Unmasking Agent Racoon: Stealthy Cyber Threat Strikes Organizations Across the Globe!

Security researchers at Palo Alto Networks Unit 42 have identified a new and sophisticated threat actor targeting organizations across the Middle East, Africa, and the United States. The malicious campaign revolves around a newly discovered backdoor named Agent Racoon.

The malware, written in the .NET framework, uses the Domain Name System (DNS) protocol to establish a covert channel, over which it provides its backdoor functionality. According to Chema Garcia, a researcher at Palo Alto Networks Unit 42, the attacks have affected a wide range of sectors, including education, real estate, retail, non-profits, telecom, and government entities.

"This malware family is written using the .NET framework and leverages the domain name service (DNS) protocol to create a covert channel and provide different backdoor functionalities." - Chema Garcia, Palo Alto Networks Unit 42

The nature of the attacks suggests nation-state alignment, as indicated by the victimology pattern and the use of advanced detection-evasion and defense-evasion techniques. The specific method used to breach these organizations and the timeline of the attacks remain unclear at this point.

The cybersecurity firm has labeled this threat cluster CL-STA-0002. Notably, the attacks involve the deployment of additional tools, including a customized version of Mimikatz called Mimilite and a new utility named Ntospy. The latter uses a custom DLL module that registers itself as a Windows network provider, enabling the theft of credentials and their transfer to a remote server.
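The network-provider mechanism the article attributes to Ntospy can be audited on a Windows host. The following PowerShell is added here as an example and is not taken from the article or from Unit 42; it lists every registered network provider DLL and flags for review any that is missing or not signed by Microsoft, and it assumes administrative rights on the host being checked.

```powershell
# Added example (not from the article or Unit 42): enumerate the network
# providers Windows loads during logon, the mechanism the article says
# Ntospy abuses, and flag any provider DLL that is not signed by Microsoft.
# Assumes it is run with administrative rights on the host being audited.
$orderKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$providers = (Get-ItemProperty -Path $orderKey).ProviderOrder -split ','

foreach ($name in $providers) {
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    if (-not (Test-Path $npKey)) {
        Write-Warning "$name is listed in ProviderOrder but has no NetworkProvider key"
        continue
    }

    # ProviderPath is the DLL the logon process loads for this provider.
    $path     = (Get-ItemProperty -Path $npKey).ProviderPath
    $resolved = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path $resolved)) {
        Write-Warning "$name points at a missing DLL: $resolved"
        continue
    }

    # Unsigned DLLs, or DLLs signed by someone other than Microsoft, deserve a look.
    $sig     = Get-AuthenticodeSignature -FilePath $resolved
    $subject = $sig.SignerCertificate.Subject
    $verdict = if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') { 'REVIEW' } else { 'ok' }

    [PSCustomObject]@{
        Provider = $name
        Path     = $resolved
        Signer   = $subject
        Status   = $sig.Status
        Verdict  = $verdict
    }
}
```

Third-party VPN and file-system clients legitimately register network providers, so a REVIEW verdict means the DLL should be investigated, not that the host is confirmed compromised.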

Agent Racoon, executed through scheduled tasks, supports command execution, file upload, and file download. It disguises itself as Google Update and Microsoft OneDrive Updater binaries, making it harder for defenders to spot.

"While the attackers commonly used Ntospy across the affected organizations, the Mimilite tool and the Agent Racoon malware have only been found in nonprofit and government-related organizations' environments." - Chema Garcia, Palo Alto Networks Unit 42

Notably, the command-and-control (C2) infrastructure associated with the Agent Racoon implant dates back to at least August 2020. The earliest sample of the malware was uploaded in July 2022, based on an examination of VirusTotal submissions.

Unit 42 researchers also uncovered evidence of successful data exfiltration from Microsoft Exchange Server environments, resulting in the theft of emails matching various search criteria. Additionally, the threat actor has been found to harvest victims' Roaming Profiles.

"This tool set is not yet associated with a specific threat actor, and not entirely limited to a single cluster or campaign." - Chema Garcia, Palo Alto Networks Unit 42

The cybersecurity community is actively monitoring the situation, and organizations are urged to enhance their security measures and stay vigilant against this evolving threat landscape.
