An update to the stealer-as-a-service platform hides in pirated software, steals cryptocurrency and installs a software dropper that downloads more malware.
Criminals behind the Raccoon Stealer platform have updated their services to include tools for taking cryptocurrency from a target’s computer, along with new remote access features for dropping malware and sweeping up files.
The stealer-as-a-service platform, whose customers are typically novice hackers, offers ‘turnkey services’ for stealing browser-stored passwords and authentication cookies. According to new research from SophosLabs published Tuesday, the platform has received an update that includes new tools and distribution networks to boost the number of infected targets.
Raccoon Stealer has moved from inbox-based infections to ones that rely on Google Search. According to Sophos, the threat actors have been effective at optimising malicious web pages to rank high in Google search results.
The ‘bait’ used to lure victims in this campaign is software-pirating tools, such as programs that “crack” licensed software for illegal use or “keygen” programs that promise to generate registration keys to unlock licensed software.
“While the sites advertised themselves as a repository of ‘cracked’ legitimate software packages, the files delivered were actually disguised droppers.
Clicking on the links to a download connected to a set of redirector JavaScripts hosted on Amazon Web Services that shunt victims to one of multiple download locations, delivering different versions of the dropper,” wrote Yusuf Polat and Sean Gallagher, both senior threat researchers at Sophos, who produced the report.
Raccoon Learns New Tricks
What is unique about Raccoon Stealer is that, unlike other info-stealer services and malware that target individuals via their inboxes, the campaign Sophos tracked is distributed via malicious websites.
Researchers stated that victims who fall for the scam download a first-stage payload in the form of an archive. That archive contains another, password-protected archive and a text document holding the password used later in the infection. “The archive containing the ‘setup’ executable is password-protected to evade malware scanning,” they wrote.
Opening the executable eventually delivers self-extracting installers. “They have signatures associated with self-extracting archives from tools such as 7zip or WinZip SFX but cannot be unpacked by these tools. Either the signatures have been faked, or the headers of the files have been manipulated by the actors behind the droppers to prevent unpacking without execution,” Sophos wrote.
Sophos explained that malware delivered to the victim can include:
- Crypto miners
- “Clippers” (malware that steals cryptocurrency by modifying the victim’s system clipboard during transactions and changing the destination wallet)
- Malicious browser extensions
- YouTube click-fraud bots
- Djvu/Stop (a ransomware family targeted primarily at home users)
Regarding management of infected systems, Sophos stated that the threat actors use the secure messaging platform Telegram and further hide communications with an RC4 encryption key that cloaks the configuration IDs associated with the Raccoon “customer”.
“Using the hard-coded RC4 key, Raccoon decrypts the message in the description for the channel—which contains the address for a command and control (C2) ‘gate.’
This is not a straightforward decryption process – a portion of the resulting string is trimmed from both the start and end of the channel description, and then the code decrypts the text with RC4 to obtain the C2 gate address,” they wrote.
Raccoon operators connect to the gate to communicate with the C2. The criminals then go on a scavenger hunt, pilfering anything of value, from browser-based data to cryptocurrency wallets, and use the C2 for exfiltration. Simultaneously, the C2 is used to download SilentXMRMiner, a miner written in Visual Basic .NET and obfuscated with Crypto Obfuscator while running.
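As an added, analyst-side illustration (not code from Sophos, the report, or the malware), here is how a malware analyst might script the gate-address recovery described above, which is the kind of config extractor used to turn a captured channel description into a blockable C2 indicator. The RC4 key, the trim lengths and the base64 text encoding are all constructed assumptions, since the report gives none of them.

```python
import base64

# Hypothetical values: the real Raccoon key, offsets and text encoding are not
# on the page; these are constructed placeholders for the demonstration only.
HYPOTHETICAL_RC4_KEY = b"placeholder-rc4-key"
LEADING_TRIM = 8   # assumed number of characters stripped from the start
TRAILING_TRIM = 6  # assumed number of characters stripped from the end


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so one routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_gate(description: str, key: bytes = HYPOTHETICAL_RC4_KEY) -> str:
    """Recover the C2 gate address from a Telegram channel description.

    Mirrors the two steps Sophos describes: trim a fixed portion from both ends
    of the description, then RC4-decrypt what remains. Base64 is an assumed
    text encoding for the ciphertext (the report does not say which is used).
    """
    core = description[LEADING_TRIM:len(description) - TRAILING_TRIM]
    ciphertext = base64.b64decode(core)
    return rc4(key, ciphertext).decode("utf-8")


def build_description(gate: str, key: bytes = HYPOTHETICAL_RC4_KEY) -> str:
    """Constructed test fixture: wrap an encrypted gate address in filler text
    of exactly the lengths extract_gate() trims, standing in for a real channel."""
    encoded = base64.b64encode(rc4(key, gate.encode("utf-8"))).decode("ascii")
    return "A" * LEADING_TRIM + encoded + "B" * TRAILING_TRIM


if __name__ == "__main__":
    sample = build_description("http://gate.example.invalid/gate")
    print(extract_gate(sample))  # → http://gate.example.invalid/gate
```

With the real key and offsets substituted in, the same extractor can be run over harvested channel descriptions to feed gate addresses into network blocklists.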
Second-stage payloads delivered by Raccoon Stealer have included 18 malware samples since October 2020, according to Sophos. The newest is malicious software targeting cryptocurrency transactions (aka clipper malware) called Quil Clipper.
“While analysing samples similar to the .NET loader and clipper on VirusTotal, we found more samples hosted on the domain bbhmnn778[.]fun,” wrote the researchers. “Some of the .NET loaders were Raccoon Stealer, and both the Quil Clipper and Raccoon samples use the Raccoon Telegram channel we found in our initial Raccoon sample: telete[.]in/jbitchsucks. Investigating these files and searching on their filenames, we found a YouTube channel that promotes Raccoon Stealer and Quil Clipper.”
‘Attractive’ and ‘Pernicious’
A study of the Raccoon Stealer infrastructure revealed 60 subdomains under the domain xsph[.]ru, 21 of them recently active and registered through the Russian hosting provider SprintHost[.]ru.
“This Raccoon Stealer campaign is indicative of how industrialised criminal activity has become,” Polat and Gallagher wrote. They explained that threat actors increasingly use a collection of paid services, such as a dropper-as-a-service to deploy Raccoon and a malware hosting-as-a-service.
Over a six-month period, Sophos estimates, the criminals behind this Raccoon campaign were able to deploy malware, steal cookies and credentials, and sell those stolen credentials on criminal marketplaces to take roughly $13,200 US worth of cryptocurrency, and to use victims’ computing resources to mine another $2,900 in cryptocurrency.
The cost to run the criminal enterprise is estimated at $1,250.
“It’s these kinds of economics that make this type of cybercrime so attractive – and pernicious,” Sophos concluded.