Raccoon Stealer: The ‘Malware-as-a-Service’ (MaaS) Information Stealer’s Current Surge

Raccoon Stealer is an information stealer that, as its name suggests, steals user credentials and data stored in web browsers, mail applications, cryptocurrency wallets and Discord files.


Non-technical Summary
User-specific data stored in the most commonly used web browsers is what Raccoon Stealer goes after. This includes cookies and all user credentials (login IDs and passwords) saved in browsers, as well as cryptocurrency wallets. This malware is usually delivered through a macro-laden document attached to spam mail. When the macro runs, it installs the malware. Communication is then established with a specified malicious website, and the malware collects data from the infected system and sends it to that website.

About the Threat

Raccoon Stealer was first observed in 2019 and is believed to originate in Russia. Openly advertised as a ‘Malware-as-a-Service’ (MaaS) on the dark web, it is well known in cybercriminal circles. It is also one of the most well-administered and well-managed malware services.

Right from the different usage plans / subscriptions offered for sale, to its ‘customer’ service practices, it is efficiently managed as a well-run commercial venture. Its creators regularly update its features, offer trial periods and add-on services to the main infostealer. Each unit sold has a unique signature that can be traced and tracked by the creators.


This malware is initially dropped by an email through a macro in an attached document. Sometimes the threat actor may use another malware to deliver the payload. In some cases, it is also delivered when a victim downloads a cracked version of software from dubious sources.

Security analysts at SecneurX have observed a surge in Raccoon Stealer in the wild in the last 3 months. It was very active during October – December 2021, as shown in the chart below. Over 1500 Raccoon Stealer samples were collected and analyzed during this period.



Chart 1: Surge in Raccoon Malware activity observed in SecneurX Research Lab


A notable observation during this surge is that Raccoon Stealer is delivered as a payload by other malware already present on the system. In the case of the sample described in this blog, the Raccoon Stealer executable was dropped by other malware that had already infiltrated the system. This sample of Raccoon Stealer communicates with a Telegram profile to acquire the Command and Control (C2) URL, which is in the form of an IP address.


The payload is then installed in a series of steps. All communication to and from the infected system is encrypted. Once fully installed, the malware collects its target data and exfiltrates it to the C2.


Some of the information that Raccoon Stealer gathers and exfiltrates includes:

  • System information of the affected system

  • Auto-fill credentials stored in web-browsers

  • Cryptocurrency wallets

  • Cookies

  • Web browser history


On completion of its objective, the malware comes with the option of auto-deleting itself and eliminating all traces of its actions.

SecneurX's Analysis of the Modus Operandi


Security analysts at SecneurX studied the artifact with SHA256:

312f192e3506150ed6b6985f0c633708eca2cb1964d189a6fc1a05e096af415d


This is a .exe sample of the malware and is usually dropped from an infected document when the macros are enabled. Once run, the following actions take place.


Step 1: Acquire C2 Address


The dropped .exe file is executed and first issues the following request: [ GET ] hxxp://telegalive[.]top/jdiamond13


In this request, hxxp://telegalive[.]top is the C2 and jdiamond13 is the Telegram user ID.

The response to the above request is shown in Figure 1 below.


Figure 1: Response from C2


The malicious domain, created by the malware authors, returns the Telegram profile page for that URL (as shown in Figure 2 below). Raccoon Stealer then copies the value of the ‘content’ field highlighted in Figure 1, “e2559fV46cjQG7j8UeXHTRGF49yaP1BIuc0-v54”, from the Telegram page. It then trims a few characters from this value to get the actual data, “fV46cjQG7j8UeXHTRGF49yaP1BIuc”. This is an RC4-encrypted C2 address.



Figure 2: Recreating the response and the encrypted C2 address in Telegram profile page



The malware then decrypts the above string using an embedded hardcoded key. This reveals the C2 URL, hxxp://91[.]219[.]236[.]49/, shown in Figure 3 below.



Figure 3: Decoding the encrypted C2 address
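The Step 1 decoding chain, reimplemented here as an added example for building a config extractor; this is not code from the writeup or from the sample. It assumes the marker sits in the `content` attribute of the profile page's description meta tag, a base64 layer over the RC4 ciphertext (the writeup does not state the encoding), a trim of 5 characters at each end (inferred from the example marker above), and a constructed key, since the sample's real hardcoded key is not given.

```python
import re
from base64 import b64decode, b64encode

# Assumed key for this demo: the sample's real hardcoded RC4 key is not given in the writeup.
ASSUMED_RC4_KEY = b"demo-key-not-from-sample"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Assumption: the marker is the 'content' attribute of the page's description meta tag.
CONTENT_RE = re.compile(r'<meta[^>]+property="og:description"[^>]+content="([^"]*)"', re.I)

def extract_c2(html: str, key: bytes, trim: int = 5) -> str:
    """Reproduce Step 1: pull the marker, trim `trim` filler chars from each end,
    undo the (assumed) base64 layer, then RC4-decrypt with the hardcoded key."""
    m = CONTENT_RE.search(html)
    if not m:
        raise ValueError("no content field in profile page")
    inner = m.group(1)[trim:-trim]
    return rc4(key, b64decode(inner)).decode()

def build_test_page(c2_url: str, key: bytes) -> str:
    """Constructed stand-in for the Telegram profile page (not the real page): wraps the
    encrypted C2 in the same 5-char leading/trailing filler seen in the writeup's marker."""
    inner = b64encode(rc4(key, c2_url.encode())).decode()
    marker = "e2559" + inner + "0-v54"
    return f'<html><head><meta property="og:description" content="{marker}"></head></html>'

if __name__ == "__main__":
    page = build_test_page("http://91.219.236.49/", ASSUMED_RC4_KEY)
    print(extract_c2(page, ASSUMED_RC4_KEY))  # http://91.219.236.49/
```

Swapping in the real key and encoding recovered from a sample turns `extract_c2` into a dead-drop resolver for blocking or alerting on the resolved C2 before the POST in Step 2 happens.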



Step 2: Communication with C2 and download of configuration data


Using the retrieved IP address, it connects to the C2 to post the unique victim ID and download the configuration data.


[ POST ] hxxp://91[.]219[.]236[.]49/

Figure 4: Communication with the C2


The encrypted unique victim ID is decrypted as shown in Figure 5.



Figure 5: Decoding the Communication with the C2





Figure 6: Decoding the Communication with the C2



Step 3: Download of Data Extraction Modules


It then downloads the data extraction module and additional dependency modules through the following requests:

[ GET ] hxxp://91[.]219[.]236[.]49//l/f/x52vxXwB3dP17SpzzQGD/f66df01ec20c0cf373071d4d6494de1445530c2e


[ GET ] hxxp://91[.]219[.]236[.]49//l/f/x52vxXwB3dP17SpzzQGD/1f8a5bbeae4cfc7c9cb8071759d16e938f15d0d0



Figure 7: Downloading Modules for Data Extraction



Figure 8: Downloading additional modules in zip



Figure 9: Content of the Zip file



Step 4: Data Exfiltration


Once the victim’s credentials are extracted, the malware creates a Zip file and stores the information there. This file is then sent to the threat actor’s C2.



Figure 10: Data Exfiltration



Figure 11: Contents of the Zip file
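The request sequence of Steps 1 to 3 (dead-drop lookup, POST to a bare-IP C2, module downloads from that IP) is distinctive enough to hunt for in proxy logs. The following detection is an added example, not code from SecneurX or from the sample; the log lines are constructed in a simplified `timestamp host method url` format, with `host-a` replaying the observed sequence and `host-b` as benign noise.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log (not captured traffic): "<ISO timestamp> <host> <method> <url>".
# host-a reproduces the request sequence described in Steps 1-3; host-b is benign noise.
SAMPLE_LOG = """\
2021-12-01T10:00:01 host-a GET http://telegalive.top/jdiamond13
2021-12-01T10:00:03 host-a POST http://91.219.236.49/
2021-12-01T10:00:05 host-a GET http://91.219.236.49//l/f/x52vxXwB3dP17SpzzQGD/f66df01ec20c0cf373071d4d6494de1445530c2e
2021-12-01T10:00:06 host-a GET http://91.219.236.49//l/f/x52vxXwB3dP17SpzzQGD/1f8a5bbeae4cfc7c9cb8071759d16e938f15d0d0
2021-12-01T10:07:00 host-b GET https://t.me/somechannel
2021-12-01T10:09:00 host-b POST https://update.example.com/api
"""

DEAD_DROP_RE = re.compile(r"^https?://telegalive\.top/[A-Za-z0-9_]+$")      # Step 1 lookup
BARE_IP_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})/")            # C2 addressed by raw IP
MODULE_RE = re.compile(r"^https?://[^/]+//l/f/[A-Za-z0-9]+/[0-9a-f]{40}$")   # Step 3 module path
def parse_line(line):
    ts, host, method, url = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, method, url

def detect_raccoon_chain(log_text, window=timedelta(minutes=10)):
    """Return {host: stages} for hosts showing a dead-drop lookup, then a POST to a bare-IP C2,
    then a module download from that same IP, all inside `window`."""
    by_host = {}
    for line in log_text.splitlines():
        if line.strip():
            ts, host, method, url = parse_line(line)
            by_host.setdefault(host, []).append((ts, method, url))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        for i, (t0, m0, u0) in enumerate(events):
            if m0 != "GET" or not DEAD_DROP_RE.match(u0):
                continue
            stages, c2_ip = ["dead_drop_lookup"], None
            for ts, method, url in events[i + 1:]:
                if ts - t0 > window:
                    break
                ip = BARE_IP_RE.match(url)
                if method == "POST" and ip and c2_ip is None:
                    c2_ip, stages = ip.group(1), stages + ["c2_checkin"]
                elif method == "GET" and ip and ip.group(1) == c2_ip and MODULE_RE.match(url) \
                        and "module_download" not in stages:
                    stages.append("module_download")
            if len(stages) == 3:
                hits[host] = stages
    return hits
```

The double-slash `//l/f/<token>/<40-hex>` path and the POST to a raw IP are each weak on their own; requiring all three stages from one host inside the window is what keeps the false-positive rate low.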


Indicators of Compromise


Behaviour reports (SHA256 hashes of analyzed samples; behaviour reports are available on VirusTotal)



Domain IOC





IOC of Telegram profile managed by the threat actor

