Corporate networks in Spanish-speaking Latin American countries are targeted
Following their analysis of the Poco RAT malware, experts from Positive Technologies' Threat Intelligence team at the PT Expert Security Center (PT ESC) discovered that the cybercriminal group Dark Caracal, active since 2012, had updated its tools and attack tactics. Previously, the backdoor was not attributed to any known group. However, further analysis allowed experts to link the attacks to Dark Caracal.
Throughout 2024, PT Expert Security Center's internal cyber intelligence systems recorded a campaign using Poco RAT—a backdoor that allows hackers to gain remote control of a victim's device. The attacks were aimed at Spanish-speaking users, as evidenced by the language of the phishing emails and the content of the malicious attachments. The main countries from which hackers uploaded malware samples to public sandboxes were Chile, Colombia, the Dominican Republic, and Venezuela.
A victim received an email reminding them to pay a bill. The email carried an attachment containing a decoy document whose file name was chosen to suggest a financial relationship between the victim and a legitimate organization. Such decoy files were not detected by antivirus software and were deliberately blurred, which prompted inexperienced users to open the document; doing so automatically downloaded a .rev archive. The archive contained a dropper[1] named to match the decoy document, further reinforcing the victim's trust. The dropper's main task was to prepare and launch Poco RAT without leaving traces on disk.
Dark Caracal hacks government and military structures, activists, journalists, and commercial organizations upon request. Their primary tool for conducting attacks is the Bandook remote access trojan, a malware used exclusively by the group.
Interestingly, the distribution of Bandook samples stopped exactly when PT ESC specialists started detecting Poco RAT samples. Poco RAT has functional similarities to Bandook and uses similar network infrastructure.
Denis Kazakov, Cybersecurity Intelligence Specialist at PT ESC's TI team, explained: "We believe this campaign is a continuation of Dark Caracal's activities and reflects its efforts to adapt to modern security measures. Over the past eight months (since June 2024), 483 malicious Poco RAT samples have been identified—significantly more than the 355 Bandook samples detected between February 2023 and September 2024. This increase may suggest a shift in the group's tactics and a transition to mass mailings using a new tool."
Sandbox solutions, such as PT Sandbox, can effectively detect Poco RAT. Network activity of Poco RAT and Bandook in a compromised system can also be identified using network traffic analysis (NTA) tools, such as PT NAD. Next-generation firewall (NGFW) products, like PT NGFW, can further disrupt the communication of malware with attackers' command-and-control servers. To detect and respond to such threats in a timely manner, companies can rely on endpoint protection systems, such as MaxPatrol EDR, along with employee training on safe email practices and strategies to counter social engineering techniques. The online service PT Knockin helps companies assess whether their email security solutions can withstand attacks involving Poco RAT.
[1] A dropper is a type of malware designed to deliver other malicious software to an infected device and install it stealthily.