What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Aug 17, 2022
Increase in Observations of Socgholish Malware
THE THREAT Starting in early August 2022 and continuing through the month, eSentire identified a significant increase in Socgholish (aka. FakeUpdates) malware incidents. Socgholish is a loader type…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Sep 20, 2022
eSentire Recognized as Top Global MDR Provider by MSSP Alert, CrowdStrike and G2
Waterloo, ON - September 21, 2022 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), celebrated multiple industry recognitions as the leading global MDR provider, over the last week: Named #9, and the top pure play MDR provider on MSSP Alert’s Top 250 MSSPs global rankingRecognized as the CrowdStrike 2022 Global MSSP Partner of the Year Earned G2’s industry-renowned status…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Aug 31, 2022

eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2.0

18 minutes read
Speak With A Security Expert Now

Stealer malware is very popular among cybercriminals as they are easily configurable and only requires the victim to execute the binary for an attacker to receive the list of exfiltrated data. Most stealers operate under Malware-as-a-Service (MaaS) model, where the user can purchase the stealer, pack it, and distribute it mostly via fake cracked software.

This malware analysis delves deeper into the technical details of how the Raccoon Stealer v2.0 malware functions and our security recommendations to protect your organization from being exploited.

Key Takeaways

  • Raccoon Stealer version 2.0 is officially back. The latest version is significantly lighter and includes multiple features such as: the ability to create multiple proxy servers; full disk and USB drive scan; a loader feature using CMD/DLL/EXE commands (the user can also specify where to drop the secondary payload – LocalLow, Temp, AppData folders); and Telegram Bot configuration.
    • One of the main differences from the previous version is the ability to send the exfiltrated data in separate parts. This ensures that the attacker receives at least some amount of stolen data if antivirus products manage to detect the malicious activity at a runtime.
  • Raccoon Stealer is highly popular among Russian native speakers; most members in the private Telegram channel dedicated to Raccoon Stealer version 2.0 speak Russian.
  • Raccoon Stealer payloads can be delivered as an executable or a DLL (Dynamic Link Library) file. The executable file contains RC4 encrypted and Base64 encoded strings with a hardcoded RC4 key. The stealer uses run-time dynamic linking to be able to access the libraries only when needed, the technique is used to evade antivirus analysis and API (Application Program Interface) blocking.
  • The stealer is delivered via fake cracked software in a packed, encrypted form. The secondary payload can be any kind of malware.
  • The communication with the Command and Control (C2) server is performed in cleartext over port 80/HTTP.
  • eSentire’s TRU team assesses with high confidence that the same threat actor is behind the “84897964387342609301” campaign and the “7788926473349244” campaign. This assessment is based on the binary certificate and secondary C2 server used to serve a clipper.
  • eSentire’s TRU team assesses with high confidence that Raccoon Stealer v2.0 will be in high demand among other stealers based on affordability and usability. With the staff regrouping and new product launch, it is probable that the developers will implement more features in the future

Case Study

Raccoon Stealer first appeared on hacking forums around April 2019 and was advertised as a stealer written in C/C++ and can run on 32-bit and 64-bit systems without .NET dependencies (Figure 1). It came with a Telegram bot that sent the exfiltrated data directly to the attacker’s Telegram.

The original version also included multiple capabilities such as grabbing FileZilla sessions, acting as a dropper, grabbing system information, passwords, and cookies from browsers, stealing cryptocurrency wallets (Atomic, Jaxx liberty, Ripple, Ronin, Raven, Dash, Coinomi etc. wallets).

Figure 1: First apperance of Raccoon Stealer on a Russian-speaking hacking forum


Raccoon Stealer also sold a malicious program known as Raccoon Clipper that worked on the following crypto wallets:

The clipper program monitors the user’s clipboard for specific data and replaces it with the data defined by an attacker. In this case, if the user attempts to send Bitcoins to someone, the clipper replaces the copied wallet address with the attacker’s wallet address.

On March 25th, 2022, Raccoon Stealer operators announced a break and shut down the Raccoon Stealer MaaS project for a couple of months due to the loss of the main developer. However, they promised a comeback with Raccoon Stealer version 2.0 (Figure 2).

