On 1 December 2023, Palo Alto Unit 42 reported adversarial cyber activities targeting various organizations in the Middle East, Africa, and the United States. The events were attributed to an unknown activity cluster tracked as CL-STA-0002. However, its tactics, techniques, and procedures (TTPs) partially overlap with those of a separate activity cluster, potentially linked to an unidentified government.
Targeted entities include government organizations and private businesses in sectors such as real estate, telecommunications, retail, education, and non-profit. This extensive targeting suggests a large-scale espionage campaign.
The observed events reveal new TTPs, including:
The use of PowerShell scripts to deploy the attack toolset.
A novel backdoor, named "Agent Racoon," disguises itself as Google Update or Microsoft OneDrive Updater and uses DNS to establish covert communication with the command-and-control (C2) server. Unit 42's analysis of the communicating infrastructure suggests that the activity cluster may have been active since at least 2020. Samples of this backdoor were first observed in July 2022, when they were uploaded to VirusTotal (VT) from Thailand, and they resurfaced in September 2022, when further VT uploads were made from Egypt. The backdoor's functionality includes command execution, file upload, and file download.
Credential theft occurs via a customized DLL module named "Ntospy DLL," which implements a Windows network provider. Because network providers are loaded during logon, this module hijacks the authentication process whenever a user authenticates to the compromised system. Notably, Ntospy DLL overlaps with TTPs of a separate activity cluster (CL-STA-0043), suggesting a potential correlation or that the two clusters are the same actor. A Hive Pro report suggests that CL-STA-0043 may be a state-sponsored actor working for an unidentified government.
The actor also employs a customized and minimized version of the credential recovery tool Mimikatz, named "Mimilite," disguised as a Microsoft update.
Post-exploitation activities involve anti-forensic measures using living-off-the-land techniques. The actor utilizes the Windows disk cleanup tool (cleanmgr.exe) and "taskkill" within the command prompt to remove traces of its activity.
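As an added defender-side check, not code from the Unit 42 report, the following PowerShell audit enumerates the network providers registered on a Windows host (the mechanism the Ntospy DLL technique depends on) and flags any whose DLL is not a validly signed Microsoft binary. The registry locations are the standard ones Windows uses for network providers; the "signed by Microsoft" heuristic is an assumption chosen for triage and will also surface legitimate third-party providers such as VPN clients.

```powershell
# Added example: audit registered Windows network providers.
# A rogue provider DLL (Ntospy-style credential capture) must be registered under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider to be loaded at logon,
# and is normally also listed in the ProviderOrder value below.
function Get-NetworkProviderAudit {
    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $inOrder  = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder -split ','

    # Enumerate every service with a NetworkProvider subkey, not only those in
    # ProviderOrder, so a registered-but-unlisted DLL is still reported.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $npKey = "Registry::$($_.Name)\NetworkProvider"
        if (-not (Test-Path -Path $npKey)) { return }
        $props = Get-ItemProperty -Path $npKey
        if (-not $props.ProviderPath) { return }

        # ProviderPath is usually stored with %SystemRoot%; expand before checking the file.
        $dll = [Environment]::ExpandEnvironmentVariables($props.ProviderPath)
        $sig = if (Test-Path -Path $dll) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or file missing>' }

        # Heuristic (assumption): anything not validly signed by Microsoft goes to the triage list.
        $isMicrosoft = ($sig -and $sig.Status -eq 'Valid' -and $signer -like '*Microsoft*')

        [PSCustomObject]@{
            Service         = $_.PSChildName
            ProviderPath    = $dll
            InProviderOrder = ($inOrder -contains $_.PSChildName)
            SignatureStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer          = $signer
            Suspicious      = -not $isMicrosoft
        }
      }
}

# Print only the entries a responder should look at; drop the filter to see the full baseline.
Get-NetworkProviderAudit | Where-Object Suspicious | Format-Table -AutoSize
```

Run it elevated and compare the output against a known-good host; a provider whose DLL sits outside System32, is unsigned, or is absent from ProviderOrder while still registered warrants closer examination.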