
Agent Racoon Backdoor

Unknown threat actors have been actively targeting organizations in the Middle East, Africa, and the United States, employing a novel backdoor named the Agent Racoon. This malware, developed within the .NET framework, utilizes the Domain Name Service (DNS) protocol to establish a concealed channel, enabling diverse backdoor functionalities.

The victims of these attacks come from diverse sectors, including education, real estate, retail, nonprofit organizations, telecommunications and government entities. So far, the exact identity of the threat actor remains unknown. The nature of the attacks, characterized by the selection of victims and the utilization of sophisticated detection and defense evasion techniques, suggests a potential alignment with a nation-state.

Additional Malware Tools Deployed Alongside the Agent Racoon

The threat actors have deployed additional tools in their operation, including a customized version of Mimikatz named Mimilite and a novel utility called Ntospy. Ntospy employs a custom DLL module that implements a network provider to pilfer credentials for a remote server.

Across the targeted organizations, Ntospy is commonly used by the attackers. However, it is noteworthy that the Mimilite tool and the Agent Racoon malware have exclusively been discovered in environments associated with nonprofit and government-related organizations.

It is important to highlight that a previously identified threat activity cluster has also been linked to the use of Ntospy. Interestingly, this adversary has targeted two organizations that were also subjected to the Agent Racoon attack campaign.

The Agent Racoon is Used During the Initial Stages of the Cyberattack

The Agent Racoon functions as a backdoor, with its primary objective being to prepare the compromised system for subsequent infections. The malware establishes a communication channel with its Command-and-Control (C2, C&C) server through the DNS (Domain Name System) protocol. Agent Racoon primarily operates through scheduled tasks and does not rely on specific techniques for ensuring persistence. However, its utilization of communication loops when interacting with the C&C server may serve as an anti-detection tactic, aiming to reduce the likelihood of network jamming and activity spikes.
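Because the backdoor's only network footprint is DNS traffic, one place to hunt for it is the resolver log. The following is an added, defender-side example (not code from the original entry, and not Agent Racoon's own protocol, which the entry does not describe): a small heuristic that groups DNS queries by registered domain and scores each domain on traits common to DNS covert channels, namely long, high-entropy subdomain labels, record types that carry arbitrary payloads, and every query being unique. The log format, the `tun-placeholder.net` domain and all thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "timestamp client qname qtype". Not real IoCs.
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 www.example.com A
2024-01-10T09:00:02 10.0.0.5 mail.example.com A
2024-01-10T09:00:03 10.0.0.7 a3f9c2e1b7d4.5e8a1c0f.tun-placeholder.net TXT
2024-01-10T09:00:08 10.0.0.7 9b2d4e6f8a1c.7d3e5f2a.tun-placeholder.net TXT
2024-01-10T09:00:13 10.0.0.7 c4e8a2f6d1b9.2f7a9c4e.tun-placeholder.net TXT
2024-01-10T09:00:18 10.0.0.7 e7b1d5f9a3c8.8c1e4b6d.tun-placeholder.net TXT
2024-01-10T09:00:23 10.0.0.7 f2a6c0e4b8d3.1a5c9e3b.tun-placeholder.net TXT
2024-01-10T09:00:30 10.0.0.9 cdn.example.com A
2024-01-10T09:00:31 10.0.0.9 cdn.example.com A
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    """Parse the constructed 4-column format into dicts; skips malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records

def registered_domain(qname):
    """Naive 'last two labels' heuristic; a real deployment would use a public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def find_suspicious_domains(records, min_queries=4, min_len=10, min_entropy=3.0,
                            payload_types=("TXT", "NULL", "CNAME"), min_score=3):
    """Score each registered domain on four tunnelling traits; flag those hitting min_score."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["qname"])].append(r)
    flagged = {}
    for dom, recs in by_domain.items():
        if len(recs) < min_queries:          # too little traffic to judge
            continue
        subs = {r["qname"][:-len(dom) - 1] for r in recs if r["qname"] != dom}
        if not subs:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        payload_ratio = sum(r["qtype"] in payload_types for r in recs) / len(recs)
        score = ((avg_len >= min_len) + (avg_ent >= min_entropy)
                 + (payload_ratio > 0.5) + (len(subs) == len(recs)))  # never-repeated names
        if score >= min_score:
            flagged[dom] = {"queries": len(recs), "unique_subdomains": len(subs),
                            "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                            "payload_type_ratio": round(payload_ratio, 2), "score": score}
    return flagged
```

Run against a real resolver export, the thresholds need tuning per environment, since CDNs and some security products also generate long, unique subdomains; the score is a triage signal, not a verdict.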

The capabilities of the Agent Racoon include executing commands and uploading and downloading files. The former may facilitate the infiltration of additional unsafe content, while the latter enables data exfiltration. Notably, these infections incorporate additional anti-detection measures, such as the use of temporary folders and a tool to clear infection artifacts after each attack. Moreover, some of the malicious programs are disguised as Microsoft updates.

In the observed attacks involving credential-collecting malware, the exfiltrated data encompasses roaming user profiles and emails from Microsoft Exchange clients.

It is crucial to acknowledge that, given the common trend of malware developers refining their software and techniques, it is plausible that future iterations of the Agent Racoon will feature enhanced capabilities and infections associated with this program could adopt diverse methodologies.
