unit42.paloaltonetworks.com
Open in
urlscan Pro
23.56.206.30
Public Scan
URL:
https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
Submission: On January 16 via api from DE — Scanned from DE
Submission: On January 16 via api from DE — Scanned from DE
Form analysis 2 forms found in the DOM
Name: Unit42_Subscribe — POST https://www.paloaltonetworks.com/apps/pan/public/formsubmithandler.submitform.json
<form action="https://www.paloaltonetworks.com/apps/pan/public/formsubmithandler.submitform.json" method="post" novalidate="" class="subscribe-form py-25" name="Unit42_Subscribe">
<input type="hidden" name="emailFormMask" value="">
<input type="hidden" value="1086" name="formid">
<!-- <input type="hidden" value="818-CZC-273" name="munchkinId"> -->
<input type="hidden" value="531-OCS-018" name="munchkinId">
<input type="hidden" value="2141" name="lpId">
<input type="hidden" value="1203" name="programId">
<input type="hidden" value="1086" name="formVid">
<input type="hidden" name="mkto_optinunit42" value="true">
<input type="hidden" name="mkto_opt-in" value="true">
<div class="row">
<div class="col-sm col-12 mb-sm-0 mb-15">
<input type="email" name="Email" placeholder="Email address" class="subscribe-field d-block w-100 px-sm-25 px-15 bg-white" aria-label="Email">
<p class="error-mail d-none mt-15 text-danger" style="color: #dc3545">Please enter your email address!</p>
</div>
<div class="col-sm-auto col-12">
<input type="submit" value="Subscribe" class="btn btn--black btn--sm w-100" disabled="disabled">
</div>
</div>
<div class="google-recapth mt-15">
<div class="g-recaptcha" data-expired-callback="captchaExpires" data-callback="captchaComplete" data-sitekey="6Lc5EhgTAAAAAJa-DzE7EeWABasWg4LKv-R3ao6o">
<div style="width: 304px; height: 78px;">
<div><iframe title="reCAPTCHA" width="304" height="78" role="presentation" name="a-qgi0p2pshxd4" frameborder="0" scrolling="no"
sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-top-navigation allow-modals allow-popups-to-escape-sandbox allow-storage-access-by-user-activation"
src="https://www.google.com/recaptcha/api2/anchor?ar=1&k=6Lc5EhgTAAAAAJa-DzE7EeWABasWg4LKv-R3ao6o&co=aHR0cHM6Ly91bml0NDIucGFsb2FsdG9uZXR3b3Jrcy5jb206NDQz&hl=de&v=Ya-Cd6PbRI5ktAHEhm9JuKEu&size=normal&cb=xws2jawtq3b6"></iframe>
</div><textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response" style="width: 250px; height: 40px; border: 1px solid rgb(193, 193, 193); margin: 10px 25px; padding: 0px; resize: none; display: none;"
aria-label="recaptcha"></textarea>
</div><iframe style="display: none;"></iframe>
</div>
<p class="error-recaptcha d-none mt-15 text-danger" style="color: #dc3545">Please mark, I'm not a robot!</p>
</div>
</form>POST
<form method="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="9c96fce89e"><input type="hidden" name="_wp_http_referer" value="/new-toolset-targets-middle-east-africa-usa/">
</form>Text Content
Menu
* Tools
* ATOMs
* Security Consulting
* About Us
* Under Attack?
*
* About Unit 42
* Services
Services
Assess and Test Your Security Controls
* Attack Surface Assessment
* Breach Readiness Review
* BEC Readiness Assessment
* Compromise Assessment
* Cyber Risk Assessment
* M&A Cyber Due Diligence
* Penetration Testing
* Purple Team Exercises
* Ransomware Readiness Assessment
* SOC Assessment
* Supply Chain Risk Assessment
* Tabletop Exercises
* Unit 42 Retainer
Transform Your Security Strategy
* IR Plan Development and Review
* Security Program Design
* Virtual CISO
Respond in Record Time
* Cloud Incident Response
* Digital Forensics
* Incident Response
* Managed Detection and Response
* Managed Threat Hunting
* Unit 42 Retainer
UNIT 42 RETAINER
Custom-built to fit your organization's needs, you can choose to allocate
your retainer hours to any of our offerings, including proactive cyber risk
management services. Learn how you can put the world-class Unit 42 Incident
Response team on speed dial.
