Cybersecurity researchers at Palo Alto Networks Unit 42 have identified a new backdoor named Agent Racoon targeting organizations in the Middle East, Africa, and the U.S. The malware, written in .NET framework, uses DNS protocol to establish a covert channel for various backdoor functions. The attacks, attributed to an unknown nation-state-aligned threat actor, impact diverse sectors, employing tools like Mimikatz and a new utility named Ntospy for credential theft.
The threat cluster, tracked as CL-STA-0002, exhibits sophisticated techniques, deploying Agent Racoon through scheduled tasks. The malware disguises itself as Google Update and Microsoft OneDrive Updater binaries, enabling command execution, file uploading, and downloading. The command-and-control infrastructure associated with Agent Racoon dates back to at least August 2020. Notably, Unit 42 found evidence of successful data exfiltration from Microsoft Exchange Server environments, emphasizing the tool set’s versatility across different organizations and campaigns.
The threat actor behind Agent Racoon also deploys Mimilite and Ntospy tools, with Ntospy being a custom DLL module used to steal credentials remotely. The attacks, ongoing since at least July 2022, target nonprofits and government-related organizations, showcasing a nuanced approach by the threat actor. The tool set, not yet linked to a specific threat actor or limited to a single cluster, raises concerns about the potential for widespread and sophisticated cyber threats in various sectors.