Agent Racoon: A Hidden Hunter of Governments and Non-profit Organizations

An unidentified group is attacking key sectors and choosing its tooling carefully.

Unidentified attackers have targeted organizations in the United States, the Middle East, and Africa with a previously unknown malware family named Agent Racoon, according to a new report from Palo Alto Networks Unit 42.

According to Unit 42, Agent Racoon is written on the .NET platform and uses the DNS protocol as a covert command-and-control channel, over which it exposes a range of backdoor functions.
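Backdoors that tunnel commands over DNS, as described above, tend to produce many unique, high-entropy subdomain labels under one parent domain from a single host. The following is an added detection example written for this article (not Unit 42's code, and not derived from Agent Racoon samples); it runs over a constructed DNS query log in a simple "client qname qtype" format, which is an assumption about the log layout.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real Agent Racoon traffic).
# Format assumed here: "<client-ip> <query-name> <query-type>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.google.com A
10.0.0.5 4a7f1c9e2b.updates-cdn.net TXT
10.0.0.5 9d3e0b8a61.updates-cdn.net TXT
10.0.0.5 c2f7e19a04.updates-cdn.net TXT
10.0.0.5 71b6d4e3f9.updates-cdn.net TXT
10.0.0.5 e8a0c5d271.updates-cdn.net TXT
10.0.0.5 onedrive.live.com A
10.0.0.7 mail.example.org A
10.0.0.7 www.example.org A
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Last two labels of the name (assumption: no multi-label public suffixes)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_suspicious_domains(log_text: str, min_unique: int = 5, min_entropy: float = 3.0):
    """Return {(client, domain): (unique_prefix_count, mean_prefix_entropy)} for
    client/domain pairs whose subdomain prefixes look like encoded data."""
    prefixes_by_pair = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        client, qname = parts[0], parts[1].rstrip(".")
        domain = registered_domain(qname)
        prefix = qname[: -len(domain) - 1] if len(qname) > len(domain) else ""
        if prefix:
            prefixes_by_pair[(client, domain)].add(prefix)
    flagged = {}
    for pair, prefixes in prefixes_by_pair.items():
        if len(prefixes) < min_unique:
            continue  # too few distinct subdomains to suggest tunnelling
        mean_ent = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if mean_ent >= min_entropy:
            flagged[pair] = (len(prefixes), round(mean_ent, 2))
    return flagged
```

Thresholds here are illustrative; in production they should be tuned per environment and combined with query volume and record-type (for example TXT-heavy) signals.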

The wave of attacks affected a variety of sectors, including educational institutions, real estate, retail, non-profit organizations, telecommunications, and government agencies. Although the origin of the attacks has not yet been determined, the choice of targets and the detection-evasion techniques used suggest that a state-backed actor is behind them.

Palo Alto Networks tracks the activity as cluster CL-STA-0002. It is still unclear, however, exactly how the attackers gained initial access to the affected organizations and when the intrusions took place.

The attackers also used additional tools: a customized version of Mimikatz called Mimilite, and a new utility named Ntospy, which uses a DLL that registers as a network provider to capture credentials and send them to a remote server. While Ntospy has been observed in many of the attacks, Mimilite and Agent Racoon have been found only in the environments of non-profit and government organizations.

Agent Racoon, launched through scheduled tasks, lets the operators execute commands and upload and download files, while disguising itself as Google and Microsoft OneDrive update components. The command-and-control (C2) infrastructure associated with Agent Racoon has been in place since at least August 2020. Analysis of Agent Racoon samples submitted to VirusTotal shows that the first samples were uploaded in July 2022.

Unit 42 also observed successful data exfiltration from a Microsoft Exchange Server environment, resulting in the theft of email. The attackers additionally harvested data from roaming user profiles. The researchers concluded that this toolset is not yet attributable to a specific actor or group, and that its use is not limited to a single campaign or cluster.