eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2.0

Stealer malware is very popular among cybercriminals as they are easily configurable and only requires the victim to execute the binary for an attacker to receive the list of exfiltrated data. Most stealers operate under Malware-as-a-Service (MaaS) model, where the user can purchase the stealer, pack it, and distribute it mostly via fake cracked software.

This malware analysis delves deeper into the technical details of how the Raccoon Stealer v2.0 malware functions and our security recommendations to protect your organization from being exploited.

Case Study

Raccoon Stealer first appeared on hacking forums around April 2019 and was advertised as a stealer written in C/C++ and can run on 32-bit and 64-bit systems without .NET dependencies (Figure 1). It came with a Telegram bot that sent the exfiltrated data directly to the attacker’s Telegram.

The original version also included multiple capabilities such as grabbing FileZilla sessions, acting as a dropper, grabbing system information, passwords, and cookies from browsers, stealing cryptocurrency wallets (Atomic, Jaxx liberty, Ripple, Ronin, Raven, Dash, Coinomi etc. wallets).

Raccoon Stealer also sold a malicious program known as Raccoon Clipper that worked on the following crypto wallets:

• BTC_1, BTC_3, BTC_bc1
• LTC_L, LTC_M, LTC_ltc1
• ETH
• XMR_4, XMR_8
• DOGE

The clipper program monitors the user’s clipboard for specific data and replaces it with the data defined by an attacker. In this case, if the user attempts to send Bitcoins to someone, the clipper replaces the copied wallet address with the attacker’s wallet address.

On March 25^th, 2022, Raccoon Stealer operators announced a break and shut down the Raccoon Stealer MaaS project for a couple of months due to the loss of the main developer. However, they promised a comeback with Raccoon Stealer version 2.0 (Figure 2).

On June 1, 2022, Raccoon Stealer announced the release of Raccoon Stealer 2.0 Beta test version that was developed from scratch with completely new front-end and back-end features (Figure 3).

On June 21, 2022, the official public Raccoon Stealer channel on Telegram became active again with an advertisement for a new version (Figure 4).

On June 30^th, 2022, the official announcement of the new version appeared on a Russian-speaking hacking forum. The beta version 2.0 was in testing mode for 2 months.

The new version of the stealer is priced at $150/week, $275/month, and $750/3 months.

The first samples of the new stealer started appearing in the wild on June 8, 2022. Threat researchers named the unknown malware as ‘RecordBreaker’ from the user-agent “Record” that it leverages during the communication with the C2 server.

Raccoon Stealer Version 2.0

Raccoon Stealer version 2.0 comes with a build written in C++. The size of the file is advertised to be significantly lighter than the previous version, approximately 55KB compared to 580KB since the run-time dependencies (CRT) are claimed to be removed.

The import functions are dynamically linked, almost all browsers are supported for cookies and credential exfiltration, Chrome cookie files, passwords are being decrypted on the C2 Server, supported crypto wallets include Coinbase, MetaMask, Brave, and Ronin.

The new stealer version also comes with a loader and a grabber, supports Chinese language for the stealer panel as well as Telegram bot configuration. The loader component allows an attacker to execute additional payloads on the infected system, the supported commands and file extensions for execution:

• EXE
• DLL
• CMD
• PowerShell (The PowerShell command can be used for different purposes including fake/decoy pop-up messages or getting IP address of an infected machine via iplogger)

In the new version, an attacker can also choose a custom location (LocalLow, Temp, AppData) to drop the additional payloads.

The grabber component can do the recursive search and search across the entire disk, including mounted USB drives, using the command %DSK_235% or %DSK23% (the seller claims that it only takes 15-20 seconds for the full scan).

The stealer model has also changed. The attacker needs to install their own proxy server (up to 5 proxy IPs) through which the stealer binary, or build, will communicate. According to the seller, this increases the rates for successful malware execution and better performance.

It should be noted that in version 1.0, the stealer communicated with two requests:

• The first request would collect the data on the victim’s machine
• The second request would then send the full exfiltrated data after collection.

