Various entities in the Middle East, Africa, and the United States have fallen victim to an unidentified threat actor orchestrating a campaign involving the dissemination of a recently discovered backdoor named Agent Racoon. According to Chema Garcia, a researcher at Palo Alto Networks Unit 42, the malware is crafted using the .NET framework and exploits the domain name service (DNS) protocol to establish a covert communication channel, facilitating diverse backdoor functionalities.
The targeted organizations hail from a range of sectors, including education, real estate, retail, non-profit, telecommunications, and government. Despite the lack of attribution to a specific threat actor, the campaign is suspected to be state-sponsored due to discernible victimology patterns and the utilization of sophisticated detection and defense evasion techniques. Palo Alto Networks is monitoring this threat cluster under the label CL-STA-0002. The exact method of infiltration and the timeline of the attacks remain unclear at this point.
The adversary employs additional tools alongside Agent Racoon, such as a customized version of Mimikatz named Mimilite and a novel utility known as Ntospy. The latter utilizes a custom DLL module implementing a network provider to pilfer credentials for a remote server. Notably, while Ntospy is employed across the affected organizations, Mimilite and Agent Racoon are specifically found in the environments of non-profit and government-related organizations.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: