Raccoon stealer spreads malware through Google SEO

August 4, 2021 | Cybersecurity News

Raccoon Stealer’s services have been updated to include tools for siphoning cryptocurrency from a target’s device, as well as additional remote access features for dropping malware and stealing files. In addition, the stealer-as-a-service platform, whose customers are mainly amateur hackers, provides turnkey services for stealing passwords and authentication cookies saved in browsers.

According to research published Tuesday by Sophos Labs, the platform has received a significant update that adds new capabilities and new distribution channels intended to grow the pool of infected victims. For starters, Raccoon Stealer has switched from inbox-based infections to Google Search-based infections: threat actors, according to Sophos, have mastered the art of optimizing malicious web pages so that they rank high in Google search results.

Software piracy tools, such as applications that “crack” licensed software for illegal use or “keygen” programs that promise to generate registration keys to unlock licensed software, are used to attract victims in this campaign.

Yusuf Polat and Sean Gallagher, both senior threat researchers at Sophos, noted in the report that:

“While the sites advertised themselves as a repository of ‘cracked’ legitimate software packages, the files delivered were actually disguised droppers. Clicking on the links to a download connected to a set of redirector JavaScripts hosted on Amazon Web Services that shunt victims to one of multiple download locations, delivering different versions of the dropper.”

Raccoon Stealer learns new tricks and brings new misery

According to Sophos, unlike other information-stealer services and malware that target individuals via inboxes, Raccoon Stealer is transmitted through malicious websites.

According to the researchers, those who fall for the ploy download the first-stage payload, an archive. That archive in turn contains another, password-protected archive and a text document holding the password needed later in the infection chain: “The archive containing the ‘setup’ executable is password-protected to evade malware scanning,” they noted.

Running the “setup” executable reveals self-extracting installers. “They have signatures associated with self-extracting archives from tools such as 7zip or Winzip SFX but cannot be unpacked by these tools. So either the signatures have been faked, or the headers of the files have been manipulated by the actors behind the droppers to prevent unpacking without execution,” explained Sophos.

According to Sophos, malware that can be delivered to a target includes:

  • Crypto-miners
  • Malicious browser extensions
  • YouTube click-fraud bots
  • Djvu/Stop (a ransomware targeted primarily at home users)
  • “Clippers” (malware that steals cryptocurrency by modifying the victim’s system clipboard during transactions and swapping in the attacker’s destination wallet)

The structure of a Stealer-as-a-Service system

Additionally, according to Sophos, the threat actors use the Telegram chat platform to administer infected devices, and further obscure their communications with an RC4 encryption key that masks the configuration IDs tied to each Raccoon “customer.”

“Using the hard-coded RC4 key, Raccoon decrypts the message in the description for the channel—which contains the address for a command and control (C2) ‘gate.’ This is not a straightforward decryption process – a portion of the resulting string is trimmed from both the start and end of the channel description and then the code decrypts the text with RC4 to obtain the C2 gate address,” the researchers explained.
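The decode step the researchers describe (trim the channel description, then RC4-decrypt what remains to recover the gate address) is easy to model for analysis purposes. The following is an added example, not Sophos’s code or the malware’s own; the key, trim lengths, hex encoding and sample data are constructed assumptions, and a real sample’s values would come from its own configuration.

```python
# Added example: models the Telegram channel-description decode step described
# above. Key, trim lengths, encoding and sample data are constructed assumptions.
from typing import List


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s: List[int] = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_gate(description: str, key: bytes, head: int, tail: int) -> str:
    """Trim `head` chars from the start and `tail` chars from the end of the
    channel description, hex-decode the remainder (assumed encoding) and
    RC4-decrypt it to obtain the C2 gate address."""
    core = description[head:len(description) - tail]
    return rc4(key, bytes.fromhex(core)).decode("ascii")


# Constructed sample: a placeholder gate address wrapped in filler text, built
# here with the same primitive so that the example runs offline. Neither value
# is a real key or a real indicator.
ASSUMED_KEY = b"example-rc4-key"
GATE = "c2-gate.example.invalid/gate/"
DESCRIPTION = "About:" + rc4(ASSUMED_KEY, GATE.encode()).hex() + "##end"


def demo() -> str:
    """Run the decode over the constructed description and return the gate."""
    return recover_gate(DESCRIPTION, ASSUMED_KEY,
                        head=len("About:"), tail=len("##end"))


if __name__ == "__main__":
    print(demo())
```

For a real sample, the analyst substitutes the key and trim offsets pulled from the binary; the pipeline itself does not change.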

To communicate with the C2, Raccoon operators connect to this gate. The malware then scours the victim’s machine for anything of value, including browser-stored data and cryptocurrency wallets, and uses the C2 to exfiltrate it. At the same time, the C2 is used to download and run SilentXMRMiner, a miner written in Visual Basic .NET and protected with Crypto Obfuscator.

According to Sophos, the second-stage payloads delivered by Raccoon Stealer since October 2020 have spanned 18 malware strains. The most recent example is QuilClipper, “clipper” malware that targets bitcoin transactions.

“While analyzing similar samples to .Net loader and clipper on Virustotal, we found more samples hosted on the domain bbhmnn778[.]fun,” wrote researchers. “Some of the .NET loaders were Raccoon Stealer, and both the QuilClipper and Raccoon samples use the Raccoon Telegram channel we found in our initial Raccoon sample: telete[.]in/jbitchsucks. Investigating these files and searching on their filenames, we found a YouTube channel that promotes Raccoon Stealer and QuilClipper.”

Raccoon Economics: Attractiveness Equals Perniciousness

According to a review of the Raccoon Stealer infrastructure, there are 60 subdomains under the domain xsph[.]ru, 21 of which are now operational and registered with the Russian hosting provider SprintHost[.]ru.

Polat and Gallagher wrote: “This Raccoon Stealer campaign is indicative of how industrialized criminal activity has become.” Threat actors are increasingly relying on commercial criminal services, such as dropper-as-a-service and malware hosting-as-a-service offerings, to distribute Raccoon, according to the researchers.

Over a six-month period, the criminals behind the Raccoon campaign were able to deploy malware, steal cookies and credentials, and sell those stolen credentials on criminal marketplaces to steal approximately $13,200 in cryptocurrency, as well as mine another $2,900 in cryptocurrency using the victims’ computing resources, according to Sophos.

“It’s these kinds of economics that make this type of cybercrime so attractive – and pernicious,” noted Sophos.

by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! I love to write passionately about any subject, and my main inspiration is people’s stories. You can also find me on social media, for some more friendly things!