Agent Racoon wreaks havoc on US, Middle East & Africa

Dec 04 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that sacrifices more cybercriminals than #Napoleon sacrifices French troops. We couldn’t Joaquin it!

Today’s hottest cybersecurity news stories:

  • Agent Racoon wreaks havoc on US, Middle East & Africa

  • Qakbot bites the dust: mitigations & protections commence

  • FjordPhantom Android malware attacks banks in SE Asia

It’s the worst we’ve seen in a ‘coon’s age

Cybersecurity Alert: New Threat Targeting Organisations in the Middle East, Africa, and the U.S.

The Threat: An unidentified threat actor is deploying a new backdoor named Agent Racoon. Written for the .NET framework, it uses the DNS protocol to build a covert command-and-control channel. Victims span education, real estate, retail, non-profits, telecom and government, a spread of sectors that suggests nation-state involvement.

Cybersecurity Response: Palo Alto Networks Unit 42 tracks the activity as CL-STA-0002. The attack methods and defence-evasion techniques point to a sophisticated, nation-state-aligned operator.

Timeline and Breach Details: The exact timeline and initial-access methods remain unclear. The backdoor masquerades as Google Update and Microsoft OneDrive Updater binaries and supports command execution, file upload and file download.

Tools Deployed: Alongside Agent Racoon the adversary uses Mimilite, a customised build of the Mimikatz credential dumper, and Ntospy, a custom DLL that registers itself as a Windows network provider so it can capture credentials as users authenticate.

Command-and-Control Infrastructure: The C2 domains have been active since at least August 2020. Evidence shows successful exfiltration from Microsoft Exchange Server environments, including theft of emails and harvesting of victims’ Roaming Profiles.

Conclusion: Despite clear evidence of data theft, the actor remains unidentified and the tool set is not yet tied to a known group or campaign, so further use against new targets should be expected.

Stay vigilant, keep security controls current, and watch for anomalous DNS traffic and unexpected binaries posing as vendor updaters.
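The DNS covert channel is the detail a defender can act on: a backdoor that talks to its operator over DNS has to pack data into query names, which leaves long, high-entropy subdomains and unusual record types in resolver logs. The script below is an added example written for this newsletter, not code from Unit 42 or from the Agent Racoon sample, and it does not know Agent Racoon’s specific encoding; it is a generic DNS-tunnelling heuristic that scores every registered domain seen in a resolver log. The log format (timestamp, client, query type, name) and all of the log lines are constructed for the example, and the registered-domain split assumes plain two-label TLDs (no public-suffix list).

```python
"""Heuristic detector for DNS-based covert channels over resolver logs.

Added example for the newsletter; not code from Unit 42 or the malware.
Signals: long high-entropy subdomains (encoded payload), many distinct
subdomains under one registered domain (one query per chunk), and record
types such as TXT/NULL that tunnels favour because they carry large answers.
"""
import math
import re
from collections import defaultdict

# Constructed log format (assumption): "<timestamp> <client> query[<type>] <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)$"
)


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload scores far above dictionary words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels (assumption: no public-suffix list, so 'co.uk'-style TLDs are not handled)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_payload(qname: str) -> str:
    """Everything left of the registered domain, dots removed: where a tunnel hides its data."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-2])


def parse_log(lines):
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_dns_tunnels(lines, min_payload_len=30, min_entropy=3.5,
                       min_unique=5, rare_types=("TXT", "NULL")):
    """Return {registered_domain: [reasons]} for domains showing tunnel-like traffic."""
    per_domain = defaultdict(lambda: {"unique": set(), "encoded": 0, "rare": 0})
    for rec in parse_log(lines):
        stats = per_domain[registered_domain(rec["qname"])]
        payload = subdomain_payload(rec["qname"])
        stats["unique"].add(payload)
        if len(payload) >= min_payload_len and shannon_entropy(payload) >= min_entropy:
            stats["encoded"] += 1
        if rec["qtype"] in rare_types:
            stats["rare"] += 1

    findings = {}
    for dom, s in per_domain.items():
        reasons = []
        if s["encoded"]:
            reasons.append(f"{s['encoded']} queries with long high-entropy subdomains")
        if len(s["unique"]) >= min_unique:
            reasons.append(f"{len(s['unique'])} distinct subdomains")
        if s["rare"]:
            reasons.append(f"{s['rare']} {'/'.join(rare_types)} lookups")
        # Encoded-looking subdomains alone would flag CDNs and DKIM/SPF lookups;
        # require at least one corroborating signal before reporting.
        if s["encoded"] and len(reasons) >= 2:
            findings[dom] = reasons
    return findings


_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # base32 alphabet, used to build fake payload chunks

# Constructed sample log: normal lookups, a busy but benign CDN, and six TXT queries
# whose 40-character subdomains look like base32-encoded chunks of data.
SAMPLE_LOG = [
    "2023-12-04T09:00:01Z 10.0.0.5 query[A] www.example.com",
    "2023-12-04T09:00:02Z 10.0.0.5 query[A] mail.example.com",
] + [
    f"2023-12-04T09:01:{i:02d}Z 10.0.0.9 query[A] img{i}.cdn-legit.com" for i in range(1, 7)
] + [
    f"2023-12-04T09:02:{i:02d}Z 10.0.0.7 query[TXT] "
    f"{_ALPHABET[i:] + _ALPHABET[:i] + _ALPHABET[:8]}.updates-cdn.net"
    for i in range(1, 7)
]

if __name__ == "__main__":
    for dom, reasons in detect_dns_tunnels(SAMPLE_LOG).items():
        print(f"{dom}: " + "; ".join(reasons))
```

Run against the constructed sample, `updates-cdn.net` is reported on all three signals while `cdn-legit.com`, which also has six distinct subdomains, is not, because its labels are short and low-entropy. Thresholds are starting points: tune `min_payload_len` and `min_entropy` against a week of your own resolver logs before alerting on them.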

Your info is on the dark web

Every day, data brokers profit from your sensitive info—phone number, DOB, SSN—selling it to the highest bidder. And who’s buying it? Best case: Companies targeting you with ads. Worst case: Scammers and identity thieves.

It's time you check out Incogni. It scrubs your personal data from the web, confronting the world’s data brokers on your behalf. And unlike other services, Incogni helps remove your sensitive information from all broker types, including those tricky People Search Sites.

Help protect yourself from identity theft, spam calls, and health insurers raising your rates. Plus, just for our readers: Get 60% off the Incogni annual plan at this link with code PRIVACY.

Duck, Duck, Qak

Breaking News: DOJ and FBI Collaborate to Dismantle Qakbot Threat

Takedown Success: The U.S. Department of Justice and the FBI led a multinational operation that dismantled the Qakbot malware and botnet. Concerns linger, however, because Qakbot may still pose a risk in a reduced form.

Global Impact: The malware had infected more than 700,000 devices worldwide, including over 200,000 in the U.S. Recent reports suggest Qakbot remains active, albeit weakened.

Limitations of the Takedown: The operation removed Qakbot from compromised devices by redirecting the botnet’s traffic to law-enforcement servers that instructed infected machines to uninstall the malware, but no arrests were made, so the operators remain free to rebuild.

Mitigations for Protection: FBI and CISA recommend multi-factor authentication, employee training, timely software updates, strong passwords, network traffic filtering, a tested recovery plan, and the “3-2-1” backup rule: three copies of your data, on two different media, with one copy off-site.

Checking for Past Infections: The DOJ recovered roughly 6.5 million stolen credentials. Check whether yours are among them using tools like Have I Been Pwned, Check Your Hack, and the World’s Worst Passwords List.

Stay Informed: The takedown is a milestone, not an end state, so vigilance is still required. BlackBerry recommends its CylanceENDPOINT solution for protection.

Resources: For more details and mitigation resources, see the DOJ’s Qakbot resources page.

Conclusion: Despite the takedown, the threat landscape is complex. Stay vigilant, implement the measures above, and be ready for a Qakbot resurgence.
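Have I Been Pwned’s password check is worth understanding before you paste a password into any website: its range API uses k-anonymity, so the client sends only the first five hex characters of the password’s SHA-1 and matches the rest locally against the few hundred suffixes the server returns. The code below is an added example for this newsletter, not HIBP’s own client or the newsletter’s code; it implements that protocol with Python’s standard library. The endpoint and response format (`SUFFIX:COUNT` lines) are HIBP’s published ones; the sample response body and its count are constructed so the matching logic can run offline, and a live lookup is only attempted when no `fetch` function is supplied.

```python
"""k-anonymous password breach check against the HIBP Pwned Passwords range API.

Added example for the newsletter, not code from Have I Been Pwned.
Only the 5-character SHA-1 prefix ever leaves the machine.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_suffix(range_body: str, suffix: str) -> int:
    """Return the breach count for `suffix` in a range response, or 0 if it is absent.

    Padded responses (Add-Padding: true) contain extra suffixes with count 0,
    which is why a 0 result means 'not found' rather than 'found zero times'.
    """
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Live HTTPS lookup; needs network. Padding hides the true result size from observers."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "newsletter-example-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=None) -> int:
    """Number of times `password` appeared in known breaches (0 = not seen).

    `fetch(prefix) -> body` lets callers inject a cached or constructed response.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    body = (fetch or fetch_range_live)(prefix)
    return match_suffix(body, suffix)


# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so prefix 5BAA6.
# Constructed response body for that prefix: a padded entry, an unrelated real-looking
# suffix, and the "password" suffix with a made-up count of 12345.
CONSTRUCTED_RANGE_5BAA6 = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:0",
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
])

if __name__ == "__main__":
    offline = lambda prefix: CONSTRUCTED_RANGE_5BAA6  # constructed, no network
    print("password ->", pwned_count("password", fetch=offline))
    print("xK9#vL2$pQ7!mN4 ->", pwned_count("xK9#vL2$pQ7!mN4", fetch=offline))
```

To run it for real, drop the `fetch=` argument so `fetch_range_live` is used; the prefix for `password` returns several hundred suffixes and the server never learns which one you were looking for. Never log or transmit the full hash, and prefer this range endpoint over any form that asks for the password itself.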

Catch of the Day!!

The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya. Let us tell you who’s not fooling around though; that’s the Crüe at Motley Fool. You’d be a fool (alright, enough already!) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets. (LINK)


Wander: Find your happy place. Cue Happy Gilmore flashback. Mmmm, Happy Place… So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breathtaking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations, along with the innovative architecture of the hotels, set Wander apart from your run-of-the-mill American getaway. (LINK)


Digital Ocean: If you build it, they will come. Nope, we’re not talking about a baseball field for ghosts (great movie, to be fair). This is Digital Ocean, who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty). But if you can, and you’re looking for somewhere to test things out, launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho. And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! (LINK)

Can you affjord to take any chances?

Alert: New Android Malware – FjordPhantom Strikes Southeast Asia!

Threat Overview: Security researchers have uncovered FjordPhantom, a sophisticated Android banking trojan that has targeted users in Southeast Asian countries including Indonesia, Thailand and Vietnam since September 2023.

Infiltration Tactics: The malware is delivered by social engineering rather than through an app store. Banking customers receive an email, SMS or chat message that lures them into downloading what appears to be their bank’s app but is in fact the trojan.

Social Engineering Twist: FjordPhantom combines this with telephone-oriented attack delivery (TOAD). After installing the fake app, victims are directed to phone a bogus call centre, whose operators walk them step by step through actions that hand over their banking access.

Virtualization Stealth: What sets FjordPhantom apart is its use of app virtualization. By running the genuine banking app inside its own container, alongside its malicious code, it sidesteps Android’s per-app sandbox and can read and modify the bank app’s behaviour without root access, injecting code into the app unnoticed.

How It Works: The malware loads a virtual container holding a malicious hooking module together with the target bank’s legitimate app. The module hooks key APIs inside that container so it can intercept sensitive information programmatically, and because the real app is the one on screen, the user sees nothing amiss.

Protection Measures: Google notes that Google Play Protect warns about or blocks apps known to exhibit malicious behaviour, providing a layer of defence against FjordPhantom.

Modular Threat: FjordPhantom is modular and adapts its behaviour to whichever banking app it embeds, so the same framework can be aimed at many different banks.

Stay Secure: Install apps only from Google Play, treat any app link that arrives by email, SMS or chat as suspect, and never follow “support” instructions from a phone number the app itself supplied. Stay informed about emerging threats to protect your devices!

Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3-minute newsletter on what matters in AI; with so many new AI products coming to market, it’s good to stay ahead of the curve.

  • Libby Copa: The Rebel Newsletter helps writers strengthen their writing and creative practice, navigate the publishing world, and turn their art into an act of rebellion.

  • Techspresso: Receive a daily summary of the most important AI and tech news, selected from 50+ media outlets (The Verge, Wired, TechCrunch, etc.).

Let us know what you think!

So long and thanks for reading all the phish!