Learn more
* Unit 42 Threat Research
Unit 42 Threat Research
Unit 42 Threat Research
* Threat Briefs and Assessments
Details on the latest cyber threats
* ATOMs
Intelligence-driven security recommendations
* Tools
Lists of public tools released by our team
* Threat Reports
Downloadable, in-depth research reports
THREAT REPORT
2022 Incident Response Report: Understand today’s attacks to prevent future
threats
Read it now
THREAT BRIEF
Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats
Including DDoS, HermeticWiper, Gamaredon, Website Defacement
Learn more
THREAT REPORT
Highlights from the Unit 42 Cloud Threat Report, Volume 6
Learn more
* Partners
Partners
Partners
* Threat Intelligence Sharing
* Law Firms and Insurance Providers
* Threat Intel Bulletin
THREAT REPORT
2022 Unit 42 Ransomware Threat Report: Understand trends and tactics to
bolster defenses
Learn more
THREAT BRIEF
Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats
Including DDoS, HermeticWiper, Gamaredon, Website Defacement
Learn more
THREAT BRIEF
Operation Falcon II: Unit 42 Helps Interpol Identify Nigerian Business Email
Compromise Ring Members
Learn more
* Resources
Resources
Resources
* Research Reports
* Webinars
* Customer Stories
* Datasheets
* Videos
* Infographics
* Whitepapers
* In the News
* Cyberpedia
Industries
* Financial Services
* Healthcare
* Manufacturing
THREAT REPORT
2023 Unit 42 Ransomware and Extortion Report: Get the latest multi-extortion
trends and insights to keep your organization protected.
Learn more
RESEARCH REPORT
Gartner Market Guide for Digital Forensics and Incident Response Services
Learn more
*
* Under Attack?
Search
All
* Tech Docs
Close search modal
NEW TOOL SET FOUND USED AGAINST ORGANIZATIONS IN THE MIDDLE EAST, AFRICA AND THE
US
* 11,125
people reacted
*
* 46
* 14 min. read
Share
By Chema Garcia
December 1, 2023 at 3:00 AM
Category: Malware
Tags: .NET Framework, Advanced URL Filtering, Advanced WildFire, Agent Raccoon,
backdoor, CL-STA-0002, CL-STA-0043, Cortex XDR, DNS, DNS security, Mimikatz,
Mimilite, Ntospy
This post is also available in: 日本語 (Japanese)
EXECUTIVE SUMMARY
Unit 42 researchers observed a series of apparently related attacks against
organizations in the Middle East, Africa and the U.S. We will discuss a set of
tools used in the course of the attacks that reveal clues about the threat
actors’ activity. We are sharing this research to provide detection, prevention
and hunting recommendations to help organizations strengthen their overall
security posture.
These tools were used to perform the following activities:
* Establish backdoor capabilities
* For command and control (C2)
* Steal user credentials.
* Exfiltrate confidential information
Unit 42 is sharing these results with the purpose of helping organizations
defend against the tools observed here.
We assess with medium confidence that this threat activity cluster aligns to
nation-state related threat actors due to the nature of the organizations that
were compromised, the TTPs observed and the customization of the tool set. We
have not confirmed a particular nation-state or threat group.
Tools that were used in this cluster were the following:
* A new backdoor we’ve named Agent Racoon
* This malware family is written using the .NET framework and leverages the
domain name service (DNS) protocol to create a covert channel and provide
different backdoor functionalities. Threat actors have used this along with
the other two tools in multiple attacks targeting organizations across the
U.S., Middle East and Africa. Its C2 infrastructure dates back to 2020.
* A new tool we’ve named Ntospy
* This malware is a Network Provider DLL module designed to steal user
credentials.
* A customized version of Mimikatz called Mimilite
The compromised organizations belong to the following industries:
* Education
* Real estate
* Retail
* Non-profit organizations
* Telecom companies
* Governments
Based on unique similarities in tools as well as tactics, techniques and
procedures (TTPs), we are tracking this threat activity cluster as CL-STA-0002.
