Agent Racoon Backdoor Targets Organizations in Middle East, Africa, and U.S.

Cyber Security

Dec 02, 2023Newsroom

Organizations in the Middle East, Africa, and the U.S. have been targeted by an unknown threat actor to distribute a new backdoor called Agent Racoon.

“This malware family is written using the .NET framework and leverages the domain name service (DNS) protocol to create a covert channel and provide different backdoor functionalities,” Palo Alto Networks Unit 42 researcher Chema Garcia said in a Friday analysis.

Targets of the attacks span various sectors such as education, real estate, retail, non-profits, telecom, and governments. The activity has not been attributed to a known threat actor, although it’s assessed to be a nation-state aligned owing to the victimology pattern and the detection and defense evasion techniques used.

The cybersecurity firm is tracking the cluster under the moniker CL-STA-0002. It’s currently not clear how these organizations were breached, and when the attacks took place.

Some of the other tools deployed by the adversary include a customized version of Mimikatz called Mimilite as well as a new utility called Ntospy, which utilizes a custom DLL module implementing a network provider to steal credentials to a remote server.

“While the attackers commonly used Ntospy across the affected organizations, the Mimilite tool and the Agent Racoon malware have only been found in nonprofit and government-related organizations’ environments,” Garcia explained.

It’s worth pointing out a previously identified threat activity cluster known as CL-STA-0043 has also been linked to the use of Ntospy, with the adversary also targeting two organizations that have been targeted by CL-STA-0002.

Agent Raccoon, executed by means of scheduled tasks, allows for command execution, file uploading, and file downloading, while disguising itself as Google Update and Microsoft OneDrive Updater binaries.

The command-and-control (C2) infrastructure used in connection with the implant dates back to at least August 2020. An examination of VirusTotal submissions of the Agent Racoon artifacts shows that the earliest sample was uploaded in July 2022.

Unit 42 said it also uncovered evidence of successful data exfiltration from Microsoft Exchange Server environments, resulting in the theft of emails matching different search criteria. The threat actor has also been found to harvest victims’ Roaming Profile.

“This tool set is not yet associated with a specific threat actor, and not entirely limited to a single cluster or campaign,” Garcia said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Articles You May Like

Microsoft Announces Edge Game Assist, an In-Game Browser That Provides Game Hints, Guides and More
Adobe Develops SlimLM That Can Process Documents Locally on Devices Without Internet Connectivity
Microsoft is finally testing its Recall photographic memory search feature. It’s not perfect
Windows 11, Version 24H2, Update Causing Issues With Some Ubisoft Games, Microsoft Confirms
Chinese DeepSeek-R1 AI Model With Advanced Reasoning Capabilities Released, Can Rival OpenAI o1