Figure 2: Discontinuation announcement for Raccoon Stealer version 1.0


On June 1, 2022, Raccoon Stealer announced the release of Raccoon Stealer 2.0 Beta test version that was developed from scratch with completely new front-end and back-end features (Figure 3).

Figure 3: Announcement of the new Raccoon Stealer version 2.0


On June 21, 2022, the official public Raccoon Stealer channel on Telegram became active again with an advertisement for a new version (Figure 4).

Figure 4: Raccoon Stealer version 2.0 advertisement on Telegram


On June 30th, 2022, the official announcement of the new version appeared on a Russian-speaking hacking forum. The beta version 2.0 was in testing mode for 2 months.

The new version of the stealer is priced at $150/week, $275/month, and $750/3 months.

The first samples of the new stealer started appearing in the wild on June 8, 2022. Threat researchers named the unknown malware as ‘RecordBreaker’ from the user-agent “Record” that it leverages during the communication with the C2 server.

Raccoon Stealer Version 2.0

Raccoon Stealer version 2.0 comes with a build written in C++. The size of the file is advertised to be significantly lighter than the previous version, approximately 55KB compared to 580KB since the run-time dependencies (CRT) are claimed to be removed.

The import functions are dynamically linked, almost all browsers are supported for cookies and credential exfiltration, Chrome cookie files, passwords are being decrypted on the C2 Server, supported crypto wallets include Coinbase, MetaMask, Brave, and Ronin.

The new stealer version also comes with a loader and a grabber, supports Chinese language for the stealer panel as well as Telegram bot configuration. The loader component allows an attacker to execute additional payloads on the infected system, the supported commands and file extensions for execution:

In the new version, an attacker can also choose a custom location (LocalLow, Temp, AppData) to drop the additional payloads.

The grabber component can do the recursive search and search across the entire disk, including mounted USB drives, using the command %DSK_235% or %DSK23% (the seller claims that it only takes 15-20 seconds for the full scan).

The stealer model has also changed. The attacker needs to install their own proxy server (up to 5 proxy IPs) through which the stealer binary, or build, will communicate. According to the seller, this increases the rates for successful malware execution and better performance.

It should be noted that in version 1.0, the stealer communicated with two requests:

As a result, the data was sent in parts during the collection process – browser profiles, screenshots, system information, and crypto wallets were sent separately. This was done to ensure that the attacker would still get at least some part of the exfiltrated data even if the antivirus detected the stealer in a runtime.

Raccoon Stealer “We steal, You deal!” analysis

Recently eSentire’s Threat Response Unit (TRU) team has observed multiple Raccoon Stealer v2.0 samples. We will look at one of the samples (MD5: 1aa8b18e333b780fe844b1d02c809324) that was delivered by a drive-by download.

The stealer spreads through the fake cracked software in a password-protected archive. The packed stealer is a 32-bit executable and weighs over 400MB and is packed with Themida packer and MPacker. Upon unpacking the stealer in the runtime, we extracted the payload (MD5: 42dd369c7b3312f4f8a6b20adae0f04d) which is approximately 7.85 MB. The payload contains the RC4 encrypted and Base64 encoded strings (Figure 5).

Figure 5: RC4 encrypted strings


What makes Raccoon Stealer v2.0 unique is that it uses the hardcoded RC4 key “edinayarossiya” which translates to “United Russia” in Russian language (Figure 6).

Figure 6: Translation of ‘edinayarossiya’ curtosey of Google Translate


The Table 1 shows the decrypted strings found in the sample. Some of the strings such as password.txt, autofill.txt, cookies.txt show the threat actor(s) intentions to exfiltrate sensitive data.

