Critical Infrastructure Security , Cybercrime , Fraud Management & Cybercrime

Researchers Discover New Malware Aimed at Mining Sector

Remote Access Trojan 'Poco RAT' Targets Mining, Manufacturing Sectors, Says Report
Researchers Discover New Malware Aimed at Mining Sector
Poco RAT targeted Spanish-speaking workers in the mining and manufacturing sectors. (Image: Shutterstock)

Researchers have identified a new malware dubbed "Poco RAT" predominantly targeting Spanish-language victims in mining and manufacturing sectors across Latin America, according to a Wednesday report published by the phishing threat management firm Cofense Intelligence.

See Also: Panel Discussion | MITRE ATT&CK Framework: Seeing Through the Eyes of Your Attacker

Max Gannon, cyberthreat intelligence manager for Cofense, told Information Security Media Group the simple remote access Trojan has affected victims across the mining, manufacturing, hospitality and utilities industries. The malware targets its victims through an email campaign that often includes financial themes and embedded links to zip archives containing executables stored in Google Drive, according to the report.

"This campaign bypassed multiple secure email gateways despite its simplistic and clearly - to the trained employee - malicious nature," Gannon said. He added that many secure email gateways can be easily bypassed "by using combinations of attachment types and embedded URLs" to malicious files hosted on popular file hosting services.

Poco RAT was given its name because it seems to use the POCO C++ Library, a group of open-source C++ class libraries that simplify the development of network-centric portable applications in C++. The malware includes custom code designed to evade detection while maintaining communication with the system's command center in order to manage and control file operations, the report says, along with playing a secondary role in credential harvesting.

All of the targets were large corporations with branches in several Spanish-speaking countries, and hackers sent the majority - 53% - of malware through embedded URLs. Direct HTML links made up 40% of the overall delivery method of zip archives. PDFs made up the remaining 7%.

Poco RAT appears capable of delivering and downloading files that may contain additional malware that features more specialized coding for ransomware and data harvesting campaigns, according to the report. The initial malware campaign was first identified in early February. It initially targeted the mining sector and eventually spread across four majority sectors - utilities, hospitality, manufacturing and mining - throughout the second quarter of the year.

The report says threat actors over the years have used legitimate file hosting services such as Google Drive to gain access to victim networks, as Poco RAT has done throughout its ongoing campaign. According to Cofense, the malware is delivered as an executable with an .exe file extension and contains metadata that includes random company names and other details such as version numbers and trademarks.

Gannon said the newly identified malware's success in targeting a broad range of industries highlights the importance of awareness and security training for employees across sectors.

"Even if a trained employee were to fall for the emails and download the file, the caution ingrained in them by training would likely make them notice the fact that an unusual and suspicious archive was downloaded rather than the claimed PDF," he said.


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.