What follows is a detailed description of the activity we observed as well as
characteristics of the tool set.
Palo Alto Networks customers receive protection from these threats through
Cortex XDR as well as Advanced URL Filtering, DNS Security and Advanced
Wildfire. Organizations can engage the Unit 42 Incident Response team for
specific assistance with this threat and others.
Related Unit 42 Topics DNS, Mimikatz, Backdoor
TABLE OF CONTENTS
Activity Summary
Gaining Access to Credentials with Ntospy
Credentials Dumping Through Mimilite
Agent Racoon Backdoor
Data Exfiltration
Conclusion
Indicators of Compromise
Additional Resources
ACTIVITY SUMMARY
The threat actor used temporary directories such as C:\Windows\Temp and C:\Temp
to deploy specific components of their tool set across the different affected
organizations. They used the following similar filenames for batch and
PowerShell scripts:
* c:\windows\temp\crs.ps1
* c:\windows\temp\ebat.bat
* c:\windows\temp\install.bat
* c:\windows\temp\mslb.ps1
* c:\windows\temp\pb.ps1
* c:\windows\temp\pb1.ps1
* c:\windows\temp\pscan.ps1
* c:\windows\temp\set_time.bat
* c:\windows\temp\usr.ps1
While the attackers commonly used Ntospy across the affected organizations, the
Mimilite tool and the Agent Racoon malware have only been found in nonprofit and
government-related organizations’ environments.
After each attack session, the threat actor leveraged cleanmgr.exe to clean up
the environment used during the session.
GAINING ACCESS TO CREDENTIALS WITH NTOSPY
To perform credential theft, the threat actor used a custom DLL module
implementing a Network Provider. A Network Provider module is a DLL component
implementing the interface provided by Microsoft to support additional types of
network protocols during the authentication process.
This technique is pretty well documented. Sergey Polak demonstrated the
technique at BlackHat back in 2004 at his session titled “Capturing Windows
Passwords using the Network Provider API.” In 2020, researcher Grzegorz Tworek
uploaded his tool NPPSpy to GitHub, which also implements this technique.
Due to the file naming patterns of the DLL module, and as a reference to the
previous research and tools, Unit 42 researchers named this malware family
Ntospy. The threat actor registers the Ntospy DLL module as a Network Provider
module to hijack the authentication process, to get access to the user
credentials every time the victim attempts to authenticate to the system.
Figure 1 illustrates the path of the processes the malware used during the
authentication process to load the malicious DLL module in an MS Exchange Server
environment.
Figure 1. Image path of processes loading the malicious DLL component in an MS
Exchange environment.
The threat actor’s implementation of this technique has some unique features.
They created different versions of the Ntospy malware over the time frame we
observed. They all share similarities, such as the following:
* Using filenames with Microsoft patch patterns.
* .msu extensions pretending to be Microsoft Update Package files to store the
received credentials in cleartext.
* RichPE header hashes that link different samples to the same compilation
environment.
To install the DLL module, the threat actor registers a new Network Provider
called credman. They do so by using an installation script found at
C:\Windows\Temp\install.bat that installs the Network Provider by using reg.exe.
The malware then sets the DLL module path by pointing to the malicious DLL
module c:\windows\system32\ntoskrnl.dll.
Figure 2 shows static commonalities across the different DLL modules we
identified as belonging to the same malware family. The image also illustrates
that there are overlaps on the RichPE header hash as well as the PE sections of
the samples.
Figure 2. Graph of static features relation across samples.
In the group of samples with the same RichPE header hash, we saw that they had
been compiled using the same environment. In this case, that was Visual Studio
2019 v16.0.0 build 27508. Other samples of the malware family have been compiled
on different environments or even tweaked to avoid overlapping.
The samples that don’t share the same build environment are actually similar in
behavior, but they have some differences in implementation. For instance, some
of the malware samples contain the file path used to store the credentials
hard-coded in plain text. Figures 3 and 4 show how others use an encrypted file
path and stack strings.
Figure 3. Pseudocode showing the hard-coded file path in cleartext. Figure 4.
Pseudocode showing the file path encrypted with a stream cipher.