As a result, the data was sent in parts during the collection process – browser profiles, screenshots, system information, and crypto wallets were sent separately. This was done to ensure that the attacker would still get at least some part of the exfiltrated data even if the antivirus detected the stealer in a runtime.

Raccoon Stealer “We steal, You deal!” analysis

Recently eSentire’s Threat Response Unit (TRU) team has observed multiple Raccoon Stealer v2.0 samples. We will look at one of the samples (MD5: 1aa8b18e333b780fe844b1d02c809324) that was delivered by a drive-by download.

The stealer spreads through the fake cracked software in a password-protected archive. The packed stealer is a 32-bit executable and weighs over 400MB and is packed with Themida packer and MPacker. Upon unpacking the stealer in the runtime, we extracted the payload (MD5: 42dd369c7b3312f4f8a6b20adae0f04d) which is approximately 7.85 MB. The payload contains the RC4 encrypted and Base64 encoded strings (Figure 5).

What makes Raccoon Stealer v2.0 unique is that it uses the hardcoded RC4 key “edinayarossiya” which translates to “United Russia” in Russian language (Figure 6).

The Table 1 shows the decrypted strings found in the sample. Some of the strings such as password.txt, autofill.txt, cookies.txt show the threat actor(s) intentions to exfiltrate sensitive data.

Table 1: Decrypted strings

Table 2: List of crypto wallets (wtls_) and file extensions the stealer searches for

Table 3: List of browser crypto wallet extensions (ews_) the stealer searches for

We observed the following Certificate information for the packed stealer binary:

• AVG Technologies USA, LLC
• Serial Number: 0e31e48d08065b098f84e7c510336074
• Thumbprint: 95ab6bca9a015d877b443e71cb09c0ed0b5de811

Performing the search based on the serial number of the certificate, we found multiple Raccoon Stealer v2.0 samples (Figure 7).

Raccoon Stealer v2.0 uses run-time dynamic linking technique (Figure 8) to access the libraries or DLLs, only when needed, with the help of LoadLibrary and GetProcAddress functions:

• LoadLibrary function helps the system to locate the specific DLL
• GetProcAddress retrieves the address of an exported function from the DLL. The technique is used to evade antivirus analyses and suspicious API blocking.

The non-crypted and clean version of Raccoon Stealer v2.0 weighs only 55 KB as advertised and consists of 78 functions. The Raccoon Stealer distributor prohibits using the stealer without the crypter (the software that obfuscates and encrypts malware) and scanning the builds through virus scanners to prevent the increase of the detection rate and making the clean sample publicly available. Raccoon Stealer provides its own crypter to the clients for an extra payment.

Upon execution, the stealer makes two C2 connections: the first connection is to the main C2 server where the exfiltrated data is sent (45.133.216[.]200) while the second connection is to the IP that serves as a loader for the secondary payload (94.158.244[.]119) (Figure 9).

The IP address which serves the secondary payload was initially hosting the 32-bit binary “84897964387342609301” (MD5: 9f7bbc47a68cd4e2756f3b93ed11a992) that is disguised as Wmiprvse.exe (WMI Provider Host) (Figure 10).

Table 4: Upon analyzing the loader sample, we were able to extract the following strings:

The secondary payload appears to be a clipper, also known as Clipboard Hijacker, we mentioned previously. Some of the extracted strings are the attacker’s crypto wallet addresses (Figures 11-12).

The clipper creates persistence via Scheduled Tasks:

• /C /create /F /sc minute /mo 5 /tn "NodeJSEnvironmentUpdateTask" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\WmiPrvSE.exe" (MD5: 9f7bbc47a68cd4e2756f3b93ed11a992)
• /C /create /F /tn "NodeJSEnvironmentUpdateTask" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\hC5zF4xW4pD6iF6a.xml" (MD5: f2c435a91cf9a3c700ad67e06438293b)

The first scheduled task runs the clipper every 5 minutes. The second scheduled task runs the task that is defined within the created XML file (Figure 13). This task is also named “NodeJSEnvironmentUpdateTask” and runs every 5 minutes, but it will run the dropped file named NodeDisplay.Container.exe (MD5: 74744fc068f935608dff34ecd0eb1f96) under C:\Users\<username>\AppData\Roaming\Microsoft\AddIns\.

