Organizations in the Middle East, Africa, and the US have been targeted by an unknown threat actor distributing a new backdoor called Agent Racoon.
"This malware family is written using the .NET framework and uses the domain name service (DNS) protocol to create a covert channel and provide various backdoor tools," Palo Alto Networks Unit 42 researcher Chema Garcia said in an analysis published on Friday.
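The article says only that the backdoor uses DNS as a covert channel, not how it encodes its traffic. The script below is an added illustration (not code from Unit 42, The Hacker News, or the Agent Racoon sample) of the generic triage a defender would run over DNS query logs to surface that class of channel: long, high-entropy subdomain labels, record types that can carry arbitrary data (TXT, NULL), and many unique subdomains under one parent domain. The log format, the domain names, the client addresses and the thresholds are all constructed assumptions for the example.

```python
"""Heuristic DNS covert-channel (tunnelling) triage over DNS query logs.

Added illustration, not code from Unit 42 or from the Agent Racoon sample:
the article states only that the backdoor uses DNS as a covert channel, so
this scores generic tunnelling indicators rather than any encoding specific
to that malware.
"""
import math
import re
from collections import defaultdict

# Constructed sample log ("<timestamp> <client> <qtype> <qname>"); not real telemetry.
SAMPLE_LOG = """\
2023-11-30T10:00:01Z 10.0.0.5 A www.example.com
2023-11-30T10:00:02Z 10.0.0.5 A login.microsoftonline.com
2023-11-30T10:00:03Z 10.0.0.5 A mail.example.com
2023-11-30T10:00:04Z 10.0.0.7 TXT 4f9a1c7e3b0d6e2a8c5f7b1d9e3a6c0f.c2-example.test
2023-11-30T10:00:05Z 10.0.0.7 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2-example.test
2023-11-30T10:00:06Z 10.0.0.9 A cdn.example.com
2023-11-30T10:00:07Z 10.0.0.7 TXT 7c3e9f1a5b2d8e4c6a0f3b9d1e7a5c2f.c2-example.test
2023-11-30T10:00:08Z 10.0.0.5 A www.example.com
2023-11-30T10:00:09Z 10.0.0.7 TXT 1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a.files-example.org
2023-11-30T10:00:10Z 10.0.0.7 TXT 6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d.files-example.org
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
DATA_CARRYING_QTYPES = {"TXT", "NULL"}   # record types that can carry arbitrary payloads
LONG_SUBDOMAIN = 30                      # assumed threshold in characters
HIGH_ENTROPY = 3.5                       # assumed threshold in bits per character


def shannon_entropy(s):
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse '<ts> <client> <qtype> <qname>' lines into tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append((ts, client, qtype.upper(), qname.rstrip(".").lower()))
    return records


def split_name(qname):
    """Split a query name into (subdomain, parent). Assumption: the parent is the
    last two labels; a real deployment should use the public suffix list so that
    names under co.uk and similar are handled correctly."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_indicators(subdomain, qtype):
    """Return the tunnelling indicators that fire for a single query."""
    ind = []
    if len(subdomain) >= LONG_SUBDOMAIN:
        ind.append("long_subdomain")
    if shannon_entropy(subdomain.replace(".", "")) >= HIGH_ENTROPY:
        ind.append("high_entropy")
    if qtype in DATA_CARRYING_QTYPES:
        ind.append("data_qtype")
    return ind


def find_tunnel_candidates(records, min_unique=3):
    """Parent domains that received at least min_unique distinct subdomains, each
    carrying two or more indicators. Returns {parent: {"unique", "chars", "clients"}};
    "chars" is the total subdomain length, a rough upper bound on data moved."""
    per_domain = defaultdict(lambda: {"subs": set(), "chars": 0, "clients": set()})
    for _ts, client, qtype, qname in records:
        sub, parent = split_name(qname)
        if len(query_indicators(sub, qtype)) >= 2:
            bucket = per_domain[parent]
            if sub not in bucket["subs"]:
                bucket["subs"].add(sub)
                bucket["chars"] += len(sub)
            bucket["clients"].add(client)
    return {
        parent: {"unique": len(b["subs"]), "chars": b["chars"], "clients": sorted(b["clients"])}
        for parent, b in per_domain.items()
        if len(b["subs"]) >= min_unique
    }


if __name__ == "__main__":
    for parent, stats in find_tunnel_candidates(parse_log(SAMPLE_LOG)).items():
        print(parent, stats)
```

On the constructed log only c2-example.test is reported: three distinct 32-character hex labels over TXT from one client. The two files-example.org queries carry the same indicators but stay below the unique-subdomain floor, which is the point of aggregating per parent domain rather than alerting on single queries; single long labels also occur legitimately (CDN hostnames, DKIM and anti-spam lookups), so a production version needs an allowlist and the public suffix list.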
The targets of the attacks span sectors such as education, real estate, retail, non-profits, telecom, and government. The activity has not been attributed to a known threat actor, although it was assessed as nation-state aligned based on the victimology pattern and the detection- and defense-evasion techniques used.
The cybersecurity firm is tracking the cluster under the moniker CL-STA-0002. It is currently unclear how these organizations were breached or when the attacks took place.
Other tools deployed by the adversary include a customized version of Mimikatz called Mimilite and a new utility called Ntospy, which uses a custom DLL module implementing a Windows network provider to steal credentials.
"While attackers typically use Ntospy on affected organizations, the Mimilite tool and the Agent Racoon malware have only been found in nonprofit and government-related organizations," Garcia explained.
It is worth pointing out that a previously known cluster of threat activity, tracked as CL-STA-0043, has also been linked to the use of Ntospy, and that the adversary behind it also targeted two of the organizations hit by CL-STA-0002.
Agent Racoon, which is executed via scheduled tasks, supports command execution, file upload, and file download, and disguises itself as Google Update and Microsoft OneDrive Updater binaries.
The command-and-control (C2) infrastructure used in connection with the implant dates back to at least August 2020. An examination of VirusTotal submissions of Agent Racoon artifacts shows that the earliest sample was uploaded in July 2022.
Unit 42 said it also found evidence of successful data exfiltration from Microsoft Exchange Server environments, resulting in the theft of emails matching various search criteria. The threat actor has also been observed harvesting victims' roaming profiles.
"This tool set has not been associated with a specific threat actor, and it is not completely limited to a cluster or campaign," Garcia said.