Cyberattacks targeting organizations in the US, the Middle East, and Africa have been reported. These attacks use a custom malware family called “Agent Raccoon.” According to Palo Alto Networks Unit 42, the victims come from various industries, including retail, real estate, education, government, and nonprofits. Unit 42 assesses that threat actors connected to a nation-state are responsible for these attacks.
The malware, dubbed Agent Raccoon, masquerades as Microsoft OneDrive or Google Update. Its main purpose is to use the Domain Name System (DNS) protocol to create a covert communication channel between itself and the attackers’ command and control (C2) infrastructure. The backdoor uses Punycode to encrypt subdomains and generates random query values to evade detection and make the channel harder to trace. Unit 42’s research suggests that the malware runs through scheduled tasks even though it lacks a dedicated persistence mechanism. It can download and upload files, execute commands remotely, and provide remote access to the compromised machine. Furthermore, researchers have found additional Agent Raccoon samples with minor code and configuration changes, which implies that the malware’s creators are still actively enhancing and adapting it to their operational needs.
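A DNS covert channel of the kind described above leaves a recognizable footprint in resolver logs: one client issuing many distinct Punycode-encoded (`xn--`) subdomain queries under the same parent domain. The following detector, added here as an illustration and not taken from Unit 42's report or from the malware itself, parses constructed DNS query log lines and flags client/parent-domain pairs that exceed a threshold of unique Punycode subdomains. The log format, the `example-c2.test` domain, the client addresses and the subdomain labels are all constructed sample values; the single legitimate IDN query (`xn--mnchen-3ya.de`, the standard Punycode form of "münchen") is included to show that ordinary internationalized domains do not trip the rule.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic or indicators).
# Assumed format: "<timestamp> <client_ip> <query_name> <query_type>"
SAMPLE_LOG = """\
2023-11-01T10:00:01 10.0.0.5 xn--a1b2c3d4.example-c2.test A
2023-11-01T10:00:02 10.0.0.5 xn--e5f6g7h8.example-c2.test TXT
2023-11-01T10:00:03 10.0.0.5 xn--i9j0k1l2.example-c2.test A
2023-11-01T10:00:04 10.0.0.7 www.microsoft.com A
2023-11-01T10:00:05 10.0.0.5 xn--m3n4o5p6.example-c2.test TXT
2023-11-01T10:00:06 10.0.0.9 xn--mnchen-3ya.de A
2023-11-01T10:00:07 10.0.0.5 xn--a1b2c3d4.example-c2.test A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parent_domain(qname, levels=2):
    """Return the last `levels` labels of a query name (e.g. 'example-c2.test').
    A production detector would use a public-suffix list instead of a fixed depth."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


def punycode_labels(qname):
    """Return the labels of a query name that carry Punycode encoding (the 'xn--' prefix)."""
    return [label for label in qname.lower().split(".") if label.startswith("xn--")]


def find_suspect_domains(log_text, min_unique=3):
    """Group Punycode queries by (client, parent domain) and return the groups
    with at least `min_unique` distinct query names.

    Tunnelling encodes data in the subdomain, so each message produces a new,
    never-repeated name; a legitimate IDN site is queried by one stable name."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not punycode_labels(rec["qname"]):
            continue
        key = (rec["client"], parent_domain(rec["qname"]))
        seen[key].add(rec["qname"].lower())
    return {key: sorted(names) for key, names in seen.items() if len(names) >= min_unique}


if __name__ == "__main__":
    for (client, parent), names in find_suspect_domains(SAMPLE_LOG).items():
        print(f"{client} -> {parent}: {len(names)} unique Punycode subdomains")
        for name in names:
            print("   ", name)
```

The threshold and the fixed two-label parent domain are deliberately simple; in practice the count would be taken per time window and the parent domain derived from a public-suffix list, and the rule is most useful when combined with the query-type mix (TXT-heavy traffic) and the volume of NXDOMAIN responses under the same parent.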
Alongside Agent Raccoon, the attackers used other tools such as “Ntospy,” a credential-stealing DLL that mimics a Windows Network Provider module, and “Mimilite,” a modified version of the Mimikatz credential dumping program. By posing as a legitimate Network Provider module named “credman,” Ntospy uses a well-known technique to hook into the authentication process and capture user credentials. It stores the stolen credentials locally in plain text on the targeted device, under file names that resemble Microsoft Update files.
To reduce overhead and keep a low profile, the attackers compressed the collected data directory using 7-Zip. They also used PowerShell snap-ins to retrieve emails from Microsoft Exchange servers and to collect the victims’ Roaming Profile files.