The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.
These archived files can hide malicious content, which makes it more difficult for antivirus programs to identify threats.
In early 2024, Cofense researchers discovered a new kind of malware known as Poco RAT that mainly targeted individuals who spoke Spanish and were employed in the Mining industry.
At first, it was delivered through a Google Drive-hosted 7zip archive focusing on file execution, anti-analysis, and C2 communication.
By Q2 2024, four sectors had been reached by Poco RAT; however, mining (67% of campaigns targeting one company) still remains its major objective.
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files
Poco RAT Weaponizing 7zip
The malware is characterized by its custom code that’s narrow in scope and more focused on basic RAT functionality rather than extensive monitoring or credential harvesting. Besides this, the Poco RAT attacks maintain consistency in their TTPs.
Here below, we have mentioned all the email features:-
- Finance-themed content
- Spanish language used
- Links to Google Drive-hosted 7zip archives
- Either direct links or embedded links in attached files
Poco RAT is distributed through 7zip archives containing executables, delivered via three methods. Here below we have mentioned them:-
- Direct Google Drive URLs in emails (53%)
- Links embedded in HTML files (40%)
- Links within attached PDFs (7%)
These tactics exploit legitimate file hosting services to bypass Secure Email Gateways (SEGs).
The HTML method adds an extra layer of obfuscation by first downloading an HTML file that then links to the malware and reads the report.
Although the PDF method is the rarest, it’s potentially the most effective at evading detection, as SEGs often consider PDFs non-malicious and may miss embedded URLs.
This multi-layered approach demonstrates the threat actors’ sophistication in leveraging various file types and hosting services to maximize successful malware delivery.
Poco RAT uses POCO C++ libraries, a Delphi-based malware that arrives as an executable.
Despite extensive metadata attempts to evade detection, it faces average detection rates of 38% for executables and 29% for archives.
The malware establishes persistence via registry keys, injects into the legitimate grpconv.exe process, and communicates with a C2 server at 94.131.119.126 on specific ports.
While its primary functions include gathering environment information, it can also download and execute additional malware, potentially leading to more severe compromises.
The malware’s use of popular open-source libraries and legitimate processes demonstrates its attempt to blend in with normal system operations.
“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo