Full Report
The threat actor known as Dark Caracal has been attributed to a campaign that deployed a remote access trojan called Poco RAT in attacks targeting Spanish-speaking targets in Latin America in 2024. The findings come from Russian cybersecurity company Positive Technologies, which described the malware as loaded with a "full suite of espionage features." "It could upload files, capture screenshots
Analysis Summary
# Threat Actor: Dark Caracal
## Attribution & Identity
* **Identification:** Advanced Persistent Threat (APT) actor known as Dark Caracal.
* **Associated Groups/History:** Operational since at least 2012. Previously tied to the "Bandidos" cyber espionage campaign in 2021. Known for deploying malware families like CrossRAT and Bandook.
## Activity Summary
* **Recent Campaign (2024):** Deployed the Poco RAT in attacks targeting Spanish-speaking enterprises in Latin America.
* **Methodology:** Infection chains typically involve phishing emails using finance-themed lures (e.g., invoices) written in Spanish. The lure triggers a multi-step process to deploy the malware.
* **Payload Delivery:** Attachments direct victims to a link that downloads a `.rev` archive (a repurposed WinRAR volume file used as a stealthy container) from legitimate file-sharing services (Google Drive, Dropbox). This archive contains a Delphi-based dropper that launches Poco RAT.
## Tactics, Techniques & Procedures
* **Initial Access:** Phishing emails with malicious attachments disguised as invoices.
* **Execution/Defense Evasion:** Use of `.rev` extensions generated by WinRAR as payload containers to evade security detection.
* **Command and Control:** Establishing contact with a remote server via Poco RAT to gain full control over compromised hosts.
* **Capabilities (Poco RAT):** Full suite of espionage features, including uploading files, capturing screenshots, executing commands, and manipulating system processes.
  * Specific command listed: T-01 (Send collected system data to C2).
* **Malware Used:** Poco RAT (Remote Access Trojan), CrossRAT, Bandook.
## Targeting
* **Sectors:** Banking, manufacturing, healthcare, pharmaceuticals, logistics, mining, hospitality, and utilities (drawn from both the current campaign and previous related activity).
* **Geography:** Spanish-speaking countries in Latin America, with Venezuela, Chile, the Dominican Republic, Colombia, and Ecuador named explicitly.
* **Victims:** Enterprises within the targeted sectors in the specified Latin American countries.
## Tools & Infrastructure
* **Malware Families Used:** Poco RAT, CrossRAT, Bandook.
* **Infrastructure & Delivery:** Legitimate file-sharing services/cloud storage platforms utilized for hosting the `.rev` payload containers (e.g., Google Drive, Dropbox).
* **Dropper:** Delphi-based dropper used to launch Poco RAT.
## Implications
Dark Caracal remains an active and sophisticated cyber espionage entity focused on Spanish-speaking organizations in Latin America. Their continued use of file-sharing services and repurposing of legitimate file formats (`.rev`) indicates a persistent effort to evade modern endpoint detection mechanisms while maintaining full remote control capabilities via advanced RATs like Poco RAT.
## Mitigations
* Implement robust email filtering capable of analyzing sophisticated lures and attachments, particularly those related to invoices.
* Increase scrutiny and implement controls around opening files downloaded from external sources, especially multi-part or unusual archive formats like `.rev`.
* Monitor egress traffic for suspicious connections initiated by newly executed processes, indicative of RAT callback activity.
* Maintain layered defenses capable of detecting known malware families associated with the actor (Poco RAT, Bandook, CrossRAT).
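The egress-monitoring mitigation above, as an added example that is not from the report or from Positive Technologies: a small Python correlation over constructed log lines flags a `.rev` download from a file-sharing host that is followed, on the same host, by a newly started process making an outbound connection. The log format, the hostnames in `FILE_SHARING_HOSTS`, the time window and every sample value are assumptions.

```python
"""Added example: correlate a .rev download from a file-sharing service with a
subsequent outbound connection from a newly started process (RAT callback pattern).
The pipe-delimited log format and all sample values are constructed for this demo."""
from datetime import datetime, timedelta

# Hosts named in the report as hosting .rev containers (exact hostnames are assumptions).
FILE_SHARING_HOSTS = {"drive.google.com", "www.dropbox.com", "dropbox.com"}
CALLBACK_WINDOW = timedelta(minutes=30)  # assumed window between download and callback


def parse_line(line):
    """Parse one constructed event: ts|host|kind|field1|field2."""
    ts, host, kind, *fields = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "fields": fields}


def find_rev_callback_chains(lines):
    """Return (host, url, process_image, destination) for each chain where a .rev file
    fetched from a file-sharing host is followed within CALLBACK_WINDOW by a process
    start and an outbound connection from that same process on the same host."""
    events = [parse_line(l) for l in lines if l.strip()]
    hits = []
    for dl in events:
        if dl["kind"] != "proxy":
            continue
        domain, url = dl["fields"]
        path = url.split("?", 1)[0].lower()  # ignore query string when checking extension
        if domain not in FILE_SHARING_HOSTS or not path.endswith(".rev"):
            continue
        deadline = dl["ts"] + CALLBACK_WINDOW
        started = {}  # pid -> image, for processes started after the download
        for ev in events:
            if ev["host"] != dl["host"] or not (dl["ts"] < ev["ts"] <= deadline):
                continue
            if ev["kind"] == "proc":
                pid, image = ev["fields"]
                started[pid] = image
            elif ev["kind"] == "net":
                pid, dest = ev["fields"]
                if pid in started:  # connection from a process born after the download
                    hits.append((dl["host"], url, started[pid], dest))
    return hits


# Constructed sample log: ws-17 shows the chain, ws-22 is benign activity.
SAMPLE_LOG = """\
2024-05-06T09:01:10|ws-17|proxy|drive.google.com|/download/Factura_0421.rev?dl=1
2024-05-06T09:03:42|ws-17|proc|4412|C:\\Users\\ana\\AppData\\Local\\Temp\\factura.exe
2024-05-06T09:04:05|ws-17|net|4412|203.0.113.10:443
2024-05-06T09:05:00|ws-22|proxy|drive.google.com|/download/report.pdf
2024-05-06T09:06:00|ws-22|proc|800|C:\\Windows\\System32\\notepad.exe
2024-05-06T09:06:30|ws-22|net|800|198.51.100.5:443
"""

if __name__ == "__main__":
    for hit in find_rev_callback_chains(SAMPLE_LOG.splitlines()):
        print("possible .rev dropper callback:", hit)
```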