Agent Racoon wreaks havoc on US, Middle East & Africa

Dec 04 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that sacrifices more cybercriminals than #Napoleon sacrifices French troops 👀💀 We couldn’t Joaquin it! 🙈

Today’s hottest cybersecurity news stories:

  • 🦝 Agent Racoon wreaks havoc on US, Middle East & Africa 🌎

  • 🦆 Qakbot bites the dust: mitigations & protections commence 🛡️

  • 👻 FjordPhantom Android malware attacks banks in SE Asia 🍜

It’s the worst we’ve seen in a ‘coon’s age 😁

๐ŸŒ Cybersecurity Alert: New Threat Targeting Organisations in the Middle East, Africa, and the U.S. ๐Ÿšจ

๐Ÿ” The Threat: An unidentified threat actor is spreading a new backdoor named Agent Racoon, employing the .NET framework and DNS protocol to create a hidden channel. Targets include education, real estate, retail, non-profits, telecom, and government sectors, suggesting a potential nation-state involvement.

๐Ÿ›ก๏ธ Cybersecurity Response: Palo Alto Networks Unit 42, in their analysis, tracks this threat under CL-STA-0002. The attack methods and defence evasion techniques point to sophisticated nation-state alignment.

๐Ÿ“… Timeline and Breach Details: The exact timeline and breach methods remain unclear. The malware, disguised as Google Update and Microsoft OneDrive Updater binaries, allows for command execution, file uploading, and downloading.

๐Ÿ’ป Tools Deployed: Apart from Agent Racoon, the adversary deploys tools like Mimilite and Ntospy. Ntospy, a custom DLL module, steals credentials to a remote server.

๐Ÿ” Command-and-Control Infrastructure: The C2 infrastructure has been active since August 2020. Evidence indicates successful data exfiltration from Microsoft Exchange Server environments, including email theft and Roaming Profile harvesting.

๐Ÿ‘พ Conclusion: Despite the evidence of data theft, the threat actor remains unidentified, and the tool set is not tied to a specific actor or campaign, raising concerns about potential future attacks.

Stay vigilant, update your security protocols, and monitor for any suspicious activity. ๐Ÿš€
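The DNS-based hidden channel described above is the part of this campaign a defender can actually watch for in their own logs. The following is an added example, not code from the newsletter or from Unit 42's analysis: a small heuristic detector that runs over constructed DNS resolver log lines and flags parent domains receiving many distinct, long, high-entropy subdomain queries, which is the shape DNS tunnelling typically leaves behind. The log line format, the thresholds, and the "last two labels are the registrable domain" rule are all assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of DNS resolver logs (not real data or IoCs).
# Assumed format: "<timestamp> <client-ip> <query-name> <query-type>".
# The four hex-labelled TXT queries imitate the traffic a DNS covert
# channel produces; the example.com lines are ordinary lookups, including
# one long but human-readable hostname that must NOT be flagged.
SAMPLE_LOG = """\
2023-12-01T09:00:01Z 10.0.0.15 www.example.com A
2023-12-01T09:00:02Z 10.0.0.15 mail.example.com MX
2023-12-01T09:00:03Z 10.0.0.22 0123456789abcdef0123456789abcdef.updates.example-cdn.net TXT
2023-12-01T09:00:04Z 10.0.0.22 123456789abcdef0123456789abcdef0.updates.example-cdn.net TXT
2023-12-01T09:00:05Z 10.0.0.15 login.example.com A
2023-12-01T09:00:06Z 10.0.0.22 23456789abcdef0123456789abcdef01.updates.example-cdn.net TXT
2023-12-01T09:00:07Z 10.0.0.15 cdn.example.com A
2023-12-01T09:00:08Z 10.0.0.22 3456789abcdef0123456789abcdef012.updates.example-cdn.net TXT
2023-12-01T09:00:09Z 10.0.0.15 veryveryveryverylonghostname.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Query types commonly abused to carry data in responses.
DATA_CARRYING_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted data scores high, words score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def parse_line(line: str):
    """Return (timestamp, client, qname, qtype) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return ts, client, qname.lower().rstrip("."), qtype.upper()


def analyze(log_text: str, min_unique: int = 3, min_entropy: float = 3.5,
            min_label_len: int = 20):
    """Aggregate queries per parent domain and flag tunnelling-like patterns."""
    per_parent = defaultdict(lambda: {"queries": 0, "unique": set(), "clients": set(),
                                      "max_label": 0, "entropy_sum": 0.0, "data_qtypes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname, qtype = rec
        labels = qname.split(".")
        # Assumption: the registrable domain is the last two labels. A real
        # deployment would consult the Public Suffix List (co.uk etc.).
        parent = ".".join(labels[-2:])
        longest = max(labels, key=len)
        s = per_parent[parent]
        s["queries"] += 1
        s["unique"].add(qname)
        s["clients"].add(client)
        s["max_label"] = max(s["max_label"], len(longest))
        s["entropy_sum"] += shannon_entropy(longest)
        if qtype in DATA_CARRYING_QTYPES:
            s["data_qtypes"] += 1

    findings = []
    for parent, s in per_parent.items():
        mean_entropy = s["entropy_sum"] / s["queries"]
        # All three conditions together: many distinct names, long labels,
        # and label content that looks encoded rather than human-chosen.
        if (len(s["unique"]) >= min_unique and s["max_label"] >= min_label_len
                and mean_entropy >= min_entropy):
            findings.append({
                "parent": parent,
                "clients": sorted(s["clients"]),
                "unique_names": len(s["unique"]),
                "max_label_len": s["max_label"],
                "mean_label_entropy": round(mean_entropy, 2),
                "data_qtype_ratio": round(s["data_qtypes"] / s["queries"], 2),
            })
    return sorted(findings, key=lambda f: f["unique_names"], reverse=True)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print("suspicious DNS pattern:", finding)
```

On the constructed sample only example-cdn.net is reported: the long veryveryveryverylonghostname.example.com label passes the length test but its entropy is too low, which is why length alone is a poor signal. Treat hits as triage leads rather than verdicts, since CDNs, DKIM keys and some telemetry also produce long encoded labels; tune the thresholds against a baseline of your own resolver logs.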

Your info is on the dark web

Every day, data brokers profit from your sensitive info—phone number, DOB, SSN—selling it to the highest bidder. And who’s buying it? Best case: Companies targeting you with ads. Worst case: Scammers and identity thieves.

It's time you check out Incogni. It scrubs your personal data from the web, confronting the world’s data brokers on your behalf. And unlike other services, Incogni helps remove your sensitive information from all broker types, including those tricky People Search Sites.

Help protect yourself from identity theft, spam calls, and health insurers raising your rates. Plus, just for our readers: Get 60% off the Incogni annual plan at this link with code PRIVACY.

Duck, Duck, Qak 🦆

🚨 Breaking News: DOJ and FBI Collaborate to Dismantle Qakbot Threat 🌍

🔒 Takedown Success: The U.S. Department of Justice and the FBI joined forces in a global operation to dismantle the Qakbot malware and botnet. However, concerns linger as Qakbot may still pose a risk in a reduced form.

🌍 Global Impact: The malware infected 700,000 devices globally, with 200,000 in the U.S. Recent reports suggest Qakbot remains active, albeit weakened.

🚫 Limitations of Takedown: While the operation removed Qakbot from compromised devices, the absence of arrests means threat actors continue operating, posing an ongoing danger.

🔐 Mitigations for Protection: FBI and CISA recommend multi-factor authentication, employee training, software updates, strong passwords, network traffic filtering, recovery plans, and adherence to the "3-2-1" backup rule.

🛡️ Checking for Past Infections: The DOJ recovered 6.5 million stolen credentials. Check your status using tools like Have I Been Pwned, Check Your Hack, and the World's Worst Passwords List.

🌍 Stay Informed: While the takedown is a milestone, vigilance is crucial. BlackBerry's CylanceENDPOINT solution is recommended for protection.

🔗 Resources: For more details and mitigation resources, visit the DOJ's Qakbot resources page.

👁️‍🗨️ Conclusion: Despite the takedown, the threat landscape is complex. Stay vigilant, implement security measures, and explore recommended solutions to thwart potential Qakbot resurgence. 🔒

🎣 Catch of the Day!! 🌊🐟🦞

🃏 The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya 😂 Let us tell you who’s not fooling around though; that’s the Crüe 👀 at Motley Fool. You’d be a fool (alright, enough already! 🙈) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! 🐛 Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets 🤑 (LINK)

🚵 Wander: Find your happy place. Cue Happy Gilmore flashback 🏌️⛳🌈🕊️ Mmmm Happy Place… 😇 So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels set Wander apart from your run-of-the-mill American getaway 🏞️😍 (LINK)

🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ⚾👻🍿 (Great movie, to be fair 🙈). This is Digital Ocean, who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty 😑). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho 😉 And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

Can you affjord to take any chances? 😬

🚨 Alert: New Android Malware – FjordPhantom Strikes Southeast Asia! 📱

🌍 Threat Overview: Cybersecurity researchers have identified FjordPhantom, a sophisticated Android malware targeting users in Southeast Asian nations such as Indonesia, Thailand, and Vietnam since September 2023.

🤖 Infiltration Tactics: The malware spreads through messaging services, employing app-based malware and social engineering to deceive banking customers. Victims are tricked into downloading a fake banking app via email, SMS, or messaging apps.

🕵️‍♂️ Social Engineering Twist: FjordPhantom employs a telephone-oriented attack delivery (TOAD) technique. After downloading the deceptive app, victims call a bogus call centre and receive step-by-step instructions from the operators.

🔒 Virtualization Stealth: What makes FjordPhantom unique is its use of virtualization, which breaks Android's sandbox protections. This allows the malware to access sensitive data without requiring root access, injecting code into applications discreetly.

💡 How It Works: The malware loads a virtual container with a malicious module and the target bank's legitimate app. It alters key APIs to grab sensitive information programmatically, avoiding detection.

🛡️ Protection Measures: Google emphasises that Google Play Protect warns about or blocks malicious apps, providing a layer of defence against FjordPhantom.

🌍 Modular Threat: FjordPhantom adapts its attacks based on the embedded banking app, making it a versatile threat targeting various banking apps.

🔗 Stay Secure: Be cautious with app downloads, particularly from sources outside Google Play. Stay informed about emerging threats to protect your devices! 🛑🚀

๐Ÿ—ž๏ธ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Libby Copa:ย The Rebel Newsletter helps writers strengthen their writing and creative practice, navigate the publishing world, and turn their art into an act of rebellion.

  • Techspresso:ย Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!
