Hackers often target US organizations due to the country’s economic and technological dominance, seeking valuable data for the following purposes:-
- Financial gain
- Cyber espionage
- Geopolitical motivations,
- Desire to exploit technological vulnerabilities
The cybersecurity researchers at Unit 42 recently noted that hackers are actively attacking US organizations with the help of new hacking tools.
Besides the organizations based in the USA, hackers are also targeting organizations in the following countries:-
The new hacking tools that the hackers used were used to perform the following illicit activities:-
- Establish backdoor capabilities
- For command and control (C2)
- Steal user credentials
- Exfiltrate confidential information
Compromised Organizations’ Industries
Here below, we have mentioned all the compromised organizations that belonged to the following industries:-
- Education
- Real estate
- Retail
- Non-profit organizations
- Telecom companies
- Governments
New Set of Hacking Tools
Threat actors deployed tools in the following directories across organizations, using consistent filenames for batch and PowerShell scripts:-
Here below, we have mentioned all the similar filenames for batch and PowerShell scripts:-
- c:windowstempcrs.ps1
- c:windowstempebat.bat
- c:windowstempinstall.bat
- c:windowstempmslb.ps1
- c:windowstemppb.ps1
- c:windowstemppb1.ps1
- c:windowstemppscan.ps1
- c:windowstempset_time.bat
- c:windowstempusr.ps1
Attackers deployed the following tools and malware and after each session, the cleanmgr.exe was used to clear up the environment:-
- Ntospy (Used across the affected organizations)
- Mimilite (Limited to nonprofit and government-related organizations)
- Agent Racoon (Limited to nonprofit and government-related organizations)
To steal credentials, the threat actor utilized a custom DLL as a Network Provider module, a known technique documented since 2004.
Named Ntospy by Unit 42, the malware family hijacks the authentication process, accessing user credentials upon authentication attempts.
Threat actor installs the DLL module via credman Network Provider, using C:WindowsTempinstall.bat script with reg.exe.
Besides this, the DLL path is set to:-
- c:windowssystem32ntoskrnl.dll
Researchers linked DLL modules to the same malware family based on shared static traits like RichPE header hash and PE sections.
Samples with identical RichPE header hashes were compiled in the same environment. Even those with different build environments exhibit similar behavior but vary in implementation.
Threat actors use a customized Mimikatz tool named Mimilite for credentialing and data gathering.
The tool decrypts its payload using a command-line argument as a key, verifying integrity with an MD5 hash check before execution.
Dumped credentials are stored in C:WindowsTempKB200812134.txt, disguising the activity as a Microsoft update.
The .NET-based Agent Racoon malware creates a DNS covert channel for C2 communication, earning its name from embedded references discovered by Unit 42 researchers.
Here below, we have mentioned all the functionalities of Agent Racoon:-
- Command execution
- File uploading
- File downloading
Alongside email data, Unit 42 found Roaming Profile exfiltration. The threat actor compressed the directory using 7-Zip dropped via certutil.exe, splitting the file into 100 MB chunks for exfiltration.
Moreover, researchers have not yet associated this tool set with a specific threat actor or threat group.