Decrypting the file path at runtime shows that the versions using an encrypted
file path also use the same file path pattern, as shown in Figure 5.
Figure 5. File path decrypted at runtime.
All the DLL modules we identified use the same file path pattern, abusing the
.msu file extension to masquerade as a Microsoft Update Package. The following
paths are used by the malware samples:
* c:/programdata/microsoft/~ntuserdata.msu
* c:/programdata/package cache/windows10.0-kb5000736-x64.msu
* c:/programdata/package cache/windows10.0-kb5009543-x64.msu
* c:/programdata/packag~1/windows 6.1-kb4537803.msu
Also, the DLL files are stored in the following file paths:
* C:\Windows\System32\ntoskrnl.dll
* C:\Windows\Temp\ntoskrnl.dll
* C:\Windows\Temp\ntos.dll
While the first file path is the one used to actually install the Network
Provider module, the Temp directory is the working directory used by the threat
actor to temporarily store the DLL modules. As shown in the file paths above,
the threat actor used Windows binary name patterns (based on the Windows system
file named ntoskrnl.exe) in an attempt to trick victims and analysts into
overlooking the malicious DLL component.
The first activity is identified with the malware sample with the file hash
SHA256 bcd2bdea2bfecd09e258b8777e3825c4a1d98af220e7b045ee7b6c30bf19d6df. This
overlaps with another threat activity cluster that we call CL-STA-0043,
originally published in June 2023.
CREDENTIALS DUMPING THROUGH MIMILITE
Another tool used for gathering credentials and sensitive information is a
customized version of the well-known Mimikatz tool that, according to references
within the sample, the threat actor calls Mimilite.
The tool is a reduced version of Mimikatz, which needs to be given a password
through the command line to run:
C:\temp\update.exe 1dsfjlosdf23dsfdfr
1
C:\temp\update.exe 1dsfjlosdf23dsfdfr
When the binary is executed, it takes the command-line argument as a decryption
key to decrypt the actual payload using a stream cipher. Before executing the
decrypted payload, the binary verifies that the payload has been successfully
decrypted with the right key by performing an integrity check. This check is
done by comparing the MD5 hash of the decrypted payload with the hard-coded
value b855dfde7f778f99a3724802715a0baa, as shown in the code snippet in Figure
6.
Figure 6. Execution logic.
When executed properly, the tool dumps the credentials to the file path
C:\Windows\Temp\KB200812134.txt. This choice of filename is another attempt by
the threat actors to masquerade as a Microsoft update.
The Mimilite sample was found at C:\temp\update.exe with the file hash SHA256
3490ba26a75b6fb295256d077e0dbc13e4e32f9fd4e91fb35692dbf64c923c98. It was first
uploaded to VirusTotal on 2020-05-11 05:43:00 UTC and first identified in the
wild on 2021-02-12 21:54:35 UTC. What we find interesting is that according to
VirusTotal, this sample has been uploaded and discovered in the wild using the
following path and filename:
C:\restrict\analysis\apt_sorted\attack_case\[REDACTED_LOCATION]\[REDACTED_COUNTRY_ISO_CODE]-computers\blobloader\3490ba26a75b6fb295256d077e0dbc13e4e32f9fd4e91fb35692dbf64c923c98
update.exe
1
2
3
C:\restrict\analysis\apt_sorted\attack_case\[REDACTED_LOCATION]\[REDACTED_COUNTRY_ISO_CODE]-computers\blobloader\3490ba26a75b6fb295256d077e0dbc13e4e32f9fd4e91fb35692dbf64c923c98
update.exe
The elements of this path might suggest that the same binary has been involved
in some sort of research that the uploader believed was linked with nation-state
actors.
AGENT RACOON BACKDOOR
The Agent Racoon malware family is built to provide backdoor capabilities. It is
written using the .NET framework, and leverages DNS to establish a covert
channel with the C2 server. Unit 42 researchers named the malware family Agent
Racoon due to some references found within the code of the identified samples,
as shown in Figure 7.
Figure 7. .NET Project details.
