Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Agent Raccoon. Show all posts

Hackers Use This New Malware to Backdoor Targets in Middle East, Africa and U.S

 

Various entities in the Middle East, Africa, and the United States have fallen victim to an unidentified threat actor orchestrating a campaign involving the dissemination of a recently discovered backdoor named Agent Racoon. According to Chema Garcia, a researcher at Palo Alto Networks Unit 42, the malware is crafted using the .NET framework and exploits the domain name service (DNS) protocol to establish a covert communication channel, facilitating diverse backdoor functionalities.

The targeted organizations hail from a range of sectors, including education, real estate, retail, non-profit, telecommunications, and government. Despite the lack of attribution to a specific threat actor, the campaign is suspected to be state-sponsored due to discernible victimology patterns and the utilization of sophisticated detection and defense evasion techniques. Palo Alto Networks is monitoring this threat cluster under the label CL-STA-0002. The exact method of infiltration and the timeline of the attacks remain unclear at this point.

The adversary employs additional tools alongside Agent Racoon, such as a customized version of Mimikatz named Mimilite and a novel utility known as Ntospy. The latter utilizes a custom DLL module implementing a network provider to pilfer credentials for a remote server. Notably, while Ntospy is employed across the affected organizations, Mimilite and Agent Racoon are specifically found in the environments of non-profit and government-related organizations.

Agent Racoon, executed through scheduled tasks, enables the execution of commands, uploading and downloading of files, all while camouflaging itself as Google Update and Microsoft OneDrive Updater binaries. The command-and-control (C2) infrastructure linked to the implant dates back to at least August 2020, with the earliest sample of Agent Racoon uploaded to VirusTotal in July 2022.

Unit 42's investigation revealed instances of successful data exfiltration from Microsoft Exchange Server environments, resulting in the theft of emails matching various search criteria. The threat actor has also been observed harvesting victims' Roaming Profile. Despite these findings, the tool set associated with this campaign has not been definitively linked to a specific threat actor and appears to extend beyond a single cluster or campaign, according to Garcia.