Raccoon Stealer Propagates Through Google SEO
The group behind Raccoon Stealer has updated its services to include tools for stealing cryptocurrency from a victim's computer and new remote access features for installing malware and stealing files. The platform offers turnkey services for stealing browser-stored passwords and authentication cookies. According to new research from SophosLabs, the platform has received an update that includes new tools and new distribution networks to increase the number of infected targets.
Raccoon Stealer has evolved from inbox-based infections to a campaign that leverages Google Search. According to Sophos, the operators have been getting better at getting their web pages ranked higher in Google search results. The bait in this campaign is software piracy tooling: programs that crack licensed software, or keygen programs that promise to generate registration keys to unlock licensed software. While the sites advertise themselves as a repository of cracked, legitimate software packages, the files are actually disguised droppers. Clicking on the links redirects to JavaScript hosted on Amazon Web Services that shunts victims to one of multiple download locations, delivering different versions of the dropper.
What is unique about Raccoon Stealer is that, unlike other info-stealer services and malware that target individuals via their inboxes, it is distributed via malicious websites. Victims who fall for the trick download a first-stage payload: an archive. That archive contains another, password-protected archive and a text document holding the password used later in the infection chain. The archive containing the executable is password-protected to evade malware scanning. Opening the executable delivers self-extracting installers. They carry signatures associated with self-extracting archives from tools such as 7-Zip or WinZip SFX, but cannot be unpacked by those tools. Either the signatures have been faked, or the file headers have been manipulated by the operators behind the droppers so that the contents cannot be unpacked without execution.
To manage infected systems, the operators use the secure messaging platform Telegram and further obfuscate communications with an RC4 key to hide the configuration IDs associated with the Raccoon client. This is not a straightforward decryption process: a portion of the string is trimmed from both the start and the end of the Telegram channel description, and the remaining text is then decrypted with RC4 to obtain the C2 gate address. Raccoon operators connect to the gate to communicate with the C2. The criminals then go on a scavenger hunt, stealing everything from browser-based data to cryptocurrency wallets. At the same time, the C2 is used to download SilentXMRMiner, a miner written in Visual Basic .NET and obfuscated with Crypto Obfuscator, which then runs on the victim's machine.
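The description-to-gate step above is what an analyst's configuration extractor has to reproduce. The following is an added example, not code from Sophos or from Raccoon itself; the trim offsets, the RC4 key, the hex encoding of the ciphertext and the gate address are all constructed placeholders, since the article gives none of them.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, XORed with data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_gate(description: str, key: bytes, head: int, tail: int) -> str:
    """Recover the C2 gate address from a Telegram channel description:
    drop `head` characters from the front and `tail` from the end, hex-decode
    what is left and RC4-decrypt it. Offsets, key and hex transport are
    assumptions for this example, not values from the article."""
    core = description[head:len(description) - tail]
    return rc4(key, bytes.fromhex(core)).decode("utf-8")


# Constructed sample input (placeholder values only) so the extractor can be
# exercised offline: 8 junk characters, hex ciphertext, 5 junk characters.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_GATE = "http://gate.example.invalid/gate"
HEAD, TAIL = 8, 5
SAMPLE_DESCRIPTION = (
    "junkhead" + rc4(SAMPLE_KEY, SAMPLE_GATE.encode("utf-8")).hex() + "trail"
)

if __name__ == "__main__":
    print(extract_gate(SAMPLE_DESCRIPTION, SAMPLE_KEY, HEAD, TAIL))
```

Feeding a real channel description into `extract_gate` requires the sample-specific offsets and key, which are recovered from the unpacked client binary rather than guessed.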
The Raccoon Stealer infrastructure revealed 60 subdomains under the domain xsph[.]ru, 21 of them active and registered through the Russian hosting provider SprintHost[.]ru. This Raccoon Stealer campaign shows how industrialized criminal activity has become. The operators increasingly rely on a collection of paid services, such as dropper-as-a-service and malware-hosting-as-a-service, to deploy Raccoon. The group behind this Raccoon campaign is able to deploy malware, steal cookies and credentials, and sell those stolen credentials.