Poco RAT Burrows Deep Into Mining Sector

Published: 23/11/2024   Category: security




The novel malware targets Spanish-speaking users via malicious Google Drive links, and taps a popular C++ library to evade detection.



Unidentified attackers are spreading a novel, credential-harvesting remote access trojan (RAT) that spies on environments and can deliver further malware, so far targeting mainly the mining and manufacturing sectors in Latin America.
Dubbed Poco RAT for its use of the popular POCO C++ libraries as an evasion tactic, the malware is spreading in an email campaign that was first discovered hitting one unnamed LATAM company in the mining sector hard. That company has received 67% of the campaign's email volume, according to Cofense, whose researchers discovered the malware and published a report today. However, since then, Poco RAT (whose name also contains the Spanish word for "a little") has targeted manufacturing, hospitality, and utility organizations, in that order.
Emails used to propagate the RAT follow a consistent pattern, which makes it easy to follow the campaign's scurrying, the researchers noted. Both the subject and message body are in Spanish and use finance themes — such as claiming to involve invoices — to lure users. Inside the email are malicious Google Drive links and HTML files, where unwitting targets will find Poco RAT nesting.
Threat actors often use legitimate file hosting services such as Google Drive to bypass secure email gateways (SEGs), a tactic leveraged by various actors and advanced persistent threat (APT) groups over the years, according to the report.
Attackers used three methods to achieve the same delivery result. Most of the messages hid the Poco RAT payload via a direct link to a 7zip archive hosted on Google Drive, while about 40% used a malicious HTML file with an embedded link that then downloads a 7zip archive hosted on Google's service. Meanwhile, about 7% of the messages use an attached PDF file to ultimately download the 7zip archive hosted on Google Drive, the researchers found.
Poco RAT is a custom-built malware focused on anti-analysis, communicating with its command-and-control server (C2), and downloading and running files, which so far have been used to monitor the environment, harvest credentials, or deliver ransomware, according to Cofense.
The malware shows consistent behavior across victims, establishing persistence upon execution, typically via a registry key. It then launches the legitimate process grpconv.exe, which has only a few ways in which it can legitimately run on a modern Windows OS, the researchers noted.
The executable itself is written in the Delphi programming language and sometimes packed via UPX, with an unusual amount of Exif metadata included in each executable, according to Cofense. The metadata typically includes a random company name, internal name, original file name, product name, legal copyrights and trademarks, and various version numbers.
Once executed, Poco RAT connects and communicates with a static C2 on at least one of three ports: 6541, 6542, or 6543. Unless an infected computer has a geolocation in Latin America, the C2 won't respond to the RAT's attempts to communicate.
If the infected computer appears to be in Latin America, the RAT then sets up communications, sending basic information about the technology environment and downloading and executing files to deliver other malware.
In addition to using Google Drive links to elude email security, Poco RAT also relies on the cross-platform, open source POCO C++ libraries, which are used for adding network functionality to desktop and mobile apps. Their use by the RAT makes it less likely to be detected than if the malware were to use its own custom code or a less widely used library, according to Cofense.
To detect and mitigate Poco RAT, it's pertinent for organizations to focus on the threat actor's use of Google Drive links, according to Cofense.
"If SEGs and defenses are tuned to treat Google Drive links as illegitimate ... the vast majority of Poco RAT campaigns can be easily prevented," according to the report.
Cofense recommends blocking and tracking all network traffic to the C2 address, 94.131.119.126, which will detect and stop every currently known instance of the RAT. In case attackers shift to a different C2 in the future, organizations can also set defenses to alert when grpconv.exe is run, which rarely happens legitimately, to prevent Poco RAT from compromising their systems, according to Cofense.
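The two host-level indicators above (grpconv.exe executing, and outbound traffic to the reported C2 address on ports 6541-6543) are easy to turn into a detection. The following script is an added example, not Cofense's code; the JSON event format and field names are assumed (loosely modelled on Sysmon process-creation and network-connection events), and the sample events are constructed.

```python
"""Added example (not from the Cofense report): flag the host-level
indicators named in the article, grpconv.exe executing and outbound
traffic to the reported C2, in constructed JSON endpoint events."""
import json
from typing import Optional

C2_ADDRESS = "94.131.119.126"          # C2 address from the article
C2_PORTS = {6541, 6542, 6543}          # C2 ports from the article
SUSPECT_IMAGE = "grpconv.exe"          # rarely runs legitimately, per Cofense

# Constructed sample telemetry; hypothetical field names, with "type"
# loosely following Sysmon (1 = process creation, 3 = network connection).
SAMPLE_EVENTS = [
    '{"host":"ws-01","type":1,"image":"C:\\\\Windows\\\\System32\\\\grpconv.exe","parent":"C:\\\\Users\\\\a\\\\factura.exe"}',
    '{"host":"ws-01","type":3,"image":"C:\\\\Users\\\\a\\\\factura.exe","dst_ip":"94.131.119.126","dst_port":6542}',
    '{"host":"ws-02","type":3,"image":"C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe","dst_ip":"142.250.72.14","dst_port":443}',
    '{"host":"ws-03","type":3,"image":"C:\\\\Users\\\\b\\\\update.exe","dst_ip":"94.131.119.126","dst_port":8080}',
]


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one parsed event, or None if nothing matched."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if event.get("type") == 1 and image == SUSPECT_IMAGE:
        return "grpconv_execution"
    if event.get("type") == 3 and event.get("dst_ip") == C2_ADDRESS:
        # Any traffic to the C2 address is worth blocking; the label records
        # whether it also used one of the three ports reported so far.
        if event.get("dst_port") in C2_PORTS:
            return "c2_traffic_known_port"
        return "c2_traffic_other_port"
    return None


def scan(lines):
    """Parse JSON event lines and return (host, label, image) for each hit."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the scan
        label = classify(event)
        if label:
            hits.append((event.get("host"), label, event.get("image")))
    return hits


if __name__ == "__main__":
    for host, label, image in scan(SAMPLE_EVENTS):
        print(f"{host}: {label} ({image})")
```

Running it against the constructed events reports the grpconv.exe launch and both connections to the C2 address, while the ordinary browser traffic produces no hit.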
