December 2, 2023 at 03:48AM
Unknown attackers have targeted various sectors in the Middle East, Africa, and the U.S. with the Agent Racoon backdoor, which uses DNS for covert communication. Palo Alto Networks is investigating the attacks, which involve additional tools such as Mimilite and Ntospy and are potentially linked to nation-state actors. No specific threat actor has been identified yet.
Meeting Takeaways:
1. A new backdoor malware called Agent Racoon is targeting organizations across the Middle East, Africa, and the U.S. in various sectors including education, real estate, retail, non-profits, telecom, and government.
2. The malware is written in the .NET framework and uses the DNS protocol to facilitate covert communications and enable backdoor functionalities.
3. The attacks are possibly linked to a nation-state actor, based on victim profiles and sophisticated evasion techniques, although no specific actor has been identified.
4. Palo Alto Networks' Unit 42 is tracking the activity under the identifier CL-STA-0002; both the initial access method and the timeline of the attacks remain unknown.
5. Attackers are using multiple tools, including a customized version of Mimikatz called Mimilite, and Ntospy, a new tool for stealing credentials through a custom DLL module.
6. Agent Racoon and Mimilite have primarily been found in environments related to non-profits and government organizations, while Ntospy is employed across a broader range of affected organizations.
7. There is a connection between this cluster, CL-STA-0002, and another cluster, CL-STA-0043: both used Ntospy and targeted some of the same organizations.
8. Agent Racoon can execute commands, upload and download files, and masquerade as legitimate binaries from Google Update and Microsoft OneDrive Updater.
9. The associated command-and-control infrastructure has been in place since at least August 2020, with the earliest Agent Racoon malware sample discovered in July 2022.
10. Data exfiltration from Microsoft Exchange Server environments has been detected, along with the theft of emails and the harvesting of victims' Roaming Profiles by the threat actor.
11. The toolset associated with the malware has not yet been attributed to a specific threat actor and seems to span multiple clusters or campaigns.
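The summary notes that Agent Racoon relies on DNS as its covert channel (point 2). The following is an added example, not code from Unit 42 or the report, of a simple defender-side heuristic that scans DNS query logs for the pattern such channels leave behind: many distinct, long, high-entropy leftmost labels under one registered domain. The log lines, the `c2-placeholder.test` domain and the thresholds are all constructed assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the report): "client qname qtype".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 0123456789abcdef0123456789abcdef.c2-placeholder.test TXT
10.0.0.5 fedcba9876543210fedcba9876543210.c2-placeholder.test TXT
10.0.0.5 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-placeholder.test TXT
10.0.0.5 89abcdef0123456789abcdef01234567.c2-placeholder.test TXT
10.0.0.5 mail.example.com MX
10.0.0.7 update.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def analyze(log_text: str, min_queries=3, min_label_len=20, min_entropy=3.5) -> dict:
    """Return {registered_domain: stats} for domains whose leftmost labels
    look like encoded data: several distinct, long, high-entropy subdomains."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _client, qname, _qtype = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare registered domain, nothing to carry data in
        per_domain[registered_domain(qname)].append(labels[0])
    flagged = {}
    for domain, labels in per_domain.items():
        uniq = set(labels)
        avg_len = sum(len(l) for l in uniq) / len(uniq)
        avg_ent = sum(shannon_entropy(l) for l in uniq) / len(uniq)
        if len(uniq) >= min_queries and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[domain] = {"unique_subdomains": len(uniq),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Thresholds like these produce false positives on legitimate services that also encode data in labels (CDNs, some anti-spam lookups), so treat a hit as a lead to enrich with process and destination context, not as a verdict.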