When executed, the threat has some predefined settings such as:
* The base domain used to create the DNS covert channel
* A unique key per sample, used as a seed to generate an encryption password to
encrypt the DNS communication
* A fallback DNS server if no DNS server can be read from the compromised
system
All the C2 domains identified fulfill the same base pattern, with unique values
for the four character identifier across different samples:
[4 characters].telemetry.[domain].com
The value of Program.dns_ip is different for each sample found, which could
indicate that the threat actor is building the binary with specific settings
gathered from the targeted environment.
Figure 8. Main function of the malware sample.
With that pattern, the threat communicates with the C2 server by adding
additional subdomains to build the DNS query. It uses Internationalizing Domain
Names for Applications’ (IDNA) domain names with Punycode encoding. This
encoding type is a representation of Unicode values over the ASCII encoding for
internet hostnames.
The domain names follow the pattern below:
[random_val].a.[4 characters].telemetry.[domain].com
The screenshot from Wireshark in Figure 9 illustrates a complete DNS query:
Figure 9. Sample DNS query.
To manage the communication with the C2 server, the malware uses a communication
loop shown in Figure 10.
Figure 10. Communication loop.
The following are some main features of the communication loop above:
* The communication loop finishes when the answer xn--cc is received from the
C2 server, or a communication error occurs.
* The randomized delay between messages can have multiple reasons:
* To avoid network spikes.
* To avoid potential network congestion.
* To provide randomness as an attempt to avoid network beaconing detection.
* The encryption of all the communication messages through Program.Util.RC.
The encryption routine implements a stream cipher that takes the initial unique
key per sample Program.key (this.defaultkey), as shown in Figure 11. It then
creates a 1-byte encryption key to later encrypt the message with an XOR.
Figure 11. Stream cipher routine.
Depending on the length of the message sent to the C2 server, different
subdomains are added to the query, as shown in the code snippet in Figure 12.
Figure 12. Partial request crafting.
The this.Rand() component of the fully qualified domain name (FQDN) build is
intended to avoid caching and ensure the request reaches out to the C2 server.
Agent Racoon provides the following backdoor functionality:
* Command execution
* File uploading
* File downloading
Although Agent Racoon does not provide any sort of persistence mechanism by
itself, during the activity we observed, the threat was executed by using
scheduled tasks.
Unit 42 researchers discovered the following samples using different subdomains
of telemetry.geoinfocdn[.]com, as shown in Figure 13. The domain
geoinfocdn[.]com was registered on 2022/08/19 UTC for one year.
Figure 13. Samples linked with file path and base C2 domain.
Unit 42 researchers were able to track the Agent Racoon malware family back to
July 2022. Two samples of the malware family were uploaded to VirusTotal from
Egypt and Thailand in September 2022 and July 2022 with the following SHA256
hashes:
* 3a2d0e5e4bfd6db9c45f094a638d1f1b9d07110b9f6eb8874b75d968401ad69c
* dee7321085737da53646b1f2d58838ece97c81e3f2319a29f7629d62395dbfd1
These two samples used the same subdomain patterns, but this time the domain
used for C2 was telemetry.geostatcdn[.]com. Threat actors performed the
following activities regarding this domain on the dates shown:
* Registered: 2020/08/27 UTC
* First seen in the wild: 2021/06/17 23:10:58 UTC
* Renewed: 2021/08/18 UTC
* Expired: 2022/08/27 UTC
Figure 14 shows that with this information, two groups of malware samples can be
identified using different C2 domain names and file paths since 2020.
Figure 14. Malware samples identified.
The threat actor tried to disguise the Agent Racoon binary as Google Update and
MS OneDrive Updater binaries.
The malware developers made small modifications to the source code in an attempt
to evade detection. Some samples used a domain hard-coded in plain text to
establish the DNS covert channel (as shown in Figure 15), whereas other samples
used a Base64 encoded string.
Figure 15. Base64 encoded C2 domain.
Aside from the Base64 feature, the differences are in the settings and not in
the actual source code, except for the sample with SHA256 hash
354048e6006ec9625e3e5e3056790afe018e70da916c2c1a9cb4499f83888a47.
This sample has a compilation timestamp that was modified and is outside the
time frame of activity: 2075/02/23 08:12:59 UTC.
