Dark Caracal threat group has updated its malware arsenal

A recent analysis found that Dark Caracal, a prolific spyware campaign run by unidentified operators and active for over a decade, has started using a new type of malware in its recent attacks. According to Positive Technologies, this malware is called Poco RAT and has been used in a campaign targeting Spanish-speaking Latin American countries since 2022.

Read on to find out more about the malware and the threat group.

What is Dark Caracal?

First discovered by the Electronic Frontier Foundation (EFF) and the mobile security firm Lookout, Dark Caracal specializes in global cyber espionage, with targets such as medical professionals, enterprises, journalists, educational institutions, and activists across more than 21 countries. The group is believed to have been operating since 2012, and the data stolen over that time includes text messages, photos, account data, documents, call records, and audio recordings.

In a report from the EFF and Lookout in 2018, the group was believed to be operating from a building belonging to the Lebanese General Security Directorate in Beirut.

What you should know about Poco RAT

Poco RAT was discovered by analysts at the Positive Technologies Expert Security Center in early 2024. After studying it closely, they found that it resembled Bandook, a malware family used frequently and exclusively by Dark Caracal, and on that basis Poco RAT was linked to the group.

Poco RAT is a credential-stealing remote access trojan with a full range of espionage features, such as screenshot capture, file uploads, command execution and system process manipulation. Since 2022, Poco RAT has been targeting mining, manufacturing, and hotel sectors in Latin American countries like Venezuela, Chile, and Colombia.

The group uses phishing to trick victims into downloading the malware, often posing as legitimate organizations in sectors such as banking, manufacturing, and healthcare. Opening the attached file triggers the download of a .rev archive from legitimate file-sharing services such as Google Drive and Dropbox.

According to the researchers, threat actors often use .rev files in this way because they serve as stealthy payload containers that evade security detection.
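The delivery chain described above (a phishing attachment that pulls a .rev archive from a file-sharing service) gives defenders a simple thing to watch for in web-proxy or email-gateway telemetry. The script below is an added detection example, not code from the article or from Positive Technologies. It assumes a simplified, constructed proxy log format (timestamp, client IP, URL, and the Content-Disposition file name if the proxy recorded one, or `-`), a hypothetical watch-list of file-sharing domains, and constructed sample lines whose URLs and IDs are not real indicators. Downloads named with a .rev extension are flagged, with higher severity when the source is one of the watched file-sharing domains.

```python
"""Flag downloads of .rev archives from file-sharing services in a proxy log.

Added defensive example, not code from the article or from Positive Technologies.
Assumptions (not from the article): a simplified, constructed proxy log format
    <timestamp> <client_ip> <url> <content-disposition filename in quotes, or ->
and a small, hypothetical watch-list of file-sharing domains.
"""
from urllib.parse import urlparse

# Hypothetical watch-list: the article names Google Drive and Dropbox; the exact
# hostnames used here are an assumption for this example.
FILE_SHARING_DOMAINS = ("drive.google.com", "dropbox.com", "dropboxusercontent.com")

# Constructed sample log lines; none of the URLs, IDs or addresses are real indicators.
SAMPLE_LOG = """\
2024-03-01T10:01:02Z 10.0.0.15 https://drive.google.com/uc?export=download&id=EXAMPLE1 "invoice_march.rev"
2024-03-01T10:02:10Z 10.0.0.22 https://www.dropbox.com/s/EXAMPLE2/report.pdf.rev?dl=1 -
2024-03-01T10:03:33Z 10.0.0.15 https://www.dropbox.com/s/EXAMPLE3/quarterly.pdf?dl=1 -
2024-03-01T10:04:40Z 10.0.0.31 https://intranet.example.com/backup/archive.part1.rev -
2024-03-01T10:05:05Z 10.0.0.40 https://drive.google.com/file/d/EXAMPLE5/view -
"""


def is_rev_archive_name(name):
    """True if the file name ends in .rev (case-insensitive), e.g. 'report.pdf.rev'."""
    return name.lower().endswith(".rev")


def is_file_sharing_host(host):
    """True if host is one of the watched domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def classify_download(url, disposition_name=None):
    """Return a finding dict for a suspicious download, or None.

    The file name comes from the Content-Disposition header when the proxy
    recorded one (download links such as drive.google.com/uc carry no name in
    the path); otherwise the last URL path segment is used.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    name = disposition_name or parsed.path.rsplit("/", 1)[-1]
    if not is_rev_archive_name(name):
        return None  # only .rev containers are of interest here
    severity = "high" if is_file_sharing_host(host) else "medium"
    return {"host": host, "filename": name, "severity": severity}


def scan_log(text):
    """Parse the constructed log format and return findings with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the whole scan
        _ts, client_ip, url, disposition = parts
        disposition_name = None if disposition == "-" else disposition.strip('"')
        finding = classify_download(url, disposition_name)
        if finding:
            finding.update({"line": lineno, "client_ip": client_ip})
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] line {f['line']}: {f['client_ip']} fetched "
              f"{f['filename']} from {f['host']}")
```

Run as-is, the script flags three of the five constructed lines: the two .rev downloads from the watched domains as high severity and the internal .rev download as medium. The medium tier exists because .rev is also a legitimate RAR recovery-volume extension, so an alert on the extension alone needs triage; matching on the file-sharing host as well is what raises confidence. The same `classify_download` check can be applied to attachment names or embedded links at an email gateway.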

The takeaway

Let this serve as a reminder to stay cautious with email, especially messages that carry attachments, links, or dubious login requests.
