Raccoon Stealer Bundles Malware, Propagates Via Google SEO

An update to the stealer-as-a-service platform hides in pirated software, pilfers crypto-coins and installs a software dropper for downloads of more malware.

Criminals behind the Raccoon Stealer platform have updated their services to include tools for siphoning cryptocurrency from a target’s computer and new remote access features for dropping malware and scooping up files.

The stealer-as-a-service platform, whose customers are typically rookie hackers, offers turnkey services for pilfering browser-stored passwords and authentication cookies. According to new research from Sophos Labs published Tuesday, the platform has received a noteworthy update that includes new tools and distribution networks to boost infected targets.

For starters, Raccoon Stealer has pivoted from inbox-based infections to ones that leverage Google Search. According to Sophos, threat actors have been proficient in their optimization of malicious web pages to rank high in Google search results. The bait to lure victims in this campaign is software pirating tools such as programs to “crack” licensed software for illicit use or “keygen” programs that promise to generate registration keys to unlock licensed software.

“While the sites advertised themselves as a repository of ‘cracked’ legitimate software packages, the files delivered were actually disguised droppers. Clicking on the links to a download connected to a set of redirector JavaScripts hosted on Amazon Web Services that shunt victims to one of multiple download locations, delivering different versions of the dropper,” wrote Yusuf Polat and Sean Gallagher, both senior threat researchers at Sophos, who authored the report.

Raccoon Learns New Tricks Delivers New Misery

What is unique about Raccoon Stealer is that, unlike other info-stealer services and malware targeting individuals via inboxes, the campaign Sophos tracked is distributed via malicious websites.

Researchers said that victims falling for the ploy download a first-stage payload of an archive. The archive contains another password-protected archive and a text document containing a password used later in the infection chain. “The archive containing the ‘setup’ executable is password-protected to evade malware scanning,” they wrote.

Eventually, opening the executable delivers self-extracting installers. “They have signatures associated with self-extracting archives from tools such as 7zip or Winzip SFX, but cannot be unpacked by these tools. Either the signatures have been faked, or the headers of the files have been manipulated by the actors behind the droppers to prevent unpacking without execution,” Sophos wrote.

Sophos said malware delivered to the victim can include:

  • Crypto-miners
  • “Clippers” (malware which steal cryptocurrencies by modifying the victim’s system clipboard during transactions and changing the destination wallet)
  • Malicious browser extensions
  • YouTube click-fraud bots
  • Djvu/Stop (a ransomware targeted primarily at home users)

Infrastructure of a Stealer-as-a-Service Platform

As for management of infected systems, Sophos said threat actors use the secure messaging platform Telegram and further obfuscate communications using a RC4 encryption key to cloak the configuration IDs associated with the Raccoon “customer”.

“Using the hard-coded RC4 key, Raccoon decrypts the message in the description for the channel—which contains the address for a command and control (C2) ‘gate.’  This is not a straightforward decryption process – a portion of the resulting string is trimmed from both the start and end of the channel description, and then the code decrypts the text with RC4 to obtain the C2 gate address,” they wrote.

Raccoon operators connect to the gate to communicate with the C2. Criminals go on a scavenger hunt, pilfering anything of value – from browser-based data and cryptocurrency wallets – and use the C2 for exfiltration. At the same time, the C2 is used to download SilentXMRMiner, written in Visual Basic .NET and obfuscated with Crypto Obfuscato while running.

A second-stage payload delivered from the Raccoon Stealer has included 18 malware samples since October 2020, according to Sophos. The most recent is malicious software targeting cryptocurrency transactions (aka clipper malware) called QuilClipper.

“While analyzing similar samples to .Net loader and clipper on Virustotal, we found more samples hosted on the domain bbhmnn778[.]fun,” wrote researchers. “Some of the .NET loaders were Raccoon Stealer, and both the QuilClipper and Raccoon samples use the Raccoon Telegram channel we found in our initial Raccoon sample: telete[.]in/jbitchsucks. Investigating these files and searching on their filenames, we found a YouTube channel that promotes Raccoon Stealer and QuilClipper.”

Raccoon Economics: ‘Attractive’ Therefore ‘Pernicious’

A study of the Raccoon Stealer infrastructure revealed 60 subdomains under the domain xsph[.]ru, with 21 recently active and registered through the Russian hosting provider SprintHost[.]ru.

“This Raccoon Stealer campaign is indicative of how industrialized criminal activity has become,” Polat and Gallagher wrote. They said that threat actors increasingly use a collection of paid services, such as a dropper-as-a-service, to deploy Raccoon and a malware hosting-as-a-service.

The criminals behind this Raccoon campaign were able to deploy malware, steal cookies and credentials and sell those stolen credentials on criminal marketplaces to steal approximately $13,200 US worth of cryptocurrency, and to use the compute resources of victims to mine another $2,900 in cryptocurrency over a six-month period, Sophos estimates. Cost to run the criminal enterprise is estimated at $1,250.

“It’s these kinds of economics that make this type of cybercrime so attractive – and pernicious,” Sophos wrote.

Threatpost Webinar Series Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.

Suggested articles