Both executable payloads are clippers and contain the same wallet addresses.

It should be noted that the attacker also started serving a different 32-bit payload named “7788926473349244” (MD5: 2481b1a178d02579fae34366bf6b37b7) from the same IP address. The payload appears to be also a Clipboard Hijacker containing the previously mentioned wallet addresses of an attacker and disguised as Excel.exe application (Figure 14).

The persistence is also achieved via Scheduled Task:

• /C /create /F /sc minute /mo 5 /tn "ExcelUpdateTaskUA{T0U3T7L6V-L9N0-X6X8D-V5S0-X3L4FL9G9S}" /tr "C:\Users\user\AppData\Roaming\Microsoft\Excel\cellexprev.exe (MD5: 2481b1a178d02579fae34366bf6b37b7)
• /C /create /F /tn "ExcelUpdateTaskUA{T0U3T7L6V-L9N0-X6X8D-V5S0-X3L4FL9G9S}" /XML "C:\Users\user\AppData\Roaming\Microsoft\Excel\yqtfncwkobl.xml (MD5: a81596dd465b096a127a19523c8f23e7)

The XML file runs the clipper binary C:\Users\<username>\AppData\Roaming\Microsoft\Excel\cellexprev.exe every 5 minutes.

eSentire’s Threat Response Unit (TRU) team assesses with high confidence that the same threat actor is behind the “84897964387342609301” campaign and the “7788926473349244” campaign.

The stealer is distributed through the fake cracked software (Figure 15). The user then gets redirected to MediaFire or MEGA file hosting services to download the packed stealer. The malicious files have the common name “Setup.exe”, the IP address hosting and delivering the secondary payload is the same (94.158.244[.]119), and the files are also packed with Themida.

Raccoon Stealer Version 2.0 Panel

Raccoon Stealer v2.0 supports three languages: Russian, Chinese, and English. The panel uses Cloudflare for DNS records so we assume that Raccoon Stealer operators also implemented the advertised DDoS (Distributed Denial of Service) protection from Cloudflare services.

The panel settings contain the options to set up a Telegram bot to receive the logs, 2FA, language interface, time zone, and the option to choose a blockchain explorer to check for the stolen wallet balances based on their addresses (Figure 16).

It takes approximately 5-7 minutes to get the logs sent by a Telegram bot after a successful infection. The example of the Telegram logs sent to an attacker is shown in Figure 16.

It takes approximately 5-7 minutes to get the logs sent by a Telegram bot after a successful infection. The example of the Telegram logs sent to an attacker is shown in Figure 17.

The builds page contains the builds or stealer executables (Figure 18).

It should be noted that the stealer payload can be either an executable or DLL. The DLL payload is just slightly heavier than the executable (52.5 KB), and contains the ordinal _Start@16 and has the same functionality as the executable.

Interestingly enough, the encrypted DLL sample has the strings in cleartext compared to the binary (Figure 19).

The configuration can be added to the build to specify the rules for the loader and grabber (Figure 20). The build is tied to the personal proxy server, which the logs will go through. For the grabber, an attacker can specify which file extension to exfiltrate and folders as well as the maximum size. The loader capabilities have been previously mentioned.

The Logs panel (Figure 21) contains the successfully infected machines and their IP addresses.

• BLD – build number of the stealer
• GEO – geolocation (country)
• PWD – stands for passwords as opposed to present working directory (Figure 22)
• CKE – cookies
• WLT –crypto wallets
• CC – credit card information
• ACT – the number of logs collected

An attacker can conveniently search for specific logs captured based on the countries, cookies, wallets, passwords within the panel using the Search option without having to directly download the exfiltrated data (Figure 23).

Raccoon Stealer v2.0 provides the support over Telegram (Figure 24). It also has a public and private channel. The private channel currently has 140 members in it and most of the members are native Russian speakers (Figure 24).

