Hackers use new Agent Raccoon malware to backdoor US targets


A novel malware called 'Agent Raccoon' (or Agent Racoon) is being used in cyberattacks against organizations in the United States, the Middle East, and Africa.

The attackers are believed to be nation-state threat actors discovered by Palo Alto Networks' Unit 42, which reports seeing victims spanning various sectors, including government, telecommunications, education, real estate, retail, and non-profit organizations.

"We assess with medium confidence that this threat activity cluster aligns to nation-state related threat actors due to the nature of the organizations that were compromised, the TTPs observed and the customization of the tool set," explain the Unit 42 researchers.

"We have not confirmed a specific nation-state or threat group."

The selection of targets, nature of the deployed tools, data exfiltration methods, targeted intelligence, and the covert nature of the attacks suggest that their goal is espionage.

Agent Raccoon backdoor

Agent Raccoon is a .NET malware disguised as a Google Update or Microsoft OneDrive Updater that leverages the DNS (Domain Name System) protocol to establish a covert communication channel with the attackers' C2 (command and control) infrastructure.

The backdoor constructs queries with Punycode-encoded subdomains for evasion, and it also includes random values to make communications harder to track.

DNS query sample (Unit 42)
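The two DNS traits described above, Punycode-encoded subdomains and random values that change from query to query, are both visible in ordinary resolver logs. The following hunting script is an added example written for this article, not a Unit 42 tool: it scores each query for multiple "xn--" labels and tracks how many distinct Punycode-bearing names a single client sends under the same parent domain, which is what a beacon padded with random values looks like over time. The log format ("timestamp client query-name"), the sample lines, the placeholder domains and the two-label parent-domain shortcut are all assumptions; a legitimate IDN host (xn--mnchen-3ya.de, "münchen.de") is included to show it is not flagged.

```python
"""Hunt for DNS-tunnelling indicators like those attributed to Agent Raccoon.

Added example, not code from the Unit 42 report. Two indicators are scored:
  1. a single query carrying two or more Punycode ("xn--") labels, and
  2. one client issuing many distinct Punycode-bearing names under the same
     parent domain, the footprint of a beacon embedding random values.
The log format "<timestamp> <client-ip> <query-name>" is an assumption.
"""
from collections import defaultdict

# Constructed sample log lines; the domains are placeholders, not real IoCs.
SAMPLE_DNS_LOG = """\
2023-11-01T10:00:01Z 10.0.0.5 www.microsoft.com
2023-11-01T10:00:02Z 10.0.0.7 xn--mnchen-3ya.de
2023-11-01T10:00:03Z 10.0.0.5 xn--a1b2c3d4.xn--9f8e7d.updater.example
2023-11-01T10:00:04Z 10.0.0.5 xn--e5f6a7b8.xn--2c3d4e.updater.example
2023-11-01T10:00:05Z 10.0.0.9 mail.example.org
2023-11-01T10:00:06Z 10.0.0.5 xn--c9d0e1f2.xn--5a6b7c.updater.example
2023-11-01T10:00:07Z 10.0.0.7 xn--mnchen-3ya.de
"""


def parse_line(line):
    """Split one log line into (timestamp, client, normalised query name)."""
    ts, client, qname = line.split()
    return ts, client, qname.rstrip(".").lower()


def punycode_labels(qname):
    """Return the labels of a query name that are Punycode-encoded."""
    return [label for label in qname.split(".") if label.startswith("xn--")]


def parent_domain(qname):
    """Last two labels of the name. A production tool would consult the
    public suffix list instead; this shortcut is an assumption."""
    return ".".join(qname.split(".")[-2:])


def analyse_dns_log(log_text, beacon_threshold=3):
    """Return per-query hits and per-(client, parent) beacon hits."""
    query_hits = []
    names_seen = defaultdict(set)  # (client, parent domain) -> distinct names
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        labels = punycode_labels(qname)
        if len(labels) >= 2:
            # Legitimate IDNs rarely stack several encoded labels in one name.
            query_hits.append((ts, client, qname))
        if labels:
            names_seen[(client, parent_domain(qname))].add(qname)
    beacon_hits = [
        (client, parent, len(names))
        for (client, parent), names in names_seen.items()
        if len(names) >= beacon_threshold
    ]
    return {"query_hits": query_hits, "beacon_hits": beacon_hits}


if __name__ == "__main__":
    result = analyse_dns_log(SAMPLE_DNS_LOG)
    for hit in result["query_hits"]:
        print("multi-label Punycode query:", *hit)
    for client, parent, count in result["beacon_hits"]:
        print(f"{client} sent {count} distinct Punycode names under {parent}")
```

The beacon threshold is deliberately low for the seven-line sample; on real resolver logs it should be tuned per environment and combined with a time window, since a busy client can legitimately resolve many IDN hostnames over a day.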

Unit 42 notes that while the malware itself lacks a persistence mechanism, their observations suggest that it is executed by scheduled tasks.

The malware is capable of remote command execution, file uploading and downloading, and providing remote access to the infected system.

The analysts also note that they have captured different samples of Agent Raccoon with slight code variations and optimizations in its settings, indicating that the malware's authors are actively developing and adapting it to specific operational requirements.

Other unique tools

Apart from Agent Raccoon, the attackers also used a customized version of the Mimikatz credential dumping utility, named 'Mimilite,' and a DLL credential stealer mimicking the Windows Network Provider module, named 'Ntospy.'

Ntospy registers as a legitimate Network Provider module named "credman" to hijack the authentication process and capture user credentials, a well-documented attack method.

Registry command to set up credman (Unit 42)

This tool, too, uses filenames that resemble Microsoft Update files and stores intercepted credentials in plaintext form locally on the breached device.
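Because a Network Provider has to be registered in the registry before Windows will load it, the "credman" registration and the update-lookalike DLL path described above are both auditable from a host. The script below is an added example, not a Unit 42 tool: it reads the provider order and each provider's DLL path (the registry locations are the real ones Windows uses), then flags any provider that is absent from an expected baseline, loads a DLL from outside System32, or carries an update-style filename. The baseline set, the filename pattern and the constructed snapshot (including the placeholder path for credman) are assumptions; the audit logic is kept separate from the registry read so it can run against a snapshot on any OS.

```python
"""Audit Windows Network Provider registrations for a rogue provider such as
Ntospy's "credman". Added example, not a Unit 42 tool.

Registry locations (real ones used by Windows):
  HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order -> ProviderOrder
  HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\NetworkProvider -> ProviderPath
"""
import re
import sys

# Providers present on a default Windows install (assumption for the example).
BASELINE_PROVIDERS = {"rdpnp", "lanmanworkstation", "webclient"}

# Filenames that imitate Microsoft update components (pattern is an assumption).
UPDATE_LOOKALIKE = re.compile(r"(update|patch|kb\d+)", re.IGNORECASE)

# Constructed snapshot of the two registry locations; the credman entry and
# its path are placeholders, not indicators from the report.
SNAPSHOT_ORDER = "RDPNP,LanmanWorkstation,webclient,credman"
SNAPSHOT_PATHS = {
    "RDPNP": r"%SystemRoot%\System32\drprov.dll",
    "LanmanWorkstation": r"%SystemRoot%\System32\ntlanman.dll",
    "webclient": r"%SystemRoot%\System32\davclnt.dll",
    "credman": r"C:\ProgramData\Microsoft\msupdate.dll",  # constructed
}


def audit_providers(provider_order, provider_paths):
    """Return [(provider name, [reasons])] for every suspicious provider.

    provider_order: the ProviderOrder string, comma separated.
    provider_paths: mapping of provider name -> ProviderPath ("" if missing).
    """
    findings = []
    for name in [p.strip() for p in provider_order.split(",") if p.strip()]:
        reasons = []
        if name.lower() not in BASELINE_PROVIDERS:
            reasons.append("not in baseline")
        path = provider_paths.get(name, "")
        if not path:
            reasons.append("no ProviderPath")
        else:
            lowered = path.lower()
            if "\\system32\\" not in lowered:
                reasons.append("DLL outside System32")
            filename = lowered.rsplit("\\", 1)[-1]
            if UPDATE_LOOKALIKE.search(filename):
                reasons.append("update-style filename")
        if reasons:
            findings.append((name, reasons))
    return findings


def read_providers_from_registry():
    """Collect ProviderOrder and each ProviderPath from the live registry.
    Only works on Windows; elsewhere audit a snapshot instead."""
    import winreg  # standard library, Windows only

    order_key = r"SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, order_key) as key:
        order, _ = winreg.QueryValueEx(key, "ProviderOrder")
    paths = {}
    for name in order.split(","):
        svc_key = rf"SYSTEM\CurrentControlSet\Services\{name}\NetworkProvider"
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, svc_key) as key:
                paths[name], _ = winreg.QueryValueEx(key, "ProviderPath")
        except OSError:
            paths[name] = ""
    return order, paths


if __name__ == "__main__":
    if sys.platform == "win32":
        order, paths = read_providers_from_registry()
    else:
        order, paths = SNAPSHOT_ORDER, SNAPSHOT_PATHS
    for name, reasons in audit_providers(order, paths):
        print(f"suspicious network provider {name!r}: {', '.join(reasons)}")
```

A provider that is in the baseline but whose DLL has been replaced would pass this check, so in practice the path finding should be paired with file hash or signature verification of each ProviderPath.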

Finally, the attackers use PowerShell snap-ins to steal emails from Microsoft Exchange servers or steal victims' Roaming Profile folders, compressing the directory with 7-Zip for efficiency and stealth.

The observed email exfiltration activity involved distinct search criteria for each inbox, indicating a targeted data harvesting approach that matches the expected espionage operational profile.

The described activity cluster has notable overlaps with another threat actor that Unit 42 tracks as 'CL-STA-0043,' which is characterized as a nation-state threat actor with medium confi