The "New Tool Set Found Used Against Middle East, Africa and the US" refers to a series of cyber attacks uncovered by Unit 42 researchers from Palo Alto Networks. These attacks targeted organizations in the Middle East, Africa, and the United States, using a specific set of tools designed for cyber espionage. The main components of this toolset are:
- Agent Raccoon: This is a backdoor malware written using the .NET framework, which leverages the Domain Name Service (DNS) protocol to create a covert channel for various backdoor functionalities. It has been used in conjunction with other tools in attacks on organizations across the U.S., Middle East, and Africa. Its command and control (C2) infrastructure has been active since at least 2020.
- Ntospy: This malware acts as a Network Provider DLL module, specifically designed to steal user credentials. It hijacks the authentication process to access user credentials each time a victim attempts to authenticate to the system.
- Mimilite: A customized version of the well-known Mimikatz tool, used for gathering credentials and sensitive information. It operates by taking a command-line argument as a decryption key to unlock the actual payload using a stream cipher.
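The DNS-based backdoor channel described for Agent Raccoon leaves a characteristic footprint in resolver logs: a single client issuing many queries for distinct, long, high-entropy subdomains of one parent domain. The following is an added detection example (not code from the Unit 42 report or the malware itself) that applies two checks to a constructed DNS query log: an exact match against the two domains listed in this page's IoC section, and a generic covert-channel heuristic. The log format, the field names, the entropy/length thresholds and the naive "last two labels" notion of a registrable domain are assumptions for the example.

```python
import math
from collections import defaultdict

# Domains listed as IoCs on this page.
KNOWN_BAD_DOMAINS = {"geostatcdn.com", "geoinfocdn.com"}

# Constructed sample resolver log (not real traffic): "client qname qtype".
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 a91f3c0e7b2d4.geostatcdn.com TXT
10.0.0.7 4e8d2ab77c10f.geostatcdn.com TXT
10.0.0.7 0c3f9e1d5a6b8.geostatcdn.com TXT
10.0.0.7 7b2e4f0a9c1d3.geostatcdn.com TXT
10.0.0.9 zq3k8v1n6x0p2w7r.updates.internal-cdn.test TXT
10.0.0.9 m4h9t2y7c1b5j8d0.updates.internal-cdn.test TXT
10.0.0.9 p6w3e9r1k5n2v8x4.updates.internal-cdn.test TXT
10.0.0.9 b1d7g3l9s5f2h8a0.updates.internal-cdn.test TXT
10.0.0.9 x8c2v6n0m4q1z5t3.updates.internal-cdn.test TXT
10.0.0.11 cdn.static-assets.test A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Naive parent domain: the last two labels (assumption; real code
    should use a public-suffix list)."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname.lower()


def parse_dns_log(text):
    """Parse 'client qname qtype' lines into (client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        records.append((client, qname.lower().rstrip("."), qtype))
    return records


def find_known_bad(records):
    """Exact IoC match: any query whose parent domain is on the block list."""
    return sorted({(c, q) for c, q, _ in records
                   if registrable_domain(q) in KNOWN_BAD_DOMAINS})


def find_tunneling_candidates(records, min_unique=4, min_label_len=12,
                              min_entropy=3.0):
    """Heuristic: per (client, parent domain), many unique leftmost labels
    that are long and high-entropy suggest data encoded into query names.
    Thresholds are assumptions and should be tuned per environment."""
    groups = defaultdict(set)
    for client, qname, _ in records:
        labels = qname.split(".")
        if len(labels) <= 2:          # no subdomain to encode data in
            continue
        groups[(client, registrable_domain(qname))].add(labels[0])
    findings = []
    for (client, base), labels in groups.items():
        if len(labels) < min_unique:
            continue
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            findings.append({"client": client, "domain": base,
                             "unique_labels": len(labels),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)})
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for hit in find_known_bad(recs):
        print("IoC match:", hit)
    for f in find_tunneling_candidates(recs):
        print("covert-channel candidate:", f)
```

On the constructed log the exact match catches the four geostatcdn.com queries, while the heuristic additionally flags the second client's traffic to a domain that is on no block list, which is the point of pairing the two: the IoC list is precise but only covers infrastructure already known, and the heuristic covers the same technique on new infrastructure at the cost of needing per-environment tuning (CDNs and some security products legitimately produce long random labels).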
The compromised organizations span various industries, including education, real estate, retail, non-profit organizations, telecom companies, and governments. These attacks involve sophisticated tactics, techniques, and procedures (TTPs), suggesting the involvement of nation-state-related threat actors. Unit 42 researchers have designated this threat activity cluster as CL-STA-0002.
The attackers utilized temporary directories such as C:\Windows\Temp and C:\Temp to deploy components of their toolset and used a range of filenames for batch and PowerShell scripts to facilitate their operations. Following the attacks, they employed cleanmgr.exe to clean up the environment used during the session.
In addition to credential theft, the threat actors also engaged in the collection and exfiltration of confidential information, such as emails from MS Exchange environments. They used PowerShell snap-ins to dump emails and attempted various methods to compress and exfiltrate these files.
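The host-side behaviours in the two paragraphs above (scripts staged in C:\Windows\Temp and C:\Temp, cleanmgr.exe run afterwards, and PowerShell loading the Exchange snap-in to dump mail) can be turned into process-creation detections. The block below is an added example, not code from the Unit 42 report, that runs three such rules over a constructed process-creation log. The pipe-delimited log format, the host and user names, and the rule names are assumptions; the Exchange snap-in name used in the sample line is the standard Microsoft.Exchange.Management.PowerShell.SnapIn.

```python
import re

# Process-creation events (constructed sample, not real telemetry), one per
# line, assumed to be in chronological order: timestamp|host|user|image|command line
SAMPLE_PROCESS_LOG = r"""
2023-11-01T08:02:11Z|WS01|CORP\jdoe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\jdoe\notes.txt
2023-11-01T08:05:40Z|SRV02|CORP\svc_backup|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Windows\Temp\update.bat
2023-11-01T08:06:02Z|SRV02|CORP\svc_backup|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Temp\sync.ps1
2023-11-01T08:07:15Z|EXCH01|CORP\svc_backup|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; Get-Mailbox"
2023-11-01T08:30:55Z|SRV02|CORP\svc_backup|C:\Windows\System32\cleanmgr.exe|cleanmgr.exe /sagerun:1
2023-11-01T09:00:00Z|WS01|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\inventory.ps1
2023-11-01T09:15:00Z|WS01|CORP\jdoe|C:\Windows\System32\cleanmgr.exe|cleanmgr.exe /sagerun:1
"""

# Script hosts whose command lines are inspected for staged scripts.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# A batch/PowerShell/VBScript file under C:\Windows\Temp or C:\Temp (the
# staging directories named in the report).
STAGING_SCRIPT_RE = re.compile(
    r"c:\\(?:windows\\)?temp\\[^\s\"']+\.(?:bat|cmd|ps1|vbs)\b", re.IGNORECASE)

# PowerShell loading the Exchange management snap-in.
EXCHANGE_SNAPIN_RE = re.compile(r"add-pssnapin\s+microsoft\.exchange", re.IGNORECASE)


def parse_process_log(text):
    """Parse pipe-delimited events into dicts; the command line may itself
    contain '|' so only the first four separators are split on."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({"ts": ts, "host": host, "user": user,
                       "image": image, "cmdline": cmdline})
    return events


def detect(events):
    """Return (timestamp, host, rule, evidence) tuples.

    cleanmgr.exe is legitimate on its own, so it is only reported on a host
    where a staged script was already seen earlier in the same log."""
    findings = []
    staged_hosts = set()
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        if exe in SCRIPT_HOSTS:
            m = STAGING_SCRIPT_RE.search(cmd)
            if m:
                findings.append((ev["ts"], ev["host"],
                                 "script_from_staging_dir", m.group(0)))
                staged_hosts.add(ev["host"])
            if EXCHANGE_SNAPIN_RE.search(cmd):
                findings.append((ev["ts"], ev["host"],
                                 "exchange_snapin_loaded", cmd))
        elif exe == "cleanmgr.exe" and ev["host"] in staged_hosts:
            findings.append((ev["ts"], ev["host"],
                             "cleanmgr_after_staging", cmd))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_process_log(SAMPLE_PROCESS_LOG)):
        print(finding)
```

On the sample log the two scripts on SRV02 and the Exchange snap-in on EXCH01 are reported, the later cleanmgr.exe run on SRV02 is reported because of the earlier staging on that host, and the cleanmgr.exe run and the script from C:\Scripts on WS01 are not. The staging-directory rule will fire on some legitimate installers, so in production it is best treated as a medium-severity signal that gains weight when combined with the other two on the same host and account.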
The researchers' objective in sharing this information is to aid in the detection, prevention, and hunting of these threats, helping organizations to bolster their security posture against such sophisticated cyber espionage activities.
IoC
DOMAIN
- geostatcdn.com
- geoinfocdn.com
SHA256
- f45ea12579f636026d29009190221864f432dbc3e26e73d8f3ab7835fa595b86
- e7682a61b6c5b0487593f880a09d6123f18f8c6da9c13ed43b43866960b7aa8e
- e30f8596f1beda8254cbe1ac7a75839f5fe6c332f45ebabff88aadbce3938a19
- e0748ce315037253f278f7f8f2820c7dd8827a93b6d22d37dafc287c934083c4
- dee7321085737da53646b1f2d58838ece97c81e3f2319a29f7629d62395dbfd1
- bcd2bdea2bfecd09e258b8777e3825c4a1d98af220e7b045ee7b6c30bf19d6df
- baed169ce874f6fe721e0d32128484b3048e9bf58b2c75db88d1a8b7d6bb938d
- ae989e25a50a6faa3c5c487083cdb250dde5f0ecc0c57b554ab77761bdaed996
REFERENCES
- https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
- https://otx.alienvault.com/pulse/656a4d9ef3793676ba2c304e
TAGS
Ntospy, Mimilite, Agent Raccoon