:-
Poco RAT is distributed through 7zip archives containing executables, delivered via three methods. Here below we have mentioned them:-
These tactics exploit legitimate file hosting services to bypass Secure Email Gateways (SEGs).
The HTML method adds an extra layer of obfuscation by first downloading an HTML file that then links to the malware and reads the report.
Although the PDF method is the rarest, it’s potentially the most effective at evading detection, as SEGs often consider PDFs non-malicious and may miss embedded URLs.
This multi-layered approach demonstrates the threat actors’ sophistication in leveraging various file types and hosting services to maximize successful malware delivery.
Poco RAT uses POCO C++ libraries, a Delphi-based malware that arrives as an executable.
Despite extensive metadata attempts to evade detection, it faces average detection rates of 38% for executables and 29% for archives.
The malware establishes persistence via registry keys, injects into the legitimate grpconv.exe process, and communicates with a C2 server at 94.131.119.126 on specific ports.
While its primary functions include gathering environment information, it can also download and execute additional malware, potentially leading to more severe compromises.
The malware’s use of popular open-source libraries and legitimate processes demonstrates its attempt to blend in with normal system operations.
“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo
In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a colleague…
A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a grave…
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS) advisories…
A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with a…
In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA pages…
In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to a…