As shown in Figure 16, the threat actor also tried to obfuscate the constant
cmd.exe to avoid signature-based detections. They did so by using the equivalent
Base64 encoded value with the added constant 399 so the equivalent Base64
encoded string can’t be detected through signatures.
Figure 16. Obfuscated cmd.exe pattern.
DATA EXFILTRATION
Unit 42 researchers also identified the collection and successful exfiltration
of confidential information, such as emails from MS Exchange environments, using
PowerShell snap-ins to dump the emails.
In the search criteria from the command above, the threat actor used similar
commands to search through different folders, mailboxes and dates to dump those
emails.
After dumping the emails, the threat actor tried to compress the .pst file with
a command-line RAR tool before exfiltrating it:
However, the threat actor canceled the attempt to compress the .pst file by
using the tool taskkill.exe approximately eight minutes later.
Eventually the threat actor discarded the usage of raren.exe and simply renamed
the .pst file, moving it to the IIS root directory and mimicking an error log in
a compressed file to download it through the web server.
And finally, the ai.pst file is removed.
This process is repeated for several mailboxes with different search criteria.
In addition to the email exfiltration, Unit 42 researchers identified
exfiltration of the victim’s Roaming Profile. A Roaming Profile is used to serve
the same profile to the user when logging in from different computers from the
same Active Directory environment.
To exfiltrate this, the threat actor compressed the directory by using the
standalone version of the 7-Zip tool (which they dropped into the system using
certutil.exe), and split the compressed file into chunks of 100 MB.
Later, following the same procedure, the threat actor exfiltrated the content.
CONCLUSION
Our hope in sharing the descriptions of this tool set is that readers can use
this information to search their networks to identify other possible attacks
using these tools. This tool set is not yet associated with a specific threat
actor, and not entirely limited to a single cluster or campaign.
As mentioned at the beginning of this article, we found an overlapping Ntospy
sample with SHA256
bcd2bdea2bfecd09e258b8777e3825c4a1d98af220e7b045ee7b6c30bf19d6df with a
previously identified threat activity cluster CL-STA-0043. However, the overlaps
are not limited to that sample.
We have also identified two compromised organizations in common across both
activity clusters. Some of the TTPs match on both clusters, such as the MS
Exchange PowerShell snap-ins and one of the Network Provider DLL modules.
Unit 42 researchers believe this threat activity cluster aligns with medium
confidence to nation-state related threat actors for the following reasons:
* The detection and defense evasion techniques used
* The exfiltration activity observed
* The victimology
* The customization level of the tools used
* The TTPs observed
Palo Alto Networks customers receive protections from the threats discussed
above through the following products:
* Cortex XDR includes detections and protections related to the IoCs shared in
this research
* Advanced URL Filtering and DNS Security blocks related C2 domains as
malicious
* The Advanced WildFire machine-learning models and analysis techniques have
been reviewed and updated in light of the IoCs shared in this research
If you think you may have been compromised or have an urgent matter, get in
touch with the Unit 42 Incident Response team or call:
* North America Toll-Free: 866.486.4842 (866.4.UNIT42)
* EMEA: +31.20.299.3130
* APAC: +65.6983.8730
* Japan: +81.50.1790.0200
Palo Alto Networks has shared these findings with our fellow Cyber Threat
Alliance (CTA) members. CTA members use this intelligence to rapidly deploy
protections to their customers and to systematically disrupt malicious cyber
actors. Learn more about the Cyber Threat Alliance.
MITRE ATT&CK Mapping
During the research activity related to the tool set uncovered on this blog,
Unit 42 researchers identified a set of TTPs, which we’ve mapped to the MITRE
ATT&CK matrix in the table below.
