Malware, Cloud Security

Fake Google Update and Microsoft OneDrive binaries used in malicious attacks

Organizations in the government, real estate, telecommunications, retail, and other sectors across the U.S., Africa, and the Middle East have been subjected to intrusions attributed to the new CL-STA-0002 threat cluster, which included the deployment of the novel Agent Racoon backdoor, the custom Mimikatz variant Mimilite, and the new Ntospy utility, according to The Hacker News. Agent Racoon, which masquerades as Google Update and Microsoft OneDrive Updater binaries, supports command execution as well as file uploads and downloads, a report from Palo Alto Networks' Unit 42 showed. Ntospy, meanwhile, uses a custom DLL module to exfiltrate credentials to a remote server. Threat actors using this toolset compromised both emails and Roaming Profiles from Microsoft Exchange Server instances. "While the attackers commonly used Ntospy across the affected organizations, the Mimilite tool and the Agent Racoon malware have only been found in nonprofit and government-related organizations' environments," said researcher Chema Garcia.
