New Backdoor Malware “Agent Racoon” Targets Organizations Across Middle East, Africa, and U.S.

An unidentified threat actor is distributing a new backdoor called “Agent Racoon” to target organizations in the Middle East, Africa, and the U.S., according to Palo Alto Networks Unit 42 researcher Chema Garcia.

Agent Racoon, written in the .NET framework, uses the Domain Name System (DNS) protocol to establish a covert channel and carry out its backdoor functions. The affected sectors include education, real estate, retail, non-profits, telecom, and government. Although the attacker remains unknown, the attack’s sophistication and evasion tactics suggest alignment with a nation-state.
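To illustrate how a defender can spot the kind of DNS covert channel described above, the following is an added example (not code from Unit 42 or from the Agent Racoon report) of a heuristic detector run over a constructed DNS query log. The log format, domain names, client addresses and thresholds are all assumptions, and the heuristics are generic to DNS tunnelling rather than specific to Agent Racoon, whose encoding the article does not describe.

```python
"""Heuristic detection of DNS covert channels over a constructed query log.

Added example; not code from Unit 42 or the Agent Racoon report. The log
format, domain names, client addresses and thresholds are all assumptions.
"""
import math
from collections import defaultdict

LONG_LABEL = 20         # leftmost label this long or longer is treated as data-carrying
ENTROPY_BITS = 3.8      # bits/char above which a label of >= 16 chars looks encoded
MIN_UNIQUE = 5          # distinct names under one domain before the domain can be flagged
SUSPICIOUS_RATIO = 0.5  # share of a domain's queries that must look data-carrying

# Constructed sample log; assumed format: "<timestamp> <client> <qtype> <qname>".
# c2-placeholder.test stands in for a tunnelling domain (.test is reserved).
# static-cdn.test shows that one long name alone is not enough to flag a domain.
SAMPLE_LOG = """\
2023-11-01T10:00:01Z 10.0.0.5 A www.example.com
2023-11-01T10:00:02Z 10.0.0.5 A mail.example.com
2023-11-01T10:00:03Z 10.0.0.5 A cdn.example.com
2023-11-01T10:00:04Z 10.0.0.5 A www.example.com
2023-11-01T10:00:05Z 10.0.0.6 A a1b2c3d4e5f6g7h8i9j0k1l2m3.static-cdn.test
2023-11-01T10:00:06Z 10.0.0.7 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.c2-placeholder.test
2023-11-01T10:00:07Z 10.0.0.7 TXT nrxxizlbozsxe5dtn5zwc3jpnmqgc4dwnfxgo3dpor.c2-placeholder.test
2023-11-01T10:00:08Z 10.0.0.7 TXT gezdgnbvgy3tqojqgeztcmjxgu4dqnjrguzdcmrxha.c2-placeholder.test
2023-11-01T10:00:09Z 10.0.0.7 TXT kzqwy3dvmuqgs4zamfxgg2lemfwcaylomqqhg33n.c2-placeholder.test
2023-11-01T10:00:10Z 10.0.0.7 TXT onswg4tfor2gc3dvmvzwe4tzmvwgc2lmonyxaylk.c2-placeholder.test
2023-11-01T10:00:11Z 10.0.0.7 TXT ojsw4zdfojuxkzlfpbugeylumqqg633so4uhay3a.c2-placeholder.test
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for empty or uniform input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, qtype, qname) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _timestamp, client, qtype, qname = parts
    return client, qtype.upper(), qname.rstrip(".").lower()


def registered_domain(qname: str) -> str:
    """Naive registrable domain: the last two labels. A real deployment should
    consult the public suffix list instead (assumption made for brevity)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def label_reasons(label: str) -> list:
    """Reasons the leftmost label looks like it carries encoded data, if any."""
    reasons = []
    if len(label) >= LONG_LABEL:
        reasons.append("long")
    if len(label) >= 16 and shannon_entropy(label) >= ENTROPY_BITS:
        reasons.append("high-entropy")
    return reasons


def analyze(log_text: str) -> dict:
    """Per registered domain: query count, distinct names, data-carrying query
    count, and the clients and query types observed."""
    def empty():
        return {"queries": 0, "subdomains": set(), "suspicious": 0,
                "clients": set(), "qtypes": set()}
    stats = defaultdict(empty)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qtype, qname = parsed
        entry = stats[registered_domain(qname)]
        entry["queries"] += 1
        entry["subdomains"].add(qname)
        entry["clients"].add(client)
        entry["qtypes"].add(qtype)
        if label_reasons(qname.split(".")[0]):
            entry["suspicious"] += 1
    return stats


def flagged_domains(log_text: str) -> list:
    """Domains whose pattern matches a DNS covert channel: many distinct names,
    most of them with long or high-entropy leftmost labels."""
    flagged = []
    for domain, entry in analyze(log_text).items():
        ratio = entry["suspicious"] / entry["queries"]
        if len(entry["subdomains"]) >= MIN_UNIQUE and ratio >= SUSPICIOUS_RATIO:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    stats = analyze(SAMPLE_LOG)
    for domain in flagged_domains(SAMPLE_LOG):
        entry = stats[domain]
        print(f"{domain}: {entry['queries']} queries, {len(entry['subdomains'])} distinct names, "
              f"types {sorted(entry['qtypes'])}, clients {sorted(entry['clients'])}")
```

The two-part rule (many distinct names and a high share of data-like labels) keeps single long CDN hostnames from tripping the detector; in production the thresholds should be tuned against a baseline of the organisation's own resolver logs, and the flagged clients handed to the host-level investigation.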

Unit 42 tracks the activity cluster as CL-STA-0002; its attack timeline and initial intrusion method have not yet been identified. The threat actor employs additional tools, including a customized Mimikatz variant named Mimilite and a newly discovered utility, Ntospy, which uses a custom DLL module to steal credentials for remote servers.

While Ntospy is commonly deployed across affected organizations, Mimilite and Agent Racoon were specifically found in nonprofit and government-related environments.

Agent Racoon is executed through scheduled tasks and masquerades as Google Update or Microsoft OneDrive Updater binaries; it supports command execution, file upload, and file download.
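As an added example (not Unit 42's code), the following check looks for the scheduled-task masquerade just described: tasks whose name or executable imitates Google Update or OneDrive Updater but whose action runs from outside the vendors' usual install directories. The task XML documents, file paths and the allow-list of install prefixes are constructed assumptions and should be replaced by an organisation's own baseline.

```python
"""Flag scheduled tasks that imitate updater names but run from odd locations.

Added example; not code from Unit 42. The task XML, paths and allow-list of
install prefixes are constructed assumptions.
"""
import posixpath
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Updater names the article reports as imitated; compared case-insensitively.
LOOKALIKE_KEYWORDS = ("googleupdate", "google update", "onedrive")

# Assumed legitimate install prefixes, lower-cased with "/" separators.
ALLOWED_PREFIXES = (
    "c:/program files (x86)/google/update/",
    "c:/program files/google/update/",
    "c:/program files/microsoft onedrive/",
    "c:/program files (x86)/microsoft onedrive/",
)

# Constructed task definitions keyed by task path, in the Task Scheduler XML
# schema that "schtasks /query /xml" and Export-ScheduledTask emit.
SAMPLE_TASKS = {
    "\\GoogleUpdateTaskMachineUA": """<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Google LLC</Author></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe</Command>
    <Arguments>/ua /installsource scheduler</Arguments>
  </Exec></Actions>
</Task>""",
    "\\GoogleUpdate": """<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Google</Author></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\Public\\Libraries\\GoogleUpdate.exe</Command>
  </Exec></Actions>
</Task>""",
    "\\OneDrive Updater": """<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft</Author></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>"C:\\ProgramData\\OneDrive\\OneDriveUpdater.exe"</Command>
  </Exec></Actions>
</Task>""",
    "\\Nightly Backup": """<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>IT</Author></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\\Tools\\backup.exe</Command>
  </Exec></Actions>
</Task>""",
}


def normalise(path: str) -> str:
    """Strip quotes, lower-case and use '/' separators so prefixes compare reliably."""
    return path.strip().strip('"').replace("\\", "/").lower()


def exec_command(task_xml: str) -> str:
    """Return the <Command> of the task's Exec action, or '' if there is none."""
    root = ET.fromstring(task_xml)
    node = root.find("t:Actions/t:Exec/t:Command", TASK_NS)
    return node.text if node is not None and node.text else ""


def is_lookalike(text: str) -> bool:
    low = text.lower()
    return any(keyword in low for keyword in LOOKALIKE_KEYWORDS)


def check_task(task_path: str, task_xml: str):
    """A finding dict when the task imitates an updater but runs from an
    unexpected location; None otherwise."""
    command = normalise(exec_command(task_xml))
    if not command:
        return None
    executable = posixpath.basename(command)
    if not (is_lookalike(task_path) or is_lookalike(executable)):
        return None
    if command.startswith(ALLOWED_PREFIXES):
        return None
    return {"task": task_path, "command": command,
            "reason": "updater lookalike outside allowed install path"}


def audit(tasks: dict) -> list:
    """Run check_task over every exported task and collect the findings."""
    findings = []
    for task_path, task_xml in tasks.items():
        finding = check_task(task_path, task_xml)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TASKS):
        print(f"{finding['task']}: {finding['command']} ({finding['reason']})")
```

Path allow-listing is only a first filter: a follow-up step would verify the Authenticode signature of the flagged executable and compare the task's registration time against the vendor's genuine installer activity.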

The implant’s command-and-control (C2) infrastructure has been active since at least August 2020, with the earliest Agent Racoon sample uploaded to VirusTotal in July 2022.

Unit 42’s investigation found successful data exfiltration from Microsoft Exchange Server environments, including theft of emails matching specific search criteria. The threat actor also harvested victims’ Roaming Profiles.

Garcia noted that while this toolset lacks specific attribution to a threat actor and isn’t confined to a single cluster or campaign, it remains a potent and evolving threat.
