Agent Racoon Backdoor Deployed by Unknown Threat Actor
Unidentified threat actors have targeted organizations in the Middle East, Africa, and the United States to deploy a recently discovered backdoor known as Agent Racoon. According to Chema Garcia, a researcher at Palo Alto Networks Unit 42, the malware is written in the .NET framework and uses the Domain Name System (DNS) protocol to establish a covert communication channel and provide a range of backdoor capabilities.
Agent Racoon Targets Various Industries
The victims of these attacks belong to various sectors, including education, real estate, retail, non-profit entities, telecommunications, and governmental bodies. Although the responsible threat actor remains unidentified, the nature of the victims and the sophisticated detection and defense evasion techniques employed suggest a potential alignment with a nation-state.
The cybersecurity firm is monitoring this threat cluster identified as CL-STA-0002. The details surrounding the method of compromise and the timeline of the attacks remain unclear at present.
The adversary has deployed additional tools, such as a customized version of Mimikatz named Mimilite and a new utility called Ntospy. Ntospy utilizes a custom DLL module implementing a network provider to pilfer credentials and transmit them to a remote server.
While Ntospy is commonly employed across the affected organizations, the Mimilite tool and the Agent Racoon malware have specifically surfaced in environments associated with non-profit and governmental organizations, as explained by Garcia.
Agent Racoon, executed through scheduled tasks, supports command execution and file upload and download while masquerading as binaries for Google Update and Microsoft OneDrive Updater.
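The scheduled-task execution and vendor masquerading described above give defenders a concrete hunting hook. The following is an added triage script, not code from the Unit 42 report or from the malware, that lists scheduled tasks whose action claims to be a Google Update or OneDrive updater binary and flags any whose executable is missing or not Authenticode-signed by the expected vendor. It assumes it runs elevated on the host under review, and the vendor-to-signer mapping and the substring match on the task command are assumptions chosen for this example.

```powershell
# Added defender-side example (not from the Unit 42 report): audit scheduled tasks whose
# action name claims to be a Google Update or Microsoft OneDrive updater and flag those
# whose executable is absent or not signed by the vendor it impersonates.
# Assumption: run elevated; signer subjects are matched by substring (e.g. "Google", "Microsoft").

$expectedSigners = @{
    'GoogleUpdate' = 'Google'
    'OneDrive'     = 'Microsoft'
}

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Expand %ProgramFiles%-style variables and strip surrounding quotes from the task command.
    $path = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Bare names resolve through PATH; names that do not resolve stay as-is and are reported as missing.
        $cmd = Get-Command $path -ErrorAction SilentlyContinue
        if ($cmd) { $path = $cmd.Source }
    }
    return $path
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip COM-handler actions, which have no Execute path
        foreach ($name in $expectedSigners.Keys) {
            if ($action.Execute -notmatch $name) { continue }
            $exe = Resolve-TaskExecutable $action.Execute
            $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
            # A legitimate updater has a valid signature whose subject names the expected vendor.
            $ok = ($null -ne $sig) -and ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match $expectedSigners[$name])
            if (-not $ok) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $exe
                    Arguments = $action.Arguments
                    SigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
                    Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
        }
    }
}

# Anything listed here claims to be a vendor updater but cannot prove it; review the task and binary.
$findings | Format-Table -AutoSize
```

Any row with SigStatus of FileMissing, NotSigned, or a signer that is not the expected vendor warrants pulling the binary and the task XML for further analysis.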
The command-and-control (C2) infrastructure linked to this implant has been in operation since at least August 2020. Examination of submissions to VirusTotal indicates that the earliest sample of the Agent Racoon malware was uploaded in July 2022.