Table 1: Decrypted strings

RAM: %d MB\n CPU: %s (%d cores)\n Display size: %dx%d\n
Display Devices:\n%s\n OS: %s\n Locale: %s\n
cookies.sqlite formhistory.sqlite ews_
encryptedUsername":" grbr_ sqlite3_close
sqlite3_column_text16 sqlite3_column_bytes16 sqlite3_column_blob
sqlite3_finalize sqlite3_open16 sqlite3_step
sqlite3_prepare_v2 sqlite3.dll sstmnfo_
stats_version":" scrnsht_ pera
wallets wlts_ token:
tlgrm_ encrypted_key":" encryptedPassword":"
guid": httpRealm": &configId=
NUM:%s\nHOLDER:%s\nEXP:%s/%s\n NSS_Shutdown NSS_Init
MachineGuid Low BitBlt
CreateCompatibleBitmap CreateCompatibleDC Content-Disposition: form-dat
Content-Type: application/x-w Content-Type: multipart/form- Content-Type: text/plain;
Content-Type: application/x-o GetObjectW Gdi32.dll
GdiPlus.dll GdiplusStartup GdipSaveImageToFile
GdipCreateBitmapFromHBITMAP GdipGetImageEncoders GdipGetImageEncodersSize
GdipDisposeImage GET DeleteObject
\\passwords.txt \\autofill.txt \\cookies.txt
\\CC.txt Stable StretchBlt
SetStretchBltMode SelectObject SELECT origin_url, username_v
SELECT host_key, path, is_sece SELECT name_on_card, card_num SECITEM_FreeItem
SOFTWARE\\Microsoft\\Windows NT SProductName Profiles
POST PATH PK11_Authenticate
PK11_GetInternalKeySlot PK11_FreeSlot PK11SDR_Decrypt
User Data URL:%s\nUSR:%s\nPASS:%s\n Web Data
image/jpeg hostname":" nss3.dll
machineId= logins.json ldr_

Table 2: List of crypto wallets (wtls_) and file extensions the stealer searches for

wlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar*
wlts_atomic:Atomic;26;atomic;*;*cache*,*IndexedDB*
wlts_jaxxl:JaxxLiberty;26;com.liberty.jaxx;*;*cache*
wlts_binance:Binance;26;Binance;*app-store.*;-
wlts_coinomi:Coinomi;28;Coinomi\Coinomi\wallets;*;-
wlts_electrum:Electrum;26;Electrum\wallets;*;-
wlts_elecltc:Electrum-LTC;26;Electrum-LTC\wallets;*;-
wlts_elecbch:ElectronCash;26;ElectronCash\wallets;*;-
wlts_guarda:Guarda;26;Guarda;*;*cache*,*IndexedDB*
wlts_green:BlockstreamGreen;28;Blockstream\Green;*;cache,gdk,*logs*
wlts_ledger:Ledger Live;26;Ledger Live;*;*cache*,*dictionar*,*sqlite*
wlts_daedalus:Daedalus;26;Daedalus Mainnet;*;log*,*cache,chain,dictionar*
wlts_mymonero:MyMonero;26;MyMonero;*;*cache*
wlts_xmr:Monero;5;Monero\\wallets;*.keys;-
wlts_wasabi:Wasabi;26;WalletWasabi\\Client;*;*tor*,*log*

Table 3: List of browser crypto wallet extensions (ews_) the stealer searches for

