[ad_1]
Organizations within the Center East, Africa, and the U.S. have been focused by an unknown risk actor to distribute a brand new backdoor known as Agent Racoon.
“This malware household is written utilizing the .NET framework and leverages the area title service (DNS) protocol to create a covert channel and supply totally different backdoor functionalities,” Palo Alto Networks Unit 42 researcher Chema Garcia mentioned in a Friday evaluation.
Targets of the assaults span numerous sectors corresponding to training, actual property, retail, non-profits, telecom, and governments. The exercise has not been attributed to a identified risk actor, though it is assessed to be a nation-state aligned owing to the victimology sample and the detection and protection evasion strategies used.
The cybersecurity agency is monitoring the cluster below the moniker CL-STA-0002. It is at present not clear how these organizations have been breached, and when the assaults passed off.
Among the different instruments deployed by the adversary embody a personalized model of Mimikatz known as Mimilite in addition to a brand new utility known as Ntospy, which makes use of a customized DLL module implementing a community supplier to steal credentials to a distant server.
“Whereas the attackers generally used Ntospy throughout the affected organizations, the Mimilite instrument and the Agent Racoon malware have solely been present in nonprofit and government-related organizations’ environments,” Garcia defined.
It is value stating a beforehand recognized risk exercise cluster often known as CL-STA-0043 has additionally been linked to using Ntospy, with the adversary additionally focusing on two organizations which have been focused by CL-STA-0002.
Agent Raccoon, executed via scheduled duties, permits for command execution, file importing, and file downloading, whereas disguising itself as Google Replace and Microsoft OneDrive Updater binaries.
The command-and-control (C2) infrastructure utilized in reference to the implant dates again to at the very least August 2020. An examination of VirusTotal submissions of the Agent Racoon artifacts exhibits that the earliest pattern was uploaded in July 2022.
Unit 42 mentioned it additionally uncovered proof of profitable knowledge exfiltration from Microsoft Change Server environments, ensuing within the theft of emails matching totally different search standards. The risk actor has additionally been discovered to reap victims’ Roaming Profile.
“This instrument set shouldn’t be but related to a particular risk actor, and never solely restricted to a single cluster or marketing campaign,” Garcia mentioned.
[ad_2]