ID Name T1003 OS Credential Dumping T1018 Remote System Discovery T1021.006
Remote Services: Windows Remote Management T1027.009 Obfuscated Files or
Information: Embedded Payloads T1030 Data Transfer Size Limits T1036.005
Masquerading: Match Legitimate Name or Location T1036.008 Masquerading:
Masquerade File Type T1041 Exfiltration Over C2 Channel T1046 Network Service
Discovery T1047 Windows Management Instrumentation T1053.005 Scheduled Task/Job:
Scheduled Task T1059.001 Command and Scripting Interpreter: PowerShell T1059.003
Command and Scripting Interpreter: Windows Command Shell T1070.004 Indicator
Removal: File Deletion T1070.006 Indicator Removal: Timestomp T1071.004
Application Layer Protocol: DNS T1074 Data Staged T1078.002 Valid Accounts:
Domain Accounts T1087.002 Account Discovery: Domain Account T1112 Modify
Registry T1114 Email Collection T1132.001 Data Encoding: Standard Encoding
T1136.002 Create Account: Domain Account T1140 Deobfuscate/Decode Files or
Information T1505.003 Server Software Component: Web Shell T1556.008 Modify
Authentication Process: Network Provider DLL T1560.001 Archive Collected Data:
Archive via Utility T1564.002 Hide Artifacts: Hidden Users T1570 Lateral Tool
Transfer T1573.001 Encrypted Channel: Symmetric Cryptography T1583.001 Acquire
Infrastructure: Domains T1583.002 Acquire Infrastructure: DNS Server T1587.001
Develop Capabilities: Malware
INDICATORS OF COMPROMISE
IoC Type Description
2632bcd0715a7223bda1779e107087964037039e1576d2175acaf61d3759360f SHA256
C:\Windows\Temp\install.bat
ae989e25a50a6faa3c5c487083cdb250dde5f0ecc0c57b554ab77761bdaed996 SHA256
C:\Windows\Temp\install.bat C:\Windows\Temp\install.bat File path Script to
install the Network Provider module c:/programdata/microsoft/~ntuserdata.msu
File path File to store the stolen user credentials
c:/programdata/packag~1/windows 6.1-kb4537803.msu File path File to store the
stolen user credentials c:/programdata/package
cache/windows10.0-kb5009543-x64.msu File path File to store stolen user
credentials c:/programdata/package cache/windows10.0-kb5000736-x64.msu File
path File to store stolen user credentials credman Network provider name Network
Provider name HKLM\SYSTEM\CurrentControlSet\Services\credman Registry key path
Registry path of the Network Provider c:\windows\system32\ntoskrnl.dll File path
Network Provider module file path C:\Windows\Temp\ntos.dll File path File path
used to temporarily store the DLL module C:\Windows\Temp\ntoskrnl.dll File path
File path used to temporarily store the DLL module
e30f8596f1beda8254cbe1ac7a75839f5fe6c332f45ebabff88aadbce3938a19 SHA256 Ntospy
DLL Module 1a4301019bdf42e7b2df801e04066a738d184deb22afcad9542127b0a31d5cfa
SHA256 Ntospy DLL Module
e7682a61b6c5b0487593f880a09d6123f18f8c6da9c13ed43b43866960b7aa8e SHA256 Ntospy
DLL Module 58e87c0d9c9b190d1e6e44eae64e9a66de93d8de6cbd005e2562798462d05b45
SHA256 Ntospy DLL Module
7eb901a6dbf41bcb2e0cdcbb67c53ab722604d6c985317cb2b479f4c4de7cf90 SHA256 Ntospy
DLL Module f45ea12579f636026d29009190221864f432dbc3e26e73d8f3ab7835fa595b86
SHA256 Ntospy DLL Module
bcd2bdea2bfecd09e258b8777e3825c4a1d98af220e7b045ee7b6c30bf19d6df SHA256 Ntospy
DLL Module C:\temp\update.exe File path Mimilite 1dsfjlosdf23dsfdfr Encryption
key Mimilite decryption key b855dfde7f778f99a3724802715a0baa MD5 Mimilite
payload hash 4351911f266eea8e62da380151a54d5c3fbbc7b08502f28d3224f689f55bffba
SHA256 Agent Racoon
e0748ce315037253f278f7f8f2820c7dd8827a93b6d22d37dafc287c934083c4 SHA256 Agent
Racoon baed169ce874f6fe721e0d32128484b3048e9bf58b2c75db88d1a8b7d6bb938d SHA256
Agent Racoon 3a2d0e5e4bfd6db9c45f094a638d1f1b9d07110b9f6eb8874b75d968401ad69c
SHA256 Agent Racoon
4351911f266eea8e62da380151a54d5c3fbbc7b08502f28d3224f689f55bffba SHA256 Agent
