Raccoon Stealer Crawls Into Telegram

The credential-stealing trash panda is using the chat app to store and update C2 addresses as crooks find creative new ways to distribute the malware.

A credential stealer that first rose to popularity a couple of years ago is now abusing Telegram for command-and-control (C2). A range of cybercriminals continue to widen its attack surface through creative distribution means like this, researchers have reported.

Raccoon Stealer, which first appeared on the scene in April 2019, has added the ability to store and update its own actual C2 addresses on Telegram’s infrastructure, according to a blog post published by Avast Threat Labs this week. This gives them a “convenient and reliable” command center on the platform that they can update on the fly, researchers said.

The malware – believed to be developed and maintained by Russia-affiliated cybercriminals – is at its core a credential stealer but is capable of a range of nefarious activity. It can steal not only passwords but also cookies, saved logins and forms data from browsers, login credentials from email clients and messengers, files from crypto wallets, data from browser plugins and extensions, and arbitrary files, based on commands from its C2.

Infosec Insiders Newsletter

“In addition, it’s able to download and execute arbitrary files by command from its C2,” Avast Threat Labs researcher Vladimir Martyanov wrote in the post. This, in combination with active development and promotion on underground forums, makes Raccoon Stealer “prevalent and dangerous,” he said.

Upon its release in 2019, cybercriminals quickly adopted the malware because of its user-friendly malware-as-a-service (MaaS) model, which has given them a quick and easy way to make money by stealing sensitive data.

Creative Distribution

Early on, attackers were seen delivering Raccoon Stealer via an .IMG file hosted on a hacker-controlled Dropbox account in business email compromise (BEC) campaigns that targeted financial institutions and other organizations.

More recently, Avast Threat Labs researchers observed a number of new and creative ways attackers are distributing Raccoon Stealer, Martyanov said.

“Taking into account that Raccoon Stealer is for sale, its distribution techniques are limited only by the imagination of the end buyers,” he wrote.

In addition to being spread by two loaders – Buer Loader and GCleaner – attackers also are distributing Raccoon Stealer via fake game cheats, patches for cracked software – including hacks and mods for Fortnite, Valorant and NBA2K22 – or other software, Martyanov wrote.

Cybercriminals also are taking care to try to evade detection by packing the credential stealer, using Themida or malware packers, with some samples observed being packed more than five times in a row with the same packer, he added.

Abusing C2 in Telegram

The report detailed how the latest version of Raccoon Stealer communicates with C2 within Telegram: There are four “crucial” values for its C2 communication, which are hardcoded in every Raccoon Stealer sample, according to the post. They are:

  • -MAIN_KEY, which has been changed four times during the year;
  • -URLs of Telegram gates with a channel name;
  • -BotID, a hexadecimal string, sent to the C2 every time; and
  • -TELEGRAM_KEY, a key to decrypt the C2 address obtained from Telegram Gate.

To hijack Telegram for its C2, the malware first decrypts MAIN_KEY, which it uses to decrypt Telegram gates URLs and BotID. The stealer then uses Telegram gate to get to its real C2 using a string of queries that eventually allow it to use the Telegram infrastructure to store and update actual C2 addresses, Martyanov wrote.

By downloading and executing arbitrary files from a command from C2, the stealer also is able to distribute malware. Avast Threat Labs collected about 185 files, with a total size of 265 megabytes – including downloaders, clipboard crypto stealers and the WhiteBlackCrypt ransomware – that were being distributed by Raccoon Stealer.

Avoiding Russian Entities

Once executed, Racoon Stealer starts checking for the default user locale set on the infected device and won’t work if it’s one of the following: Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik or Uzbek. This is likely because the developers themselves are Russian, researchers believe.

However, Avast Threat Labs found that in recent activity, “the country where we have blocked the most attempts is Russia, which is interesting because the actors behind the malware don’t want to infect computers in Russia or Central Asia,” Martyanov wrote.

This could be because “the attacks spray and pray, distributing the malware around the world,” he noted. The malware doesn’t check for the location of the user until it actually reaches a device; if it finds that the device is located in a region developers don’t want to target, it won’t run.

“This explains why we detected so many attack attempts in Russia; we block the malware before it can run, i.e. before it can even get to the stage where it checks for the device’s locale,” Martyanov wrote. “If an unprotected device that comes across the malware with its locale set to English or any other language that is not on the exception list but is in Russia, it would still become infected.”

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.

Suggested articles