New Poco RAT Targets Spanish-Speaking Victims in Phishing Campaign
Briefly

Most of the malware's custom code appears to focus on anti-analysis, communicating with its command-and-control center (C2), and downloading and running files, with only limited focus on monitoring or harvesting credentials.
Infection chains start with finance-themed phishing emails that either lead to 7-Zip archive files hosted on Google Drive or carry attachments such as HTML or PDF files, in order to avoid email gateways.
The HTML and PDF files contain Google Drive links that download Poco RAT; embedding the links within files is a tactic to evade detection by secure email gateways.
Poco RAT, a Delphi-based malware that employs the POCO C++ Libraries, establishes persistence on Windows systems, contacts C2 servers for additional payloads, and reflects a focus on targeting Latin America.
Read at The Hacker News