ews_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings ews_meta:nkbihfbeogaeaoehlefnkodbefgpgknn;MetaMask;Local Extension Settings
ews_metax:mcohilncbfahbmgdjkbpemcciiolgcge;MetaX;Local Extension Settings ews_xdefi:hmeobnfnfcmdkdcmlblgagmfpfboieaf;XDEFI;IndexedDB
ews_waveskeeper:lpilbniiabackdjcionkobglmddfbcjo;WavesKeeper;Local Extension Settings ews_solflare:bhhhlbepdkbapadjdnnojkbgioiodbic;Solflare;Local Extension Settings
ews_rabby:acmacodkjbdgmoleebolmdjonilkdbch;Rabby;Local Extension Settings ews_cyano:dkdedlpgdmmkkfjabffeganieamfklkm;CyanoWallet;Local Extension Settings
ews_coinbase:hnfanknocfeofbddgcijnmhnfnkdnaad;Coinbase;IndexedDB ews_auromina:cnmamaachppnkjgnildpdmkaakejnhae;AuroWallet;Local Extension Settings
ews_khc:hcflpincpppdclinealmandijcmnkbgn;KHC;Local Extension Settings ews_tezbox:mnfifefkajgofkcjkemidiaecocnkjeh;TezBox;Local Extension Settings
ews_coin98:aeachknmefphepccionboohckonoeemg;Coin98;Local Extension Settings ews_temple:ookjlbkiijinhpmnjffcofjonbfbgaoc;Temple;Local Extension Settings
ews_iconex:flpiciilemghbmfalicajoolhkkenfel;ICONex;Local Extension Settings ews_sollet:fhmfendgdocmcbmfikdcogofphimnkno;Sollet;Local Extension Settings
ews_clover:nhnkbkgjikgcigadomkphalanndcapjk;CloverWallet;Local Extension Settings ews_polymesh:jojhfeoedkpkglbfimdfabpdfjaoolaf;PolymeshWallet;Local Extension Settings
ews_neoline:cphhlgmgameodnhkjdmkpanlelnlohao;NeoLine;Local Extension Settings ews_keplr:dmkamcknogkgcdfhhbddcghachkejeap;Keplr;Local Extension Settings
ews_terra_e:ajkhoeiiokighlmdnlakpjfoobnjinie;TerraStation;Local Extension Settings ews_terra:aiifbnbfobpmeekipheeijimdpnlpgpp;TerraStation;Local Extension Settings
ews_liquality:kpfopkelmapcoipemfendmdcghnegimn;Liquality;Local Extension Settings ews_saturn:nkddgncdjgjfcddamfgcmfnlhccnimig;SaturnWallet;Local Extension Settings
ews_guild:nanjmdknhkinifnkgdcggcfnhdaammmj;GuildWallet;Local Extension Settings ews_phantom:bfnaelmomeimhlpmgjnjophhpkkoljpa;Phantom;Local Extension Settings
ews_tronlink:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings ews_brave:odbfpeeihdkbihmopkbjmoonfanlbfcl;Brave;Local Extension Settings
ews_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings ews_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings
ews_mewcx:nlbmnnijcnlegkjjpcfjclmcfggfefdm;MEW_CX;Sync Extension Settings ews_ton:cgeeodpfagjceefieflmdfphplkenlfk;TON;Local Extension Settings
ews_goby:jnkelfanjkeadonecabehalmbgpfodjm;Goby;Local Extension Settings ews_ton_ex:nphplpgoakhhjchkkhmiggakijnkhfnd;TON;Local Extension Settings
ews_Cosmostation:fpkhgmpbidmiogeglndfbkegfdlnajnf;Cosmostation;Local Extension Settings ews_bitkeep:jiidiaalihmmhddjgbnbgdfflelocpak;BitKeep;Local Extension Settings
ews_gamestopext:pkkjjapmlcncipeecdmlhaipahfdphkd;GameStop;Local Extension Settings ews_stargazer:pgiaagfkgcbnmiiolekcfmljdagdhlcm;Stargazer;Local Extension Settings
ews_clv:nhnkbkgjikgcigadomkphalanndcapjk;CloverWallet;Local Extension Settings ews_jaxxlibertyext:cjelfplplebdjjenllpjcblmjkfcffne;JaxxLibertyExtension;Local Extension Settings

We observed the following Certificate information for the packed stealer binary:

Performing the search based on the serial number of the certificate, we found multiple Raccoon Stealer v2.0 samples (Figure 7).

Figure 7: Performing signature search based on the certificate serial number in VirusTotal


Raccoon Stealer v2.0 uses run-time dynamic linking technique (Figure 8) to access the libraries or DLLs, only when needed, with the help of LoadLibrary and GetProcAddress functions:

Figure 8: Run-time dynamic linking using LoadLibrary and GetProcAddress functions


The non-crypted and clean version of Raccoon Stealer v2.0 weighs only 55 KB as advertised and consists of 78 functions. The Raccoon Stealer distributor prohibits using the stealer without the crypter (the software that obfuscates and encrypts malware) and scanning the builds through virus scanners to prevent the increase of the detection rate and making the clean sample publicly available. Raccoon Stealer provides its own crypter to the clients for an extra payment.

Upon execution, the stealer makes two C2 connections: the first connection is to the main C2 server where the exfiltrated data is sent (45.133.216[.]200) while the second connection is to the IP that serves as a loader for the secondary payload (94.158.244[.]119) (Figure 9).

Figure 9: Stealer makes the connections to C2 servers


The IP address which serves the secondary payload was initially hosting the 32-bit binary “84897964387342609301” (MD5: 9f7bbc47a68cd4e2756f3b93ed11a992) that is disguised as Wmiprvse.exe (WMI Provider Host) (Figure 10).

