Businesses in the Middle East, Africa, and the U.S. have been targeted by an unknown threat actor to distribute a new backdoor called Agent Racoon.
“This malware family is written using the .NET framework and leverages the domain name service (DNS) protocol to create a covert channel and provide different backdoor functionalities,” Palo Alto Networks Unit 42 researcher Chema Garcia said in a Friday analysis.
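A DNS covert channel of the kind described above leaves traits in resolver logs that a defender can score without any knowledge of the specific malware: unusually long and high-entropy labels, a stream of never-repeating subdomains under one registrable domain, and a preference for record types that can carry free-form data back to the client. The following Python is an added example written for this article, not code from Unit 42 or from the report; the log format, the domain names, client addresses and thresholds are all constructed or assumed, and the flagged domain is a made-up `.invalid` name.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, not taken from the Unit 42 report.
# Assumed line format: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2023-11-01T10:00:01Z 10.0.0.5 A www.example.com
2023-11-01T10:00:02Z 10.0.0.5 A update.googleapis.com
2023-11-01T10:00:03Z 10.0.0.7 TXT 7a9f3c1e0b5d8e2f4c6a1b3d5e7f9a0c.tunnel-test.invalid
2023-11-01T10:00:04Z 10.0.0.7 TXT 1d4c7b0a9e8f2c3b6a5d4e3f2c1b0a9e.tunnel-test.invalid
2023-11-01T10:00:05Z 10.0.0.7 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.tunnel-test.invalid
2023-11-01T10:00:06Z 10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel-test.invalid
2023-11-01T10:00:07Z 10.0.0.5 A mail.example.com
"""

# Heuristic thresholds (assumed starting points; tune against your own baseline).
MAX_LABEL_LEN = 20          # data smuggled in a query gets packed into long labels
ENTROPY_BITS = 3.5          # per-character Shannon entropy; hex is ~4, base32/64 higher
UNIQUE_SUBDOMAINS = 3       # each message needs a fresh name to bypass resolver caches
DATA_QTYPES = {"TXT", "NULL", "CNAME", "MX"}  # record types that carry free-form data back


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def registrable_domain(qname: str) -> str:
    # Naive: last two labels. Production code should consult the Public Suffix List.
    return ".".join(qname.split(".")[-2:])


def analyze(log_text: str) -> dict:
    """Group queries by registrable domain and report those showing >= 2 tunnelling traits."""
    stats = defaultdict(lambda: {"subdomains": set(), "clients": set(),
                                 "qtypes": defaultdict(int),
                                 "max_label": 0, "max_entropy": 0.0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        dom = registrable_domain(rec["qname"])
        st = stats[dom]
        prefix = rec["qname"][: -len(dom)].rstrip(".")  # everything left of the domain
        if prefix:
            st["subdomains"].add(prefix)
            for label in prefix.split("."):
                st["max_label"] = max(st["max_label"], len(label))
                st["max_entropy"] = max(st["max_entropy"], shannon_entropy(label))
        st["clients"].add(rec["client"])
        st["qtypes"][rec["qtype"]] += 1

    findings = {}
    for dom, st in stats.items():
        total = sum(st["qtypes"].values())
        data_q = sum(v for k, v in st["qtypes"].items() if k in DATA_QTYPES)
        reasons = []
        if st["max_label"] >= MAX_LABEL_LEN:
            reasons.append(f"label length {st['max_label']} >= {MAX_LABEL_LEN}")
        if st["max_entropy"] >= ENTROPY_BITS:
            reasons.append(f"label entropy {st['max_entropy']:.2f} >= {ENTROPY_BITS}")
        if len(st["subdomains"]) >= UNIQUE_SUBDOMAINS:
            reasons.append(f"{len(st['subdomains'])} unique subdomains")
        if data_q and data_q * 2 >= total:
            reasons.append(f"{data_q}/{total} queries use data-carrying record types")
        if len(reasons) >= 2:  # require two independent traits to limit false positives
            findings[dom] = {"reasons": reasons, "clients": st["clients"]}
    return findings


if __name__ == "__main__":
    for dom, info in analyze(SAMPLE_LOG).items():
        print(dom, sorted(info["clients"]), *info["reasons"], sep="\n  ")
```

Requiring two traits before reporting keeps legitimate CDN and telemetry domains, which often trip one heuristic (many subdomains, or a single long label), out of the alert queue; the registrable-domain split is deliberately naive and should be replaced by a Public Suffix List lookup before running this over real resolver logs.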
Targets of the attacks span various sectors such as education, real estate, retail, non-profits, telecom, and governments. The activity has not been attributed to a known threat actor, although it is assessed to be nation-state aligned owing to the victimology pattern and the detection and defense evasion techniques used.
The cybersecurity firm is tracking the cluster under the moniker CL-STA-0002. It is currently not clear how these organizations were breached, or when the attacks took place.
Some of the other tools deployed by the adversary include a customized version of Mimikatz called Mimilite as well as a new utility called Ntospy, which uses a custom DLL module implementing a network provider to steal credentials and send them to a remote server.
“While the attackers commonly used Ntospy across the affected organizations, the Mimilite tool and the Agent Racoon malware have only been found in nonprofit and government-related organizations’ environments,” Garcia explained.
It is worth pointing out that a previously identified threat activity cluster known as CL-STA-0043 has also been linked to the use of Ntospy, with that adversary also targeting two organizations that were targeted by CL-STA-0002.
Agent Raccoon, executed by means of scheduled tasks, allows for command execution, file uploading, and file downloading, while masquerading as Google Update and Microsoft OneDrive Updater binaries.
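Persistence through a scheduled task that imitates a vendor updater is cheap to hunt for once a host inventory is exported: the task's action path is compared against where the genuine updater is installed, and the signing status of the binary is checked. The Python below is an added example for this article, not code from Unit 42 or from the report; the task inventory is constructed, and the baseline of expected updater locations is an assumption that should be rebuilt from a known-good host. It generalizes slightly beyond the text by covering any updater-themed lure rather than the two named here.

```python
import re
from pathlib import PureWindowsPath

# Constructed scheduled-task inventory (the kind of data `schtasks /query /fo csv /v` or
# Get-ScheduledTask exports). None of these entries come from the Unit 42 report.
TASKS = [
    {"name": r"\GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "signed": True},
    {"name": r"\OneDrive Standalone Update Task-S-1-5-21-1",
     "action": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "signed": True},
    {"name": r"\Google Update",
     "action": r"C:\ProgramData\Google\GoogleUpdate.exe", "signed": False},
    {"name": r"\Microsoft OneDrive Updater",
     "action": r"C:\Users\Public\OneDriveUpdater.exe", "signed": False},
    {"name": r"\Nightly Backup",
     "action": r"C:\Tools\backup.exe", "signed": False},
]

# Assumed baseline: directories the genuine updaters run from (substring match on the
# lower-cased path). Illustrative only; derive your own from a clean reference host.
EXPECTED_LOCATIONS = {
    "googleupdate.exe": [r"\program files (x86)\google\update", r"\program files\google\update"],
    "onedrivestandaloneupdater.exe": [r"\appdata\local\microsoft\onedrive"],
}

# Task or binary names that borrow an updater's identity.
LURE = re.compile(r"google\s*update|onedrive", re.IGNORECASE)


def triage_tasks(tasks):
    """Return tasks whose name or binary imitates a known updater but fail baseline checks."""
    flagged = []
    for t in tasks:
        path = t["action"].lower()
        binary = PureWindowsPath(t["action"]).name.lower()
        if not (LURE.search(t["name"]) or LURE.search(binary)):
            continue  # no updater lure involved; out of scope for this rule
        reasons = []
        expected = EXPECTED_LOCATIONS.get(binary)
        if expected is None:
            reasons.append(f"{binary} is not a known updater executable")
        elif not any(loc in path for loc in expected):
            reasons.append(f"{binary} runs from unexpected location {t['action']}")
        if not t["signed"]:
            reasons.append("binary is unsigned")
        if reasons:
            flagged.append({"name": t["name"], "action": t["action"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_tasks(TASKS):
        print(hit["name"], "->", hit["action"])
        for r in hit["reasons"]:
            print("   ", r)
```

The `signed` field stands in for an Authenticode check performed at export time; in a real pipeline the path check alone is a useful first filter, since the genuine updaters live under fixed vendor or per-user directories while a dropped impostor usually sits somewhere writable such as ProgramData or a Public profile.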
The command-and-control (C2) infrastructure used in connection with the implant dates back to at least August 2020. An examination of VirusTotal submissions of the Agent Racoon artifacts shows that the earliest sample was uploaded in July 2022.
Unit 42 said it also uncovered evidence of successful data exfiltration from Microsoft Exchange Server environments, resulting in the theft of emails matching different search criteria. The threat actor has also been observed harvesting victims’ Roaming Profile.
“This tool set is not yet associated with a specific threat actor, and not entirely limited to a single cluster or campaign,” Garcia said.
Some parts of this article are sourced from: thehackernews.com