New Tool Set Found Used Against Organizations in the Middle East, Africa and the US

Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. We will discuss a set of tools used in the course of the attacks that reveal clues about the threat actors' activity.
We assess with medium confidence that this threat activity cluster aligns with nation-state-related threat actors, based on the nature of the organizations that were compromised, the TTPs observed and the customization of the tool set.
Organizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.
The threat actor used temporary directories such as C:\Windows\Temp and C:\Temp to deploy specific components of their tool set across the different affected organizations.
After each attack session, the threat actor leveraged cleanmgr.exe, the built-in Windows Disk Cleanup utility.
To perform credential theft, the threat actor used a custom DLL module, which we track as Ntospy, that implements a Windows Network Provider.
The threat actor registers the Ntospy DLL as a Network Provider so that it is loaded into the logon flow: Windows calls each registered provider's NPLogonNotify export with the credentials the user just supplied, so the module receives the user's credentials in cleartext every time the victim authenticates to the system.
To install the DLL module, the threat actor registers a new Network Provider named credman.
The module is installed from one file path, while the Temp directory is only the working directory in which the threat actor temporarily stages the DLL modules.
The DLL file names followed Windows binary naming patterns in an attempt to trick victims and analysts into overlooking the malicious component.
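Because a Network Provider is just a DLL named in the registry, the quickest check for an Ntospy-style implant is to walk the provider list and compare each DLL against what a stock host should have. The following is an added example, not code from the Unit 42 report; it assumes an elevated PowerShell session and the standard registry layout (provider names in the ProviderOrder value of the NetworkProvider\Order and HwOrder keys, and each provider's DLL in the ProviderPath value under its service key).

```powershell
# Added example, not code from the Unit 42 report: audit registered Network
# Providers on a Windows host and flag any whose DLL looks out of place.
# Assumptions: run elevated; the provider list lives in the standard
# ...\Control\NetworkProvider\Order and HwOrder keys and each provider's DLL
# is named by ProviderPath under its service key (standard Windows layout).

$providerNames = @()
foreach ($list in 'Order', 'HwOrder') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\$list"
    $value = (Get-ItemProperty -Path $key -Name ProviderOrder -ErrorAction SilentlyContinue).ProviderOrder
    if ($value) { $providerNames += ($value -split ',' | ForEach-Object { $_.Trim() }) }
}

$results = foreach ($name in ($providerNames | Sort-Object -Unique)) {
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $rawPath = (Get-ItemProperty -Path $npKey -Name ProviderPath -ErrorAction SilentlyContinue).ProviderPath
    if (-not $rawPath) { continue }   # listed in ProviderOrder but no provider key: nothing to check

    $dll        = [Environment]::ExpandEnvironmentVariables($rawPath).Trim('"')
    $exists     = Test-Path -LiteralPath $dll
    $sig        = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
    $inSystem32 = $dll -like "$env:SystemRoot\System32\*"

    $reasons = @()
    if (-not $exists)                      { $reasons += 'DLL missing on disk' }
    if (-not $inSystem32)                  { $reasons += 'DLL outside System32' }
    if ($dll -match '(?i)\\Temp\\')        { $reasons += 'DLL under a Temp directory' }
    if ($sig -and $sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    if ($sig -and $sig.SignerCertificate -and
        $sig.SignerCertificate.Subject -notmatch 'Microsoft') { $reasons += 'non-Microsoft signer' }

    [pscustomobject]@{
        Provider   = $name
        Dll        = $dll
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Suspicious = $reasons.Count -gt 0
        Reasons    = $reasons -join '; '
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a stock host the list is short (entries such as RDPNP, LanmanWorkstation and webclient, all pointing at Microsoft-signed DLLs in System32), so any extra name, any DLL outside System32 or under a Temp directory, and any non-Microsoft or invalid signature deserves a look. A provider name that imitates a Windows component, like credman here, is not a reason to trust it; judge the DLL, not the name. Several inbox DLLs are catalog-signed rather than embedding a signature, so a status other than Valid on a System32 DLL should be confirmed with a catalog-aware tool such as sigcheck before it is treated as a finding.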
Another tool used for gathering credentials and sensitive information is a customized version of the well-known Mimikatz tool that, according to references within the sample, the threat actor calls Mimilite.
Agent Racoon, a backdoor written in .NET that uses the DNS protocol as its command-and-control channel, is the third component of the tool set. The DNS server IP address differs in each sample found, which could indicate that the threat actor builds each binary with settings gathered from the targeted environment.
Although Agent Racoon provides no persistence mechanism of its own, during the activity we observed it was executed via scheduled tasks.
The threat actor tried to disguise the Agent Racoon binary as the Google Update and Microsoft OneDrive Updater binaries.
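A scheduled task that launches an "updater" from a location where the real updater never lives is the detectable residue of this technique. The following is an added example, not code from the Unit 42 report; it assumes Windows 8 / Server 2012 or later (the ScheduledTasks module) and that the genuine Google Update and OneDrive binaries are installed under the standard Program Files and per-user LocalAppData locations listed in the script, which you should adjust for your own estate.

```powershell
# Added example, not code from the Unit 42 report: list scheduled tasks whose
# action masquerades as a Google or OneDrive updater but runs from a path where
# the genuine updater does not live, or from a Temp directory.
# Assumptions: Windows 8 / Server 2012+ (ScheduledTasks module); the legitimate
# install roots below are the standard ones and may need adjusting.

$legitRoots = @(
    "$env:ProgramFiles\Google\",
    "${env:ProgramFiles(x86)}\Google\",
    "$env:ProgramFiles\Microsoft OneDrive\",
    "${env:ProgramFiles(x86)}\Microsoft OneDrive\",
    "$env:LOCALAPPDATA\Google\",
    "$env:LOCALAPPDATA\Microsoft\OneDrive\"
)

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')

        $looksLikeUpdater = $exe -match '(?i)(googleupdate|onedrive)'
        $inLegitRoot = $false
        foreach ($root in $legitRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inLegitRoot = $true }
        }
        $inTemp = $exe -match '(?i)\\Temp\\'

        if (($looksLikeUpdater -and -not $inLegitRoot) -or $inTemp) {
            $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                Author    = $task.Author
                Execute   = $exe
                Arguments = $action.Arguments
                SigStatus = if ($sig) { $sig.Status } else { 'file not found' }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it elevated so that tasks registered by other accounts are visible. Because $env:LOCALAPPDATA resolves to the current user's profile, per-user Google Update tasks belonging to other accounts will surface as findings; those are easy to dismiss by path and signature, whereas an "updater" under C:\Windows\Temp or C:\Temp with a missing or invalid signature matches the staging and masquerading pattern described above and should be pulled for analysis together with the task's creation time and author.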
The threat actor ran variations of the same command, changing the search criteria to cover different folders, mailboxes and date ranges, in order to dump emails.
After dumping the emails, the threat actor tried to compress them, then canceled the attempt.
Eventually the threat actor discarded the use of raren.
This tool set is not yet associated with a specific threat actor, and not entirely limited to a single cluster or campaign.
We found an Ntospy sample with SHA256 bcd2bdea2bfecd09e258b8777e3825c4a1d98af220e7b045ee7b6c30bf19d6df that overlaps with a previously identified threat activity cluster, CL-STA-0043.


This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Fri, 01 Dec 2023 23:06:57 +0000