Figure 10: The secondary payload "84897964387342609301" disguised as WMI Provider Host


Table 4: Upon analyzing the loader sample, we were able to extract the following strings:

jW5fQ5e-C7lR7tC1q 1AE12eEvYob8e5WVSkhainaDoFydHcxziz
3CXesBxRrLoQrhtXBzixcELUQqR94XyTan bc1qmla5mlcydy5ly4za7tf5xrwamuxt0jz6w62sl8
LggmPWTNgTPpY6evKrED2dy72wN9EDzgBQ MM1UY3oCPcBAbJWNL5f8CdaPgxFeM8KEmh
ltc1qf78tyv7ygtvnhlyak026956uhfh6wrpjgnuvsp 0xbbadfb56f56d37601f62039c8d368e13c3d5e210
433JgHYcvGfb5zCFFbfH3zW3HB6nz5ah1J6zSW8p2Ac6AvXCHzWacQdZD2snEnijjZVbhUxsMxVxwPHwopCGXFHWGDo59vU 832XKsTJiDCUSNjtnjcWVvXNwYKgzCoXPTejxnMhKHhNhb55RMyBgBMJpqS9RX7ywoKoV5pmTRdvvCMb3XsY4o9KHy5GLGE
D7kjwr9bTZCd4u8ws7KLvKsv71ai53vppJ addr1qxfaxxg87zn7y08wj784235sjussh5d0tvnf553nfqf3c2yn6vvs0u98ug7wa9u024rfp9epp0g67kexnffrxjqnrs5qlq308g
Ae2tdPwUPEZ4SGK88ZzwuAzcUsos6SBQA1rDpbMNZhJo2TezusztfvxkfU7 t1T8AFPn2G9oXE5ZPgAQSiipGwYyvgxavyX
bnb1zh48nf24wpcarq8clwfmxg5uggwwa9cqtpz6xk TGkPLc2XbSiDLdrxaiZpAzFu8WL37j1TYM
AaK9Z1EG6sZLfeVM3SkqUXFuamkDvBRfMy cosmos1ljx6qdfud54mhquec20nncrsp9zn0pmvlhjfuy
AGVDbNVutgwiep6615bjTJnQkScwWuUEMuU95NredRG5 XLZZIN45UKRRZIYERPIP3NLHZLRJB5MPBBK5NVDSCKCM6TY3CP4MJJYOWE
ronin:bbadfb56f56d37601f62039c8d368e13c3d5e210 Xb2miQJ1JjBJA6CTh1GYfDnzduSfRacTVg
rHDfnp9vP5aV81QqehsZZAEeKrgZUs3KyH RUG3uyX1vvgV3uadKnBPbgatH391U5E3E7
kernel32.dll Shlwapi.dll
ntdll.dll Shell32.dll
Ole32.dll User32.dll
\Microsoft\AddIns \WmiPrvSE.exe
hC5zF4xW4pD6iF6a.xml NodeJSEnvironmentUpdateTask
/C /create /F /sc minute /mo 5 /tn " " /tr "
C:\Windows\System32\schtasks.exe /C /create /F /tn "
" /XML " /C /Query /XML /TN "

The secondary payload appears to be a clipper, also known as Clipboard Hijacker, we mentioned previously. Some of the extracted strings are the attacker’s crypto wallet addresses (Figures 11-12).

Figure 11: Attacker's bitcoin balance


Figure 12: Attacker's Ripple balance on the account


The clipper creates persistence via Scheduled Tasks:

The first scheduled task runs the clipper every 5 minutes. The second scheduled task runs the task that is defined within the created XML file (Figure 13). This task is also named “NodeJSEnvironmentUpdateTask” and runs every 5 minutes, but it will run the dropped file named NodeDisplay.Container.exe (MD5: 74744fc068f935608dff34ecd0eb1f96) under C:\Users\<username>\AppData\Roaming\Microsoft\AddIns\.

Both executable payloads are clippers and contain the same wallet addresses.

Figure 13: Snipped of the XML file


It should be noted that the attacker also started serving a different 32-bit payload named “7788926473349244” (MD5: 2481b1a178d02579fae34366bf6b37b7) from the same IP address. The payload appears to be also a Clipboard Hijacker containing the previously mentioned wallet addresses of an attacker and disguised as Excel.exe application (Figure 14).

