December 1, 2023 at 02:15PM
Agent Raccoon is a novel .NET malware used for espionage against organizations in the United States, the Middle East, and Africa; Unit 42 assesses that its operators are most likely nation-state actors. It masquerades as a software updater, uses DNS for covert command-and-control communication, and is deployed alongside credential-theft and data-exfiltration tools, with ongoing development indicating evolving capabilities.
Meeting Takeaways:
1. A novel malware named ‘Agent Raccoon’ is actively being used in targeted cyberattacks against a variety of sectors across organizations in the United States, the Middle East, and Africa.
2. The attackers are believed to be nation-state actors, as suggested by the sectors targeted, the tactics, techniques, and procedures (TTPs) used, and the degree of customization of the tools involved in the attacks.
3. Unit 42 from Palo Alto Networks, which discovered the malware, has not yet confirmed which nation-state or threat group is responsible for the attacks.
4. The aims of the attackers appear to be espionage-based given the nature of the targets, the sophistication of the tools used, and the type of information being extracted.
5. Agent Raccoon is a .NET malware that masquerades as legitimate software such as Google Update or Microsoft OneDrive Updater and uses the DNS protocol as a covert channel to its command and control (C2) infrastructure.
6. Its DNS queries use Punycode-encoded subdomains and embed random values, which hinders signature-based detection and makes the C2 infrastructure harder to track.
7. Agent Raccoon has no built-in persistence mechanism; instead, the attackers typically run it through scheduled tasks.
8. Capabilities of Agent Raccoon include remote command execution, file uploads, file downloads, and providing attackers with remote access to the infected system.
9. There are multiple variations of Agent Raccoon in the wild, suggesting continuous development and customization of the malware by its authors.
10. The attackers also use other custom tools, including ‘Mimilite’, a customized version of the Mimikatz credential-dumping utility, and ‘Ntospy’, a credential stealer that registers itself as a Windows Network Provider module so that it receives and records users’ credentials when they authenticate.
11. The attackers’ toolkit also includes the Exchange PowerShell snap-in, used to steal emails from Microsoft Exchange servers, and 7-Zip, used to compress victims’ Roaming Profile folders into archives before exfiltration.
12. The methods of email exfiltration exhibit a targeted approach with specific search criteria for inboxes, consistent with the attackers’ presumed espionage tactics.
13. This particular cluster of threat activity has significant similarities with another nation-state threat actor, identified by Unit 42 as ‘CL-STA-0043’, although no definitive link has been established.
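The DNS C2 pattern described in takeaways 5 and 6 (Punycode-encoded subdomains combined with random-looking labels) lends itself to a simple log hunt. The following is an added example written for this page, not code from Unit 42 or from the malware; it runs over constructed resolver log lines, decodes any `xn--` labels, scores the remaining labels with Shannon entropy, and flags queries that carry both signals. The log format, the entropy and length thresholds, and the "last two labels are the registrable domain" approximation (no public-suffix list) are assumptions made for the example; real detection would tune them against your own DNS baseline.

```python
"""Flag DNS queries mixing Punycode (xn--) subdomains with random-looking labels.
Added example for this page; thresholds and log format are assumptions."""
import math
import re
from collections import Counter

# Constructed resolver log lines (not from Unit 42's report):
# "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2023-11-30T10:00:01Z 10.1.2.3 A www.google.com
2023-11-30T10:00:02Z 10.1.2.3 TXT xn--80ak6aa92e.example-cdn.net
2023-11-30T10:00:03Z 10.1.2.7 A mail.example.org
2023-11-30T10:00:04Z 10.1.2.3 TXT a9f3kq1z7x2m.xn--d1acufc.example-cdn.net
2023-11-30T10:00:05Z 10.1.2.3 A xn--mnchen-3ya.de
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_punycode(label: str):
    """Decode one xn-- label to Unicode; None if it is not valid Punycode."""
    if not label.lower().startswith("xn--"):
        return None
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return None


def looks_random(label: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Assumed heuristic: a long, high-entropy label mixing letters and digits.
    Punycode labels are skipped because valid Punycode legitimately looks random."""
    if label.lower().startswith("xn--") or len(label) < min_len:
        return False
    has_alpha = any(c.isalpha() for c in label)
    has_digit = any(c.isdigit() for c in label)
    return has_alpha and has_digit and shannon_entropy(label) >= min_entropy


def analyze_qname(qname: str) -> dict:
    labels = qname.rstrip(".").split(".")
    # Approximation: the last two labels are the registrable domain, so a
    # Punycode label only counts as a *subdomain* if it sits left of them
    # (xn--mnchen-3ya.de is an ordinary IDN domain, not a subdomain).
    puny_sub = [l for i, l in enumerate(labels)
                if i < len(labels) - 2 and l.lower().startswith("xn--")]
    random_labels = [l for l in labels if looks_random(l)]
    return {
        "qname": qname,
        "punycode_subdomains": {l: decode_punycode(l) for l in puny_sub},
        "random_labels": random_labels,
        # Both signals together; either alone is common in benign traffic.
        "suspicious": bool(puny_sub) and bool(random_labels),
    }


def find_suspicious(log_text: str) -> list:
    """Parse resolver log lines and return the queries flagged as suspicious."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, qtype, qname = m.groups()
        result = analyze_qname(qname)
        if result["suspicious"]:
            result.update(timestamp=ts, client=client, qtype=qtype)
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_DNS_LOG):
        print(f["timestamp"], f["client"], f["qtype"], f["qname"],
              "punycode:", f["punycode_subdomains"], "random:", f["random_labels"])
```

Only the fourth line is flagged: it has a Punycode subdomain and a 12-character mixed alphanumeric label, matching the combination attributed to Agent Raccoon. The second line (Punycode subdomain, no random label) and the fifth (a plain IDN domain) are left alone, which is the point of requiring both signals; on a real network, also pivot on the querying host and on record types such as TXT that are unusual for ordinary client traffic.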