Unit 42 researchers have observed a series of coordinated cyberattacks against organizations in the Middle East, Africa, and the U.S., utilizing a new set of tools. These tools were used for various malicious activities, including establishing backdoor access, command and control (C2) operations, stealing user credentials, and exfiltrating confidential information.
Tools Used in the Attacks
Agent Racoon: A new backdoor written in .NET. It uses the Domain Name System (DNS) protocol as a covert channel to its C2 server and provides its backdoor functionality over that channel, so every request and response has to pass as ordinary DNS traffic, which is what makes it hard to pick out at the network edge. The malware has been used in multiple attacks across the targeted regions, and its C2 infrastructure dates back to 2020.
Ntospy: A Network Provider DLL module built to steal user credentials. It implements a known technique: a DLL registered as a Windows network provider is loaded by the logon process and handed the user's cleartext credentials every time a victim authenticates to the system, so the attacker harvests passwords without having to read LSASS memory.
Mimilite: A customized version of the well-known Mimikatz tool, used to gather credentials and other sensitive information. It requires a password passed on the command line to run, and it decrypts its actual payload with a stream cipher, so the file on disk does not expose the Mimikatz code in the clear.
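The following is an added example, not Unit 42 code: a heuristic check over DNS query logs for the kind of covert channel Agent Racoon relies on, where data rides in ever-changing subdomain labels under a single registered domain. It assumes a constructed "<timestamp> <client_ip> <qname> <qtype>" log format; the thresholds, the two made-up labels (q7zk1, x2f9m) and all benign names are assumptions, while the four-letter geostatcdn.com labels and the geoinfocdn.com name come from the IoC list on this page.

```python
# Added example (not Unit 42 code): heuristic DNS covert-channel check.
# Log format, thresholds and the made-up labels are assumptions.
import math
from collections import defaultdict
from dataclasses import dataclass, field

MIN_UNIQUE = 5          # distinct names under one registered domain
MIN_UNIQUE_RATIO = 0.8  # share of queries that used a never-before-seen name
RARE_QTYPES = {"TXT", "NULL", "CNAME", "MX"}

# Constructed sample log. geostatcdn.com four-letter labels and the
# geoinfocdn.com name are from this page's IoC list; q7zk1/x2f9m and every
# benign name are made up. Query types are made up as well.
SAMPLE_DNS_LOG = """\
2023-11-01T10:00:01Z 10.0.0.5 www.microsoft.com A
2023-11-01T10:00:02Z 10.0.0.5 lc3w.telemetry.geostatcdn.com A
2023-11-01T10:00:03Z 10.0.0.5 www.microsoft.com A
2023-11-01T10:00:04Z 10.0.0.5 hfhs.telemetry.geostatcdn.com A
2023-11-01T10:00:05Z 10.0.0.5 fdsb.telemetry.geostatcdn.com A
2023-11-01T10:00:06Z 10.0.0.5 mail.google.com A
2023-11-01T10:00:07Z 10.0.0.5 dlbh.telemetry.geostatcdn.com A
2023-11-01T10:00:08Z 10.0.0.5 q7zk1.telemetry.geostatcdn.com A
2023-11-01T10:00:09Z 10.0.0.5 g1sw.telemetry.geoinfocdn.com A
2023-11-01T10:00:10Z 10.0.0.5 x2f9m.telemetry.geostatcdn.com A
2023-11-01T10:00:11Z 10.0.0.5 www.microsoft.com A
2023-11-01T10:00:12Z 10.0.0.5 cdn.example.net A
2023-11-01T10:00:13Z 10.0.0.5 update.example.net A
"""


@dataclass
class DomainStats:
    queries: int = 0
    names: set = field(default_factory=set)
    rare_qtype: int = 0
    digit_labels: int = 0   # leftmost labels that contain a digit


def registered_domain(qname: str) -> str:
    # Assumption: the registered domain is the last two labels. Fine for
    # .com/.net; use the Public Suffix List for co.uk-style suffixes.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return ts, client, qname.lower().rstrip("."), qtype.upper()


def collect(log_text: str) -> dict:
    """Aggregate per-registered-domain statistics from the log text."""
    stats = defaultdict(DomainStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, _, qname, qtype = rec
        st = stats[registered_domain(qname)]
        st.queries += 1
        st.names.add(qname)
        if qtype in RARE_QTYPES:
            st.rare_qtype += 1
        if any(ch.isdigit() for ch in qname.split(".")[0]):
            st.digit_labels += 1
    return stats


def assess(stats: dict) -> dict:
    """Return {registered_domain: [reasons]} for domains with >= 2 indicators."""
    findings = {}
    for dom, st in stats.items():
        reasons = []
        if len(st.names) >= MIN_UNIQUE:
            reasons.append(f"{len(st.names)} distinct names under {dom}")
        if len(st.names) > 1 and len(st.names) / st.queries >= MIN_UNIQUE_RATIO:
            reasons.append("almost every query used a name never seen before")
        if st.digit_labels / st.queries >= 0.5:
            reasons.append("most leftmost labels look machine-generated (contain digits)")
        if st.rare_qtype / st.queries >= 0.5:
            reasons.append("majority of queries used TXT/NULL/CNAME/MX")
        if len(reasons) >= 2:
            findings[dom] = reasons
    return findings


def scan(log_text: str) -> dict:
    return assess(collect(log_text))


if __name__ == "__main__":
    for dom, reasons in scan(SAMPLE_DNS_LOG).items():
        print(dom)
        for r in reasons:
            print("  -", r)
```

Requiring two independent indicators keeps ordinary CDN and update traffic (many hosts, few distinct names each) below the line; on real logs, run it per client and per hour, and whitelist the registered domains of your own telemetry and CDN vendors before paging anyone.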
Targeted Organizations
The affected organizations span various industries, including education, real estate, retail, non-profit organizations, telecom companies, and governments. This broad range of targets indicates the widespread nature of these attacks.
Techniques and Procedures
The attackers staged components of their toolset in temporary directories such as C:\Windows\Temp and ran them with batch and PowerShell scripts that shared similar filenames across victims. While Ntospy was used across the affected organizations, Mimilite and Agent Racoon were found predominantly in non-profit and government-related organizations' environments.
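Since Ntospy turned up across the affected organizations, the first thing to check on a suspect host is which network providers are registered. The audit below is an added example, not Unit 42 tooling: it reads the ProviderOrder value under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order and each provider's ProviderPath, and flags anything outside a known-good baseline, outside System32, or not even a .dll. The baseline, the System32 rule, the off-Windows default for %SystemRoot% and the sample registry contents (including the made-up rogue entry) are assumptions.

```python
# Added example (not Unit 42 code): audit Windows network provider
# registrations. Baseline, rules and sample data are assumptions.
import ntpath
import os
import re
import sys

# Assumed baseline: providers and DLLs that ship with Windows. Add validated
# third-party providers (VPN clients and the like) for your environment.
KNOWN_PROVIDERS = {
    "rdpnp": r"%SystemRoot%\System32\drprov.dll",
    "lanmanworkstation": r"%SystemRoot%\System32\ntlanman.dll",
    "webclient": r"%SystemRoot%\System32\davclnt.dll",
}

# Constructed sample of what collect_live() returns on a host.
SAMPLE_ORDER = ["RDPNP", "LanmanWorkstation", "webclient", "UpdateSvcProvider"]
SAMPLE_PROVIDERS = {
    "RDPNP": r"%SystemRoot%\System32\drprov.dll",
    "LanmanWorkstation": r"%SystemRoot%\System32\ntlanman.dll",
    "webclient": r"%SystemRoot%\System32\davclnt.dll",
    # Constructed rogue entry: name and path are made up for this example.
    "UpdateSvcProvider": r"C:\Windows\Temp\updpkg.dat",
}


def normalize(path: str) -> str:
    """Expand %SystemRoot% and normalise the path for case-insensitive comparison."""
    # Assumption: C:\Windows when SystemRoot is not set (i.e. when run off-Windows).
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    expanded = re.sub(r"%systemroot%", lambda m: system_root, path, flags=re.I)
    return ntpath.normpath(expanded).lower()


def audit(order, providers):
    """order: names from ProviderOrder; providers: name -> ProviderPath (None if absent).
    Returns a list of (provider_name, reason)."""
    findings = []
    system32 = normalize(r"%SystemRoot%\System32") + "\\"
    for name in order:
        key = name.lower()
        path = providers.get(name)
        if path is None:
            findings.append((name, "listed in ProviderOrder but has no NetworkProvider\\ProviderPath"))
            continue
        npath = normalize(path)
        if key not in KNOWN_PROVIDERS:
            findings.append((name, f"provider not in baseline: {path}"))
        elif npath != normalize(KNOWN_PROVIDERS[key]):
            findings.append((name, f"baseline provider points at unexpected file: {path}"))
        if not npath.startswith(system32):
            findings.append((name, f"provider file outside System32: {path}"))
        if not npath.endswith(".dll"):
            findings.append((name, f"provider file does not have a .dll extension: {path}"))
    return findings


def collect_live():
    """Read the real registry (Windows only)."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Control\NetworkProvider\Order") as k:
        value, _ = winreg.QueryValueEx(k, "ProviderOrder")
    order = [p for p in value.split(",") if p]
    providers = {}
    for name in order:
        try:
            with winreg.OpenKey(hklm, rf"SYSTEM\CurrentControlSet\Services\{name}\NetworkProvider") as k:
                providers[name], _ = winreg.QueryValueEx(k, "ProviderPath")
        except OSError:
            providers[name] = None
    return order, providers


if __name__ == "__main__":
    order, providers = collect_live() if sys.platform == "win32" else (SAMPLE_ORDER, SAMPLE_PROVIDERS)
    for name, reason in audit(order, providers):
        print(f"[!] {name}: {reason}")
```

The extension check matters because LoadLibrary does not care what the file is called, so a provider pointing at a non-.dll file in a writable directory is a strong signal on its own. Run the audit from a baseline image first to learn which third-party providers are legitimately present before trusting the output on a suspect host.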
Exfiltration Activities
Unit 42 researchers noted the successful exfiltration of confidential information, such as emails from MS Exchange environments and the victim's Roaming Profile. To exfiltrate the Roaming Profile, the threat actor used a standalone version of the 7-Zip tool to compress the directory and split the resulting archive into 100 MB volumes.
Attribution and Impact
While the specific threat actor behind these attacks is not yet identified, Unit 42 assesses with medium confidence that this threat activity cluster aligns with nation-state related threat actors. This assessment is based on the nature of the compromised organizations, the observed tactics, techniques, and procedures (TTPs), the customization of the toolset, and the detection and defense evasion techniques used.
In summary, these findings highlight the sophisticated nature of the threat actors and the need for organizations to strengthen their defenses against such advanced and persistent cyber threats.
IoC
HOSTNAME
- telemetry.geostatcdn.com
- lc3w.telemetry.geostatcdn.com
- hfhs.telemetry.geostatcdn.com
- g1sw.telemetry.geoinfocdn.com
- fdsb.telemetry.geostatcdn.com
- dlbh.telemetry.geostatcdn.com
DOMAIN
- geostatcdn.com
- geoinfocdn.com
SHA256
- f45ea12579f636026d29009190221864f432dbc3e26e73d8f3ab7835fa595b86
TAGS
agent racoon, dll module, c2 server, module, helper script, mimikatz, powershell, ntospy