Figure 14: File description of the modified payload (7788926473349244)


The persistence is also achieved via Scheduled Task:

The XML file runs the clipper binary C:\Users\<username>\AppData\Roaming\Microsoft\Excel\cellexprev.exe every 5 minutes.

eSentire’s Threat Response Unit (TRU) team assesses with high confidence that the same threat actor is behind the “84897964387342609301” campaign and the “7788926473349244” campaign.

The stealer is distributed through the fake cracked software (Figure 15). The user then gets redirected to MediaFire or MEGA file hosting services to download the packed stealer. The malicious files have the common name “Setup.exe”, the IP address hosting and delivering the secondary payload is the same (94.158.244[.]119), and the files are also packed with Themida.

Figure 15: Fake cracked Source Insight software


Raccoon Stealer Version 2.0 Panel

Raccoon Stealer v2.0 supports three languages: Russian, Chinese, and English. The panel uses Cloudflare for DNS records so we assume that Raccoon Stealer operators also implemented the advertised DDoS (Distributed Denial of Service) protection from Cloudflare services.

The panel settings contain the options to set up a Telegram bot to receive the logs, 2FA, language interface, time zone, and the option to choose a blockchain explorer to check for the stolen wallet balances based on their addresses (Figure 16).

It takes approximately 5-7 minutes to get the logs sent by a Telegram bot after a successful infection. The example of the Telegram logs sent to an attacker is shown in Figure 16.

Figure 16: Raccoon Stealer v2.0 panel (Settings)


It takes approximately 5-7 minutes to get the logs sent by a Telegram bot after a successful infection. The example of the Telegram logs sent to an attacker is shown in Figure 17.

Figure 17: Logs sent from the configured Telegram Bot


The builds page contains the builds or stealer executables (Figure 18).

Figure 18: The Builds section of the panel


It should be noted that the stealer payload can be either an executable or DLL. The DLL payload is just slightly heavier than the executable (52.5 KB), and contains the ordinal [email protected] and has the same functionality as the executable.

Interestingly enough, the encrypted DLL sample has the strings in cleartext compared to the binary (Figure 19).

Figure 19: Cleartext strings in the DLL sample


The configuration can be added to the build to specify the rules for the loader and grabber (Figure 20). The build is tied to the personal proxy server, which the logs will go through. For the grabber, an attacker can specify which file extension to exfiltrate and folders as well as the maximum size. The loader capabilities have been previously mentioned.

Figure 20: Configuration section of the panel


The Logs panel (Figure 21) contains the successfully infected machines and their IP addresses.

Figure 21: Logs section of the panel


Figure 22: Captured password that was saved in the browser


An attacker can conveniently search for specific logs captured based on the countries, cookies, wallets, passwords within the panel using the Search option without having to directly download the exfiltrated data (Figure 23).

Figure 23: Search option in the panel


Raccoon Stealer v2.0 provides the support over Telegram (Figure 24). It also has a public and private channel. The private channel currently has 140 members in it and most of the members are native Russian speakers (Figure 24).

Figure 25: Raccoon Stealer private channel

Command & Control (C2) Communication

The communication with the C2 server is unencrypted over port 80/HTTP. First the infected machine would send a POST request to the C2 server using user-agent “mozzzzzzzzzzz” (eSentire TRU also observed the user-agent “record” used in the first POST request), the initial request contains the following command:

machineId=<MachineGuid>|<username>&configId=<stealer_build_value>

Then the C2 server starts serving the infected machine with all the DLL dependencies that the stealer needs to properly function that is later dropped under the %APPDATA%/LocalLow folder (Figure 26).

Figure 26: DLL dependencies pulled from C2 from the pcap


With the second POST request the infected machine sends the “System Info” text file which contains system information and installed applications (Figure 27).

Figure 27: System Info text file containing the system information and installed applications


The third POST request contains the cookie text file with all the cookies extracted from browsers (Figure 28).

Figure 28: Cookies.txt file


The last POST request contains the screenshot.jpg file captured on the infected host.

