Organizations in the government, real estate, telecommunications, retail, and other sectors across the U.S., Africa, and the Middle East have been subjected to intrusions under the new CL-STA-0002 threat cluster, which included the deployment of the novel Agent Racoon backdoor, custom Mimikatz variant Mimilite, and the new Ntospy utility, according to The Hacker News.
Aside from enabling command execution, Agent Racoon, which masquerades as binaries of Google Update and Microsoft OneDrive Updater, can also upload and download files, a report from Palo Alto Networks' Unit 42 showed. Ntospy, meanwhile, leverages a custom DLL module to enable credential exfiltration to a remote server. Threat actors using the attack toolset compromised both emails and Roaming Profiles from Microsoft Exchange Server instances. "While the attackers commonly used Ntospy across the affected organizations, the Mimilite tool and the Agent Racoon malware have only been found in nonprofit and government-related organizations' environments," said researcher Chema Garcia.
Malicious updates have been recently issued to the Python Package Index package "django-log-tracker," which was last modified in April 2022, to facilitate the distribution of the Nova Sentinel information-stealing malware, The Hacker News reports.