"This malware family is written using the .NET framework and leverages the Domain Name Service (DNS) protocol to create a covert channel and provide different backdoor capabilities," Palo Alto Networks Unit 42 researcher Chema Garcia said in a Friday analysis. "
The targets of the attacks cover various fields such as education, real estate, retail, non-profit organizations, telecommunications and government. While this activity has not yet been attributed to a known threat actor, it is linked to a nation-state entity based on victim patterns and the detection and defense evasion techniques used.
this homecyber securityThe company named the cluster CL-STA-0002 and is tracking it. It is unclear how the groups were breached and when the attacks occurred.
Other tools used by the attackers include a customized version of Mimikatz, known as Mimilite, and a new utility called Ntospy that leverages a custom DLL module that implements a network provider to steal the credentials of a remote server.
"While attackers commonly use Ntospy within affected organizations, the Mimilite tool and Agent Racoon malware have only been found in the context of non-profit and government-related organizations," Garcia explained.
It is worth noting that the previously confirmed threat activity cluster CL-STA-0043 is also related to the use of Ntospy, and the attackers also targeted two organizations that were attacked by CL-STA-0002.
Agent Racoon is executed via scheduled tasks, allowing command execution, uploading and downloading files, and masquerading as Google Update and Microsoft OneDrive Updater binaries.
The command and control (C2) infrastructure associated with the implant dates back to at least August 2020. An examination of VirusTotal submissions of Agent Racoon samples revealed that the earliest samples were uploaded in July 2022.
Unit 42 said it also found evidence of a data breach that successfully stole emails matching different search criteria from a Microsoft Exchange Server environment. Threat actors have also been spotted stealing victims' roaming profiles.
"This toolset has not been associated with a specific threat actor and is not entirely limited to a single cluster or campaign," Garcia said.
Original article, author: Chief Security Officer, if reprinted, please indicate the source: https://cncso.com/en/agent-racoon-backdoor-targets.html