After each POST requests that contains “System Info.txt”, “ffcookies.txt” and “Screenshot.jpeg” files, the C2 server sends out a “received” command back to the infected host (Figure 29).

Figure 29: "received" command gets sent out to C2 server after each successful POST request


The summary of the C2 communications is outlined in Figure 30.

Figure 30: C2 communication diagram


We can also observe the stealer attempting to grab Telegram data and the loader component delivering the Clipboard Hijacker that we have mentioned previously. The secondary payload is delivered to %APPDATA% folder as an exe file (Figure 31). An example of the grabber component would look like this in the network traffic, where 400 is the maximum amount of data (KB) to grab:

grbr_Desktop:%USERPROFILE%\Desktop|*.txt,*.dat,*wallet*.*,*2fa*.*,*.exe|-|400|1|1|files

Figure 31: Exfiltrated data and the loader component


The attacker receives the logs in ZIP archive over Telegram, they also have the ability to download the logs over the link that supports multi-downloading from the panel. Multi-download is another feature that was introduced in Raccoon Stealer v2.0 to speed up the logs upload time. In the previous version the logs were collected from different servers, now the ZIP archive is collected on one server locally. The ZIP archive contains all the extracted data including cookies, passwords, binaries, screenshot, system information (Figures 32-33).

Figure 32: ZIP archive containing the exfiltrated logs


Figure 33: System Info text file

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a full-scale response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU) 

We recommend implementing the following controls to help secure your organization against RacoonStealerV2 malware:

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

Indicators of Compromise

Name Indicators
Setup.exe 1aa8b18e333b780fe844b1d02c809324
Setup.exe 2b222b532216497e5851077d65b1a61c
Extracted/unpacked payload 42dd369c7b3312f4f8a6b20adae0f04d
Clipper/Clipboard Hijacker (84897964387342609301.bin or WmiPrvSE.exe) 9f7bbc47a68cd4e2756f3b93ed11a992
hC5zF4xW4pD6iF6a.xml (Scheduled Task) f2c435a91cf9a3c700ad67e06438293b
Clipper/Clipboard Hijacker (NodeDisplay.Container.exe) 74744fc068f935608dff34ecd0eb1f96
Clipper/Clipboard Hijacker (7788926473349244.bin or cellexprev.exe) 2481b1a178d02579fae34366bf6b37b7
yqtfncwkobl.xml (Scheduled Task) a81596dd465b096a127a19523c8f23e7
Raccoon Stealer v2.0 Delphi sample d8e94b2e2ed7b34360a676ee6a47bcb9
Secondary payload hosting server 94.158.244[.]119
Raccoon Stealer C2 45.133.216[.]200
Raccoon Stealer C2 45.8.144[.]53
Raccoon Stealer C2 77.91.102[.]57/td>
Raccoon Stealer C2 193.43.146[.]17/td>

Yara Rules

rule RaccoonStealer_v2 {
    meta:
        author = "eSentire TI"
        date = "07/05/2022"
    strings:
        $beginning_of_decryption_func = {BF 44 C8 40 00 8D 4D FC 57 51 ?? ?? ?? 40 00 50 8B CE E8 ?? 46 00 00}
        $encrypted_string1 = {41 42 56 4C 6E 69 46 35 6A 4D 66 78 53 51 3D 3D}
        $encrypted_string2 = {5A 56 63 4D 75 42 77 77 67 6F 6A 78 4C 46 49 3D}
        $user_agent = {72 00 65 00 63 00 6F 00 72 00 64}
        $user_agent2 = {6D 00 6F 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A}
        $rc4_key = {65 64 69 6E 61 79 61 72 6F 73 73 69 79 61}
        $cleartext1 = "ews_"
        $cleartext2 = "tlgrm_"
        $cleartext3 = "grbr_"
    condition:
        3 of them 
        and (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)    
}

Skip To:

  • Key Takeaways
  • Case Study
  • How eSentire is Responding
  • Recommendations from eSentire’s Threat Response Unit (TRU) 
  • Appendix

Join 100,000+ Security Leaders

Get notified of the latest news, intel and helpful tools & assets. You can unsubscribe anytime.

By clicking the button below I confirm that I have read and agree to the eSentire privacy policy.

View Most Recent Blogs
eSentire Threat Response Unit (TRU)
eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.