Agent Raccoon operation, the latest cyber espionage campaign

March 14, 2024

An unidentified nation-state threat group is using the novel Agent Raccoon backdoor in a series of intrusions against organisations across the United States, the Middle East and Africa. The victims span government, telecommunications, education, real estate, retail and non-profit organisations.

The profile of the compromised organisations, the observed tactics, techniques and procedures (TTPs) and the customised toolset all point to a covert, state-aligned operation whose primary objective is espionage.

The newly discovered Agent Raccoon malware poses as a software update to start its malicious activity.

The Agent Raccoon operators disguise the malware as a seemingly harmless Google Update or Microsoft OneDrive Updater binary and use DNS queries, rather than an HTTP channel, to establish covert command-and-control (C2) communication with their infrastructure.

The data the malware sends is carried in Punycode-encoded subdomains, and random values are mixed into the queries so that successive lookups differ, which hampers signature-based detection of the channel. The implant has no persistence mechanism of its own; instead, the operators were observed running it through scheduled tasks, which keeps it on the host without the binary having to register itself anywhere that defenders routinely inspect.
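Hunting for this kind of channel in DNS telemetry comes down to two signals the paragraph above describes: Punycode (`xn--`) labels that carry a long, random-looking payload, and a single host sending many distinct such subdomains to one registered domain. The following is an added example, not code from the original article or from the researchers: it runs a simple detector over a constructed set of query log records. The `*.example` names, the client addresses and the thresholds are placeholders and assumptions, not indicators from the campaign.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of (client_ip, queried_name) pairs, in the shape you would
# get from Sysmon Event ID 22 or a DNS server query log. Not real traffic; the
# *.example names are placeholders, not the campaign's infrastructure.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.microsoft.com"),
    ("10.0.0.5", "xn--80ak6aa92e.com"),          # one short IDN label: benign shape
    ("10.0.0.5", "xn--80ak6aa92e.com"),
    ("10.0.0.7", "xn--7vq2kb8qf5a3b1c.xn--9e6pqd4r.sync-check.example"),
    ("10.0.0.7", "xn--1mz3ka9fq4b7c2d.xn--2w8ryb1q.sync-check.example"),
    ("10.0.0.7", "xn--c4a8pq3k7fb1e2z.xn--5h2mxa0s.sync-check.example"),
    ("10.0.0.7", "xn--k9r2fb3ac6qz5d1.xn--8q0yda1t.sync-check.example"),
    ("10.0.0.9", "login.live.com"),
]

PUNYCODE_LABEL = re.compile(r"^xn--([a-z0-9-]+)$")


def shannon_entropy(s):
    """Bits per character; random-looking payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(name):
    """Last two labels. Assumption: no public-suffix list is consulted, so
    'co.uk'-style suffixes would group wrongly; adequate for this demo."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def punycode_payloads(name):
    """The ACE payloads (text after 'xn--') of every Punycode label in a name."""
    out = []
    for label in name.lower().rstrip(".").split("."):
        m = PUNYCODE_LABEL.match(label)
        if m:
            out.append(m.group(1))
    return out


def is_suspect(name, min_len=12, min_entropy=3.0):
    """Two or more Punycode labels in one name, or one long high-entropy label,
    is the shape a data-carrying subdomain takes. Thresholds are assumptions."""
    payloads = punycode_payloads(name)
    if len(payloads) >= 2:
        return True
    return any(len(p) >= min_len and shannon_entropy(p) >= min_entropy
               for p in payloads)


def find_dns_tunnel_candidates(queries, min_distinct=3):
    """Group suspect queries by (client, registered domain) and report domains
    that receive many *distinct* suspect names from one host. The random values
    the malware adds make every query differ, so the churn itself is the signal.
    Returns sorted (client, domain, distinct_name_count) tuples."""
    seen = defaultdict(set)
    for client, name in queries:
        if is_suspect(name):
            seen[(client, registered_domain(name))].add(name.lower())
    return sorted((c, d, len(names)) for (c, d), names in seen.items()
                  if len(names) >= min_distinct)


if __name__ == "__main__":
    for client, domain, count in find_dns_tunnel_candidates(SAMPLE_QUERIES):
        print(f"{client} -> {domain}: {count} distinct Punycode subdomains")
```

The per-name test alone is noisy (legitimate internationalised domains use `xn--` labels too, as the short `.com` entry shows), which is why the verdict is made on the count of distinct suspect names per client and domain rather than on any single query. On a real network, feed it the query log of a day and review the flagged domains against a passive DNS source before acting.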

The malware's confirmed capabilities include remote command execution and file upload and download, which together give the operators remote access to the compromised hosts. The researchers also found Agent Raccoon samples with small code variations and optimisations, apparently tailored to particular operational needs.

Furthermore, the threat actors behind Agent Raccoon also deploy a customised version of the Mimikatz credential-dumping tool, called Mimilite, and a DLL credential stealer dubbed Ntospy.

Ntospy registers itself as a Network Provider module, a well-documented technique (MITRE ATT&CK T1556.008) in which Windows hands the registered DLL users' credentials in the clear each time they authenticate. The actors also use PowerShell snap-ins to steal email from Microsoft Exchange servers and to quietly collect victims' Roaming Profile folders.
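A Network Provider DLL only runs if it is registered under `HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order` (the `ProviderOrder` value) with a matching `NetworkProvider\ProviderPath` under the named service, so those two registry locations are where to look for an Ntospy-style implant. The block below is an added audit example, not the researchers' code: it compares the provider list against the stock Windows providers and flags anything unknown or any stock name whose DLL path has changed. The `DemoProvider` entry and its path are constructed placeholders; the article gives no registration name or path for Ntospy, and none is assumed here. The live-registry reader is guarded so the module runs on any platform.

```python
import sys

ORDER_KEY = r"SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"

# Stock providers on a default Windows 10/11 client and the DLLs they point to
# (assumption: a default install; server roles may add legitimate entries).
KNOWN_PROVIDERS = {
    "rdpnp": r"%systemroot%\system32\drprov.dll",
    "lanmanworkstation": r"%systemroot%\system32\ntlanman.dll",
    "webclient": r"%systemroot%\system32\davclnt.dll",
}

# Constructed sample of what the registry might hold on an infected host.
# "DemoProvider" and its path are placeholders, not Ntospy's real values.
SAMPLE_ORDER = "RDPNP,LanmanWorkstation,webclient,DemoProvider"
SAMPLE_PATHS = {
    "RDPNP": r"%SystemRoot%\System32\drprov.dll",
    "LanmanWorkstation": r"%SystemRoot%\System32\ntlanman.dll",
    "webclient": r"%SystemRoot%\System32\davclnt.dll",
    "DemoProvider": r"C:\ProgramData\Demo\demoprov.dll",
}


def parse_provider_order(value):
    """ProviderOrder is a comma-separated REG_SZ of service names."""
    return [p.strip() for p in value.split(",") if p.strip()]


def _norm(path):
    return path.lower().replace("/", "\\")


def audit_providers(order_value, provider_paths):
    """Return (name, path, reason) for every provider that needs review:
    a name outside the stock set, a stock name with no ProviderPath, or a
    stock name whose DLL path no longer matches the shipped binary."""
    findings = []
    for name in parse_provider_order(order_value):
        path = provider_paths.get(name)
        expected = KNOWN_PROVIDERS.get(name.lower())
        if expected is None:
            findings.append((name, path, "not a stock provider"))
        elif path is None:
            findings.append((name, path, "ProviderPath missing"))
        elif _norm(path) != expected:
            findings.append((name, path, "path differs from stock " + expected))
    return findings


def read_live_registry():
    """Collect the same two pieces of data from a live Windows host.
    Returns (None, {}) elsewhere so the module stays importable."""
    if sys.platform != "win32":
        return None, {}
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ORDER_KEY) as k:
        order = winreg.QueryValueEx(k, "ProviderOrder")[0]
    paths = {}
    for name in parse_provider_order(order):
        try:
            sub = SERVICES_KEY + "\\" + name + r"\NetworkProvider"
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as k:
                paths[name] = winreg.QueryValueEx(k, "ProviderPath")[0]
        except OSError:
            paths[name] = None
    return order, paths


if __name__ == "__main__":
    order, paths = read_live_registry()
    if order is None:                      # not on Windows: use the sample
        order, paths = SAMPLE_ORDER, SAMPLE_PATHS
    for name, path, reason in audit_providers(order, paths):
        print(f"REVIEW {name}: {path} ({reason})")
```

Treat a hit as a lead, not a verdict: some VPN and storage products legitimately add providers, so check the flagged DLL's signature and location before removing it. A stock name whose path has been redirected is the more alarming case, since it means the attacker hijacked an existing registration rather than adding one.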

The campaign also extends to data harvesting: the researchers found an email exfiltration routine that applied distinct search criteria to each inbox. The attackers' tooling and methods overlap with the operational profile of another tracked threat actor, CL-STA-0043, which leads the researchers to suspect a link between the two groups.

Organisations in the regions named above should watch for this threat: the spread of recent victims shows the actors have not been selective about their targets.