Command & Control (C2) Communication

The communication with the C2 server is unencrypted over port 80/HTTP. First the infected machine would send a POST request to the C2 server using user-agent “mozzzzzzzzzzz” (eSentire TRU also observed the user-agent “record” used in the first POST request), the initial request contains the following command:

machineId=<MachineGuid>|<username>&configId=<stealer_build_value>

Then the C2 server starts serving the infected machine with all the DLL dependencies that the stealer needs to properly function that is later dropped under the %APPDATA%/LocalLow folder (Figure 26).

With the second POST request the infected machine sends the “System Info” text file which contains system information and installed applications (Figure 27).

The third POST request contains the cookie text file with all the cookies extracted from browsers (Figure 28).

The last POST request contains the screenshot.jpg file captured on the infected host.

After each POST requests that contains “System Info.txt”, “ffcookies.txt” and “Screenshot.jpeg” files, the C2 server sends out a “received” command back to the infected host (Figure 29).

The summary of the C2 communications is outlined in Figure 30.

We can also observe the stealer attempting to grab Telegram data and the loader component delivering the Clipboard Hijacker that we have mentioned previously. The secondary payload is delivered to %APPDATA% folder as an exe file (Figure 31). An example of the grabber component would look like this in the network traffic, where 400 is the maximum amount of data (KB) to grab:

grbr_Desktop:%USERPROFILE%\Desktop|*.txt,*.dat,*wallet*.*,*2fa*.*,*.exe|-|400|1|1|files

The attacker receives the logs in ZIP archive over Telegram, they also have the ability to download the logs over the link that supports multi-downloading from the panel. Multi-download is another feature that was introduced in Raccoon Stealer v2.0 to speed up the logs upload time. In the previous version the logs were collected from different servers, now the ZIP archive is collected on one server locally. The ZIP archive contains all the extracted data including cookies, passwords, binaries, screenshot, system information (Figures 32-33).

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a full-scale response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

• Implementing threat detections and BlueSteel, our machine-learning powered PowerShell classifier, to identify malicious command execution and ensure that eSentire has visibility and detections are in place across eSentire MDR for Endpoint and MDR for Network.

• Performing global threat hunts for indicators associated with Raccoon Stealer V2.

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU) 

We recommend implementing the following controls to help secure your organization against RacoonStealerV2 malware:

• Implement a Phishing and Security Awareness Training (PSAT) program that educates & informs employees on emerging threats in the threat landscape
• Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions

• Encourage your employees to use password managers instead of using the password storage feature provided by web browsers.

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

• https://twitter.com/James_inthe_box/status/1534593736356663296?s=20&t=t1cEYB2pSBS9XszK2OQMrg
• https://knowledge.ni.com/KnowledgeArticleDetails?id=kA00Z000000kHBmSAM#:~:text=An%20ordinal%20number%20an%20identifier,to%20it%20%2D%20its%20ordinal%20number
• https://docs.microsoft.com/en-us/windows/win32/dlls/run-time-dynamic-linking
• https://docs.microsoft.com/en-us/windows/win32/api/

Indicators of Compromise

Yara Rules

rule RaccoonStealer_v2 {
    meta:
        author = "eSentire TI"
        date = "07/05/2022"
    strings:
        $beginning_of_decryption_func = {BF 44 C8 40 00 8D 4D FC 57 51 ?? ?? ?? 40 00 50 8B CE E8 ?? 46 00 00}
        $encrypted_string1 = {41 42 56 4C 6E 69 46 35 6A 4D 66 78 53 51 3D 3D}
        $encrypted_string2 = {5A 56 63 4D 75 42 77 77 67 6F 6A 78 4C 46 49 3D}
        $user_agent = {72 00 65 00 63 00 6F 00 72 00 64}
        $user_agent2 = {6D 00 6F 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A}
        $rc4_key = {65 64 69 6E 61 79 61 72 6F 73 73 69 79 61}
        $cleartext1 = "ews_"
        $cleartext2 = "tlgrm_"
        $cleartext3 = "grbr_"
    condition:
        3 of them 
        and (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)    
}