Racoon 354048e6006ec9625e3e5e3056790afe018e70da916c2c1a9cb4499f83888a47 SHA256
Agent Racoon dee7321085737da53646b1f2d58838ece97c81e3f2319a29f7629d62395dbfd1
SHA256 Agent Racoon geostatcdn[.]com Domain C2 telemetry.geostatcdn[.]com Domain
C2 fdsb.telemetry.geostatcdn[.]com Domain C2 dlbh.telemetry.geostatcdn[.]com
Domain C2 lc3w.telemetry.geostatcdn[.]com Domain C2
hfhs.telemetry.geostatcdn[.]com Domain C2 geoinfocdn[.]com Domain C2
telemetry.geoinfocdn[.]com Domain C2 g1sw.telemetry.geoinfocdn[.]com Domain C2
c:/windows/temp/onedriveupdater.exe File path Agent Racoon path
c:/windows/system32/msmdlb.exe File path Agent Racoon path
c:/windows/temp/onedriveupdater.exe File path Agent Racoon path c:/program files
(x86)/google/update/googleupdate.exe File path Agent Racoon path
c:\windows\temp\mslb.ps1 File path Script used to deploy the Agent Racoon
c:\windows\temp\set_time.bat File path Script used to perform timestomping
against additional tools c:\windows\temp\pscan.ps1 File path Script to scan the
network c:\windows\temp\crs.ps1 File path Helper script c:\windows\temp\usr.ps1
File path Helper script c:\windows\temp\pb.ps1 File path Helper script
c:\windows\temp\ebat.bat File path Helper script c:\windows\temp\pb1.ps1 File
path Helper script c:\windows\temp\raren.exe File path Command line RAR
aabbcc123 Password Password used to create the email archive
086a6618705223a8873448465717e288cf7cc6a3af4d9bf18ddd44df6f400488 SHA256
raren.exe file hash P@ssw0rd1 Password Password used to compress the user
profile directory Assistance$ Username User created for persistence Zaqwsx123
Password User created for persistence
ADDITIONAL RESOURCES
* It’s All in the Name: How Unit 42 Defines and Tracks Threat Adversaries –
Unit 42, Palo Alto Networks
* Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting
Governments in the Middle East and Africa – Unit 42, Palo Alto Networks
* NPPSpy - NPPSpy GitHub repository
* Capturing Windows Passwords using the Network Provider API - BlackHat 2004
* Network Provider API - Microsoft
* NPLogonNotify - Microsoft
* Roaming Profiles - Microsoft
GET UPDATES FROM
PALO ALTO
NETWORKS!
Sign up to receive the latest news, cyber threat intelligence and research from
us
Please enter your email address!
Please mark, I'm not a robot!
By submitting this form, you agree to our Terms of Use and acknowledge our
Privacy Statement.
POPULAR RESOURCES
* Resource Center
* Blog
* Communities
* Tech Docs
* Unit 42
* Sitemap
LEGAL NOTICES
* Privacy
* Terms of Use
* Documents
ACCOUNT
* Manage Subscriptions
*
* Report a Vulnerability
© 2024 Palo Alto Networks, Inc. All rights reserved.
This site uses cookies essential to its operation, for analytics, and for
personalized content and ads. Please read our privacy statement for more
information.Privacy statement
Cookies Settings Reject All Accept All
Your Opt Out Preference Signal is Honored
PRIVACY PREFERENCE CENTER
When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
More information on cookie consent
Allow All
MANAGE YOUR CONSENT PREFERENCES
STRICTLY NECESSARY COOKIES
Always Active
These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to
block or alert you about these cookies, but some parts of the site will not then
work. These cookies do not store any personally identifiable information.
PERFORMANCE COOKIES
Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.
FUNCTIONAL COOKIES
Functional Cookies
These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then
some or all of these services may not function properly.
TARGETING COOKIES
Targeting Cookies
These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.
Back Button
COOKIE LIST
Search Icon
Filter Icon
Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label
Reject All Confirm My Choices