Organizations in the Middle East, Africa, and the U.S. have been targeted by an unknown threat actor to distribute a new backdoor called Agent Racoon.
"This malware family is written using the .NET framework and leverages the domain name service (DNS) protocol to create a covert channel and provide different backdoor functionalities," Palo Alto Networks Unit 42 researcher Chema Garcia said in a Friday analysis.
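One way a defender can triage DNS query logs for the kind of covert channel the article attributes to Agent Racoon, as an added example that is neither Unit 42's code nor a signature for this malware family: the log lines, client addresses and the zone "updates-example.invalid" are constructed, and the heuristic (many distinct, long, high-entropy subdomains under one zone) is generic to DNS tunneling rather than specific to this backdoor.

```python
"""Heuristic triage of DNS query logs for covert-channel (tunneling) traffic.

Added example for this article, not Unit 42's code and not an Agent Racoon
signature. The log lines and zone "updates-example.invalid" are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "<client> <qtype> <qname>"
SAMPLE_LOG = """\
10.0.0.5 A www.microsoft.com
10.0.0.5 A login.live.com
10.0.0.7 TXT 6a9f3c1e8b2d4f7a9c0e1b3d5f7a9c2e.updates-example.invalid
10.0.0.7 TXT 1b2d4f7a9c0e6a9f3c1e8b2d4f7a9c0e.updates-example.invalid
10.0.0.7 TXT 9c0e1b3d5f7a9c2e6a9f3c1e8b2d4f7a.updates-example.invalid
10.0.0.5 A cdn.example.org
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking hex labels approach 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_zone(qname: str) -> tuple:
    """Crude (subdomain, zone) split: the last two labels are the zone.
    A real deployment would use a public-suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def flag_zones(log_text: str, min_unique: int = 3, min_entropy: float = 3.0,
               min_len: int = 20) -> dict:
    """Return {zone: stats} for zones whose subdomains look like encoded
    data (many distinct, long, high-entropy labels) rather than hostnames."""
    subs, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        client, _qtype, qname = line.split()
        sub, zone = split_zone(qname)
        if sub:                       # bare zone queries carry no payload
            subs[zone].add(sub)
            clients[zone].add(client)
    flagged = {}
    for zone, names in subs.items():
        avg_entropy = sum(shannon_entropy(n) for n in names) / len(names)
        avg_len = sum(len(n) for n in names) / len(names)
        if len(names) >= min_unique and avg_entropy >= min_entropy and avg_len >= min_len:
            flagged[zone] = {"clients": sorted(clients[zone]),
                             "unique_subdomains": len(names),
                             "avg_entropy": round(avg_entropy, 2)}
    return flagged
```

Thresholds are starting points for tuning against your own baseline; CDNs and some security products also generate high-entropy labels, so flagged zones are leads for review, not verdicts.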
Targets of the attacks span various sectors such as education, real estate, retail, non-profits, telecom, and governments. The activity has not been attributed to a known threat actor, although it's assessed to be nation-state aligned owing to the victimology pattern and the detection and defense evasion techniques used.
The cybersecurity firm is tracking the cluster under the moniker CL-STA-0002. It's currently not clear how these organizations were breached, or when the attacks took place.
Some of the other tools deployed by the adversary include a customized version of Mimikatz called Mimilite, as well as a new utility called Ntospy, which uses a custom DLL module implementing a network provider to steal credentials and send them to a remote server.
"While the attackers commonly used Ntospy across the affected organizations, the Mimilite tool and the Agent Racoon malware have only been found in nonprofit and government-related organizations' environments," Garcia explained.
It's worth pointing out that a previously identified threat activity cluster known as CL-STA-0043 has also been linked to the use of Ntospy, and that this adversary also targeted two of the organizations hit by CL-STA-0002.
Agent Racoon, executed by means of scheduled tasks, allows for command execution, file uploading, and file downloading, while disguising itself as Google Update and Microsoft OneDrive Updater binaries.
The command-and-control (C2) infrastructure used in connection with the implant dates back to at least August 2020. An examination of VirusTotal submissions of the Agent Racoon artifacts shows that the earliest sample was uploaded in July 2022.
Unit 42 said it also uncovered evidence of successful data exfiltration from Microsoft Exchange Server environments, resulting in the theft of emails matching different search criteria. The threat actor has also been found to harvest victims' Roaming Profiles.
"This tool set is not yet associated with a specific threat actor, and not entirely limited to a single cluster or campaign," Garcia said.
Originally published on the WeChat official account 知机安全: Organizations in the Middle East, Africa, and the U.S. Hit by Agent Racoon Backdoor Attacks