Raccoon Stealer was one of the most prolific information stealers of 2021 and was used by multiple cybercriminal actors. Its wide stealing capabilities, the customizability of the malware and its ease of use made it highly popular among threat actors. The malware was mainly distributed through fake installers or as cracked versions of popular software.
Previously sold as a malware-as-a-service on underground forums since early 2019, its operations suddenly stopped on March 25, 2022. This abrupt shutdown was purportedly due to the loss of one of the project's developers during the “special operation”, likely a reference to the Russian invasion of Ukraine. At the time, the raccoonstealer profile stated on several forums that they “don’t say goodbye forever” and that they were already working on a second version.
Figure 1. Raccoonstealer’s statement on the shutdown of the Raccoon Stealer project on the XSS forum
SEKOIA.IO kept a close eye on activities related to Raccoon Stealer, as we assessed it was likely to make a strong comeback in the information stealer market.
We have reverse-engineered the new version of Raccoon Stealer and our in-depth analysis is available in part 2 at: https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/.
First signs of life
On June 10, 2022, while searching for stealers’ administration panels on the Shodan search engine, SEKOIA.IO analysts stumbled upon active servers hosting a web page named “Raccoon Stealer 2.0”.
Figure 2. Server hosting a web page named “Raccoon Stealer 2.0” on Shodan
After analysing the files on the server, we assessed with high confidence that these servers belong to the Raccoon Stealer infrastructure. Several technical artefacts link this panel to the malware:
- the HTTP title: Raccoon Stealer 2.0;
- the issued domain in the SSL certificates:
Based on this information, we came across raccoonstealer‘s publications on the underground forum Exploit and on their Telegram channel, confirming that a first release of Raccoon Stealer v2 has been sold on Telegram since May 17, 2022.
Figure 3. Publication in the raccoonstealer’s Telegram channel advertising the malware
However, we were not able to find malware samples distributed in the wild at the time.
Samples in the wild
On June 16, 2022, S2W published a comprehensive analysis [1] of the new version of Raccoon Stealer. Based on a file created by the malware, System Info.txt, which contains information about the victim’s system, they attributed payloads distributed in the wild to Raccoon Stealer v2.
The sample analysed by S2W matches a newly discovered malware family discussed on Twitter by cybersecurity researchers, which was later named RecordBreaker by @James_inthe_box (related tweet). Raccoon Stealer v2 and RecordBreaker could therefore be two different names for the same malware family.
Samples of Raccoon Stealer v2 have therefore been observed in the wild since May 16, 2022. As with the previous version, threat actors mainly distribute the information stealer through fake installers or cracked versions of popular software. Here are a few samples posing as legitimate software installers:
- F‑Secure FREEDOME VPN installer (F-Secure Freedome VPN 126.96.36.199.licensesrv.exe_KaHCr.exe);
- R-Studio Network installer (R-Studio.v9.0.190312.licencekey.exe_v3G9m.exe);
- Proton VPN installer (ProtonVPN.exe).
Malware sample attribution
In order to confirm that the sample analysed by S2W is indeed a Raccoon Stealer v2 sample, we compared the content of raccoonstealer‘s publications on their Telegram channel with our technical analysis of the stealer.
These publications are written by the developers to promote Raccoon Stealer v2 to their user community. They therefore focus on the attackers’ user experience (performance, log processing, integrity, etc.) and may be embellished. However, raccoonstealer also shared technical features of their malware. In the following table, we list these descriptions alongside our observations during analysis.
| Description from raccoonstealer‘s Telegram | SEKOIA.IO‘s commentary |
|---|---|
| “the styler is written in C/C++” | Based on the sample analysis, the malware is written in C/C++ with a little assembly. |
| “Raccoon collects: passwords, cookies and autocomplete from all popular browsers (including FireFox x64), CC data” | By default (no specific configuration is needed), the samples collect data from the browsers’ SQL (SQLite) databases. |
| “Raccoon collects system information” | The malware fingerprints the infected system using Windows Registry queries and other WinAPI functions (RAM, CPU, display, installed software, etc.). |
| “almost all existing desktop cryptocurrency wallets” | Confirmed by the malware configuration, which embeds many cryptocurrency wallet browser extensions and desktop apps. The configuration can be customized to collect data from other wallets simply by setting the path and the targeted file. |
| “Built-in file downloader” | The malware implements its own directory listing function to grab files. |
| “Works on both 32 and 64-bit systems without dependencies on .NET.” | The malware has no static dependencies; instead it downloads eight DLLs once executed. |
| “Private key, gate address and all other string values are heavily encrypted.” | C2 address(es) and strings are RC4-encrypted and Base64-encoded, which is hardly “heavy” encryption; the wording is probably marketing. The “private key” may refer to the RC4 key, which is stored in the .rdata section. |
| “HTTP for sending to handlers and file servers are encrypted.” | We did not observe any encryption of the exfiltrated data. |
| “Screenshot, system info, each browser profile is sent separately. Each wallet – sent separately” | A distinctive trait: the malware sends data as soon as it collects a new item: the system information, the browser data, the wallet data (for each wallet extension/desktop app found) and the screenshot. |
| “Reworked file grabber (…) going through all disks including usb with search depth” | The malware implements its own directory listing function that walks the disks to grab files. |
| “The weight of the executable file of the Stiller is only 50 KB” | All observed stand-alone samples are 55 KB or 56 KB. |
| “We also redesigned the loader. You can now choose where to install the file (Low, Temp, AppData). CMD/DLL/EXE” | Two ways of executing a payload are implemented in the malware, but we only examined the function that executes a downloaded PE. |
Figure 4. Comparative table of features shared by raccoonstealer and the SEKOIA.IO’s analysis
Almost all the capabilities and technical details advertised by raccoonstealer correspond to those observed during our malware analysis. Some properties are quite generic within the information stealer family (collecting browser data and system information, capturing a screenshot, encrypting the C2 address and strings), but others are rather specific and support the attribution to Raccoon (sending each data type separately, the built-in file downloader, the file grabber going through all disks, and the specific loader).
It is worth mentioning that the authors claim that Raccoon Stealer v2 exfiltrates encrypted data, whereas we did not observe any encryption or obfuscation of the C2 communications during our analysis. This seems to be the only point on which raccoonstealer‘s advertising differs from our observations. However, their goal is to market the malware, and they may overstate some features to do so: we have already seen such discrepancies in the MarsTeam‘s publications about Mars Stealer on the XSS forum [2].
In addition, the date of appearance of the first samples matches that of the aforementioned “Raccoon Stealer 2.0” servers, as well as the date of raccoonstealer‘s publication in their Telegram channel (around May 17, 2022).
In the raccoonstealer‘s Telegram channel, the new version is advertised with improved malware, back-end and front-end. Raccoon Stealer’s developers rewrote the malware and the administration panel from scratch, with a focus on performance and efficiency. In the next part, SEKOIA.IO analyses the malware and its communications in depth.
Raccoon Stealer’s capabilities are those of a classic stealer, with a focus on cryptocurrency wallets. The malware is also advertised as a loader and a file grabber.
Here is an overview of its capabilities:
- Targeting of popular browsers (to steal passwords, cookies, autofill data and credit cards);
- Targeting of almost all desktop cryptocurrency wallets and browser extensions for cryptocurrency wallets (MetaMask, TronLink, BinanceChain, Ronin, Exodus, Atomic, JaxxLiberty, Binance, Coinomi, Electrum, Electrum-LTC, ElectronCash, etc.);
- File downloading;
- File loading (cmd, dll, exe);
- File grabbing in all disks;
- Screenshot capturing;
- System fingerprinting;
- Installed applications listing.
The capabilities advertised on Telegram match those identified during our analysis.
Raccoon Stealer v2 is written in C/C++ using the WinAPI. Samples are around 56 KB and run on both 32 and 64-bit systems without any static dependencies: the malware downloads the legitimate third-party DLLs it needs from its C2 server(s). The C2 configuration and the strings are RC4-encrypted and Base64-encoded.
SEKOIA.IO reverse engineered the malware; the in-depth analysis is published in part 2.
In the meantime, here is a step-by-step description of the execution of Raccoon Stealer v2:
- Dynamic loading of DLLs;
- Run-time dynamic linking of WinAPI functions;
- String deobfuscation (Base64 decoding, then RC4 decryption);
- C2 server(s) deobfuscation;
- Checks (mutex, user privileges);
- Initial host fingerprint (MachineGuid, username) sent to the C2;
- Retrieval of its configuration from the C2;
- Download, then loading, of the legitimate third-party DLLs;
- Fingerprinting of the infected host (CPU, RAM, OS version, display information) and sending of this data to the C2;
- Collection of personal information and exfiltration (system information, browsers, crypto wallets);
- Screenshot capture and exfiltration;
- Removal of the files created by the malware.
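The Base64-then-RC4 string deobfuscation of the third step above, written out as an added example (this is not code from a Raccoon Stealer sample nor from SEKOIA.IO): it implements plain RC4, shows how an embedded string round-trips through the two layers, and adds a small key-recovery helper that tries candidate keys (for instance strings pulled from the .rdata section) and keeps the one that yields printable output for every blob. The key, the strings and the blobs are constructed for illustration and are not Raccoon Stealer artefacts.

```python
import base64
from typing import List, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def obfuscate(key: bytes, plaintext: str) -> str:
    """RC4-encrypt, then Base64-encode: the form in which a string is embedded."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


def deobfuscate(key: bytes, blob: str) -> str:
    """Base64-decode, then RC4-decrypt: what the stealer does at run time."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


def deobfuscate_all(key: bytes, blobs: List[str]) -> List[str]:
    return [deobfuscate(key, b) for b in blobs]


def find_key(candidates: List[bytes], blobs: List[str]) -> Optional[bytes]:
    """Return the first candidate key that turns every blob into printable ASCII.

    Useful when the key is not obvious: feed it the string constants found in
    the sample's data section and let the plaintext check pick the right one.
    """
    raw = [base64.b64decode(b) for b in blobs]
    for key in candidates:
        if not key:
            continue
        if all(all(0x20 <= c < 0x7F for c in rc4(key, r)) for r in raw):
            return key
    return None


# Constructed sample: hypothetical key and values, not taken from any sample.
SAMPLE_KEY = b"example-rc4-key-not-real"
SAMPLE_PLAINTEXTS = ["http://c2.example.invalid/", "MachineGuid", "System Info.txt"]
SAMPLE_BLOBS = [obfuscate(SAMPLE_KEY, s) for s in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    for blob, clear in zip(SAMPLE_BLOBS, deobfuscate_all(SAMPLE_KEY, SAMPLE_BLOBS)):
        print(f"{blob} -> {clear}")
    print("recovered key:", find_key([b"wrong-key", SAMPLE_KEY], SAMPLE_BLOBS))
```

The printable-ASCII check in `find_key` is a heuristic: a wrong key produces all-printable output only by chance, which is negligible once a few dozen bytes of blobs are checked, but it will also reject a correct key if the real plaintexts contain non-ASCII bytes.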
Interestingly, during the collection stage the malware sends each collected item to the C2 server as soon as it is gathered, as a file in a POST request. It repeats this for each new type of data (system information, cookies, screenshot, etc.).
It is worth noting that the malware implements almost no defense evasion techniques, such as anti-analysis, obfuscation or defense impairment.
The malware first sends a POST request to its C2 server with the machineId, the username and the configurationId (which corresponds to the RC4 key). The server replies with the full malware configuration, which includes (as shown in the following figure):
- Applications to target;
- URLs hosting the legitimate third-party DLLs;
- Token used for data exfiltration (it forms the C2’s endpoint);
- File grabber configuration, etc.
Figure 5. Network capture of the communication initiated by the malware on the infected machine and its C2 server
Raccoon Stealer v2 then downloads every DLL, which are sometimes hosted on another server.
Finally, it exfiltrates data by sending POST requests to its C2 server. The URLs used by the malware are built from the token received in the configuration.
Figure 6. Overview of Raccoon Stealer v2 communications
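As an added example of how the exchange above can be turned into a detection (this is not code from the original article), here is a heuristic run over constructed proxy-log lines: it flags a client that POSTs to a host and, within a short window, fetches several DLLs (from that host or another one) and then POSTs repeatedly to the same host. The log format, the hostnames, the DLL names and the token path are all constructed, and the thresholds are assumptions to be tuned to your environment; because the exfiltration token is per-configuration, the rule matches the sequence of requests rather than any URL.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Request(NamedTuple):
    ts: datetime
    client: str
    method: str
    host: str
    path: str


def parse_log(text: str) -> List[Request]:
    """Parse the constructed 'timestamp client method host path' format."""
    reqs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, method, host, path = line.split()
        reqs.append(Request(datetime.fromisoformat(ts), client,
                            method.upper(), host.lower(), path))
    return reqs


def detect_stealer_sequences(reqs: List[Request],
                             window: timedelta = timedelta(minutes=10),
                             min_dlls: int = 5,
                             min_posts: int = 3) -> List[Tuple[str, str]]:
    """Return (client, host) pairs showing POST -> N x DLL GET -> M x POST.

    Thresholds are assumptions: the article reports eight DLL downloads and
    one POST per collected data type, so 5 and 3 leave room for partial logs.
    """
    by_client: Dict[str, List[Request]] = defaultdict(list)
    for r in reqs:
        by_client[r.client].append(r)

    alerts: List[Tuple[str, str]] = []
    for client, rs in by_client.items():
        rs.sort(key=lambda r: r.ts)
        alerted = set()
        for i, first in enumerate(rs):
            # The sequence starts with the configuration request: a POST.
            if first.method != "POST" or first.host in alerted:
                continue
            dlls = posts = 0
            for r in rs[i + 1:]:
                if r.ts - first.ts > window:
                    break
                if r.method == "GET" and r.path.lower().endswith(".dll"):
                    dlls += 1          # DLLs may come from another server
                elif r.method == "POST" and r.host == first.host:
                    posts += 1         # per-item exfiltration to the same C2
            if dlls >= min_dlls and posts >= min_posts:
                alerts.append((client, first.host))
                alerted.add(first.host)
    return sorted(alerts)


# Constructed log: one stealer-like client (10.0.0.5) and one benign updater.
SAMPLE_LOG = """
2022-06-20T10:00:01 10.0.0.5 POST c2.example.invalid /
2022-06-20T10:00:03 10.0.0.5 GET files.example.invalid /dll/lib1.dll
2022-06-20T10:00:04 10.0.0.5 GET files.example.invalid /dll/lib2.dll
2022-06-20T10:00:05 10.0.0.5 GET files.example.invalid /dll/lib3.dll
2022-06-20T10:00:06 10.0.0.5 GET files.example.invalid /dll/lib4.dll
2022-06-20T10:00:07 10.0.0.5 GET files.example.invalid /dll/lib5.dll
2022-06-20T10:00:08 10.0.0.5 GET files.example.invalid /dll/lib6.dll
2022-06-20T10:00:09 10.0.0.5 GET files.example.invalid /dll/lib7.dll
2022-06-20T10:00:10 10.0.0.5 GET files.example.invalid /dll/lib8.dll
2022-06-20T10:00:20 10.0.0.5 POST c2.example.invalid /token123/
2022-06-20T10:00:21 10.0.0.5 POST c2.example.invalid /token123/
2022-06-20T10:00:25 10.0.0.5 POST c2.example.invalid /token123/
2022-06-20T10:05:00 10.0.0.9 POST update.example.invalid /report
2022-06-20T10:05:02 10.0.0.9 GET update.example.invalid /bin/helper.dll
2022-06-20T10:05:03 10.0.0.9 GET update.example.invalid /bin/lib.dll
"""

if __name__ == "__main__":
    for client, host in detect_stealer_sequences(parse_log(SAMPLE_LOG)):
        print(f"suspicious stealer-like sequence: {client} -> {host}")
```

Real proxy logs carry more fields and the DLL downloads may be split across hosts, so the rule should be treated as a triage signal to pair with the IOCs below rather than as a standalone verdict.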
To conclude, we expect a resurgence of Raccoon Stealer v2: the developers implemented a version tailored to the needs of cybercriminals (efficiency, performance, stealing capabilities, etc.) and scaled their backbone servers to handle large loads. In addition, the malware benefits from the popularity the threat actors gained in recent years.
We assess with high confidence that future updates will add anti-analysis techniques to evade antivirus detection.
MITRE ATT&CK TTPs
| Tactic | Technique | Description |
|---|---|---|
| Defense Evasion | T1140 – Deobfuscate/Decode Files or Information | Raccoon Stealer v2 decodes its strings and C2 configuration using Base64 and RC4. |
| Defense Evasion | T1027 – Obfuscated Files or Information | Raccoon Stealer v2 uses RC4-encrypted strings. |
| Credential Access | T1539 – Steal Web Session Cookie | Raccoon Stealer v2 harvests cookies from popular browsers. |
| Credential Access | T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | Raccoon Stealer v2 collects passwords from popular browsers. |
| Discovery | T1083 – File and Directory Discovery | Raccoon Stealer v2 lists files and directories to grab files across all disks. |
| Discovery | T1057 – Process Discovery | Raccoon Stealer v2 lists the processes running on the system. |
| Discovery | T1012 – Query Registry | Raccoon Stealer v2 queries HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid to retrieve the MachineGuid value. |
| Discovery | T1518 – Software Discovery | Raccoon Stealer v2 lists the software installed on the infected machine by querying HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. |
| Discovery | T1082 – System Information Discovery | Raccoon Stealer v2 collects the OS version, host architecture, CPU information, RAM capacity and display device information. |
| Discovery | T1124 – System Time Discovery | Raccoon Stealer v2 collects the time zone information of the system. |
| Collection | T1119 – Automated Collection | Raccoon Stealer v2 scans the disks and automatically collects files. |
| Collection | T1005 – Data from Local System | Raccoon Stealer v2 collects cryptocurrency wallet credentials from the local system. |
| Collection | T1113 – Screen Capture | Raccoon Stealer v2 captures a screenshot of the victim’s desktop. |
| Command and Control | T1071.001 – Application Layer Protocol: Web Protocols | Raccoon Stealer v2 uses HTTP for C2 communications. |
| Exfiltration | T1041 – Exfiltration Over C2 Channel | Raccoon Stealer v2 exfiltrates the collected data over the C2 channel. |
| Command and Control | T1105 – Ingress Tool Transfer | Raccoon Stealer v2 downloads legitimate third-party DLLs used for data collection onto compromised hosts. |
| Execution | T1106 – Native API | Raccoon Stealer v2 has the ability to launch files using ShellExecuteW. |
| Execution | T1129 – Shared Modules | Raccoon Stealer v2 loads DLLs via LoadLibraryW and resolves their exports with GetProcAddress. |
| Defense Evasion | T1407 – Download New Code at Runtime | Raccoon Stealer v2 downloads its next stage from a remote host (T1407 belongs to the ATT&CK Mobile matrix; on the Enterprise matrix this behaviour is covered by T1105 above). |
IOCs & Technical Details
Raccoon Stealer v2’s C2 servers
Raccoon Stealer v2’s SHA-256
Raccoon Stealer’s C2 servers hosting administration panel
More IoCs are available on the SEKOIA.IO Community Github: https://github.com/SEKOIA-IO/Community/blob/main/IOCs/raccoonstealer/raccoon_stealer_iocs_20220628.csv