Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. We will discuss a set of tools used in the course of the attacks that reveal clues about the threat actors' activity.
We assess with medium confidence that this threat activity cluster aligns to nation-state related threat actors due to the nature of the organizations that were compromised, the TTPs observed and the customization of the tool set.
Organizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.
The threat actor used temporary directories such as C:\Windows\Temp and C:\Temp to deploy specific components of their tool set across the different affected organizations.
After each attack session, the threat actor leveraged cleanmgr.
To perform credential theft, the threat actor used a custom DLL module implementing a Network Provider, tracked as Ntospy.
The threat actor registers the Ntospy DLL module as a Network Provider module to hijack the authentication process: Windows loads every registered provider into the logon flow, so the DLL receives the user's credentials each time the victim authenticates to the system.
To install the DLL module, the threat actor registers a new Network Provider called credman.
While the first file path is the one used to actually install the Network Provider module, the Temp directory is the working directory used by the threat actor to temporarily store the DLL modules.
As shown in the file paths above, the threat actor used Windows binary name patterns in an attempt to trick victims and analysts into overlooking the malicious DLL component.
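A defender's first question after reading the above is which Network Providers are registered on a host and where their DLLs live. The following PowerShell audit is an added example, not code from the Unit 42 report or from the threat actor's tool set. It walks the `ProviderOrder` list under `HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order`, resolves each provider's `ProviderPath` from its service key, and flags DLLs that sit outside System32, live in a Temp directory, are missing, or carry an invalid or non-Microsoft signature. The assumption that every legitimate provider is a Microsoft-signed DLL under System32 holds on a stock Windows install but not on hosts with third-party VPN or file-system clients, which register their own providers; treat those hits as review items rather than verdicts.

```powershell
# Added example (not from the Unit 42 report): enumerate every registered
# Network Provider and flag DLLs that do not look like the built-in ones.
# Run as an administrator; the Services keys are readable, but signature
# checks need access to the DLLs on disk.
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order    = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder

foreach ($name in ($order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    if (-not (Test-Path $npKey)) {
        # Listed in ProviderOrder but with no NetworkProvider subkey: worth a look on its own.
        [pscustomobject]@{ Provider = $name; ProviderPath = $null; Flags = 'no NetworkProvider subkey' }
        continue
    }

    $np    = Get-ItemProperty -Path $npKey
    $path  = [Environment]::ExpandEnvironmentVariables([string]$np.ProviderPath)
    $flags = @()

    # Assumption: stock providers (ntlanman.dll, drprov.dll, davclnt.dll, ...) all
    # resolve to a DLL directly under System32. Anything else is flagged for review.
    if ($path -notmatch '^(?i)[a-z]:\\Windows\\System32\\[^\\]+\.dll$') { $flags += 'DLL outside System32' }
    if ($path -match '(?i)\\Temp\\')                                    { $flags += 'DLL in a Temp directory' }

    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $flags += "signature: $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $flags += "signer: $($sig.SignerCertificate.Subject)"
        }
    } else {
        $flags += 'DLL missing on disk'
    }

    [pscustomobject]@{
        Provider     = $name
        ProviderPath = $path
        Flags        = ($flags -join '; ')
    }
}
```

A provider named `credman` whose `ProviderPath` points at a Temp directory, or at a System32 lookalike name with no valid signature, is the pattern described in this section. Pipe the output to `Format-Table -AutoSize` for a quick scan, or to `Export-Csv` when collecting across a fleet.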
Another tool used for gathering credentials and sensitive information is a customized version of the well-known Mimikatz tool that, according to references within the sample, the threat actor calls Mimilite.
The DNS IP address is different for each sample found, which could indicate that the threat actor is building the binary with specific settings gathered from the targeted environment.
Although Agent Racoon does not provide any sort of persistence mechanism by itself, during the activity we observed, the malware was executed by using scheduled tasks.
The threat actor tried to disguise the Agent Racoon binary as Google Update and MS OneDrive Updater binaries.
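Because Agent Racoon relies on scheduled tasks for execution and borrows updater names for its binary, scheduled task actions are a natural place to hunt for it. The following PowerShell check is an added example, not code from the Unit 42 report. It enumerates every Exec action on the host and flags executables that run from a Temp directory, that carry an updater-style file name while living outside the vendor's usual install path, or that fail signature validation. The list of lookalike names and the vendor path patterns are assumptions chosen for illustration; extend both to match the software inventory of the environment being reviewed.

```powershell
# Added example (not from the Unit 42 report): flag scheduled task actions whose
# executable runs from Temp or reuses an updater name outside the vendor's path.
# Assumption: these are the lookalike names worth checking; extend as needed.
$lookalikeNames = @('GoogleUpdate', 'OneDriveUpdater', 'OneDriveStandaloneUpdater')
# Assumption: genuine Google Update and OneDrive updaters live under Program Files
# or under the user's AppData\Local\Google or AppData\Local\Microsoft tree.
$vendorPaths = '(?i)\\Program Files( \(x86\))?\\|\\AppData\\Local\\(Google|Microsoft)\\'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only Exec actions carry an Execute path; COM-handler actions are skipped here.
        if (-not $action.Execute) { continue }

        $exe   = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $leaf  = [IO.Path]::GetFileNameWithoutExtension($exe)
        $flags = @()

        if ($exe -match '(?i)\\Temp\\') { $flags += 'runs from a Temp directory' }
        if (($lookalikeNames -contains $leaf) -and ($exe -notmatch $vendorPaths)) {
            $flags += 'updater-style name outside vendor path'
        }

        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
        } else {
            # A bare name such as "cmd" resolves via PATH and lands here; so does a deleted payload.
            $flags += 'file not found at the literal path'
        }

        if ($flags) {
            [pscustomobject]@{
                Task      = $task.TaskName
                TaskPath  = $task.TaskPath
                Execute   = $exe
                Arguments = $action.Arguments
                Flags     = ($flags -join '; ')
            }
        }
    }
}
```

The two indicators reinforce each other: a task whose action is named like Google Update but resolves to an unsigned file under C:\Windows\Temp matches both the staging directories and the disguise described in this report. Tasks that only trip the "file not found" flag are usually benign PATH-resolved commands and can be triaged last.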
Using search criteria like those in the command above, the threat actor ran similar commands against different folders, mailboxes and date ranges to dump the matching emails.
After dumping the emails, the threat actor tried to compress the.
The threat actor canceled the attempt to compress the.
Eventually the threat actor discarded the usage of raren.
This tool set is not yet associated with a specific threat actor, and not entirely limited to a single cluster or campaign.
As mentioned at the beginning of this article, we found an overlapping Ntospy sample with SHA256 bcd2bdea2bfecd09e258b8777e3825c4a1d98af220e7b045ee7b6c30bf19d6df with a previously identified threat activity cluster CL-STA-0043.
This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Fri, 01 Dec 2023 23:06:57 +0000