Raccoon Stealer Announce Return After Hiatus

Introduction to Racoon Stealer

First observed in 2019 and advertised (Figure 1) as a ‘Malware-as-a-Service’ (MaaS) threat on various cybercriminal forums, Raccoon is an information stealer targeting victim credentials and cryptocurrency wallets.

Seemingly favored by some threat actors due to its simplicity, the malware element of Raccoon omits advanced features, such as those used to evade detection, and instead focuses on the ‘stealer’ task in hand.

Whilst this approach requires those deploying the threat to utilize third-party tools for evasion, such as cryptors or packers to thwart signature-based detection, the ongoing popularity and apparent success of Raccoon suggests that this has not been a problem for many.

Lacking their own distribution method, in the past Raccoon incidents appear to have begun with the delivery of malicious document attachments sent via an indiscriminate unsolicited email (malspam) campaign. It was also reported that Raccoon malware had dropped using third-party exploit kits and other malware families.

Raccoon samples have been seen to mimic other executables although, based on their filenames, these have likely been distributed via sites hosting copyright-infringing materials which, in themselves, should be considered high-risk and be avoided.

Further leading to Raccoon’s continued prevalence and success, those behind this MaaS offering are lauded for their high levels of service, and their management dashboard, much like the malware element, is reportedly straightforward and easy to use.

In 2019 Raccoon advertised on various cybercriminal forums with subscriptions available for $499 (US) for four months, $200 for one month and $75 for a ‘trial’ week. The minimal outlay combined with a positive reputation appealed to many less sophisticated threat actors, especially given the potential return on investment (ROI) following the resale or abuse of stolen credentials and cryptocurrency wallets.

But yesterday, Raccoon Infostealer announced its return after a hiatus of 6 months.

In October 2022, one of its main operators named, Mark Sokolovsky, responsible for the infrastructure of the Raccoon Infostealer, was arrested in the Netherlands with an extradition request from the United States due to its role in the operation of the Raccoon Infostealer’s malware-as-aservice or “MaaS”.

With his arrest, the FBI has collected data stolen from many computers that cybercriminals infected with Raccoon Infostealer. While an exact number has yet to be verified, FBI agents have identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) in the stolen data from what appears to be millions of potential victims around the world. The credentials appear to include over four million email addresses.

The arrest of Mark Sokolovsky caused the Raccoon Infostealer Operators to temporarily halt the operation for fear of being indicted. As mentioned above, the Raccoon Infostealer was one of the most famous and popular infostealer because of its relatively low price (USD$75 weekly subscription and $200 per month) and its promising features. Also known as “Racealer,” Racoon Infostealer is used to steal sensitive and
confidential information, including login credentials, credit card information, cryptocurrency wallets,
and browser information (cookies, history, autofill) from almost 60 applications.

New Features and Updates

1. Quick search for cookies and passes – The new Raccoon admin panel introduces a new way to
search for URLs in the latest version. This means finding specific links in large datasets is now
much faster, even when dealing with millions of documents and thousands of different links. The
improvement is not just a minor upgrade – it’s a significant step forward and changes in how
searches work for those who purchase Raccoon Malware, making them much quicker, even with
huge amounts of data.
This update aims to make it easier for Threat Actors to find the links they need, providing a new
level of convenience.

2. Automatic bot blocking and panel display – A new system is now added to the infostealer to
detect unusual activity patterns, such as multiple accesses from the same IP address or range. If
this system identifies suspicious behavior, it automatically deletes records associated with those
activities and updates the information on each client pad. This makes it harder for security tools
that use automation and bots for the detection of malware.

Legend: Green Smiley = Activity of the IP is normal. Red Smiley = High probability that bots or
other automated systems created or actively used the log.

3. Reporting System – This feature was added to block IP Addresses used by crawlers and bots
often used by Security Practitioners to monitor Raccoon Traffic

4. Log Statistics – With this, any Threat Actor who purchases the Raccoon Infostealer can see the
top countries by the number of logs, as in the first versions of our stealer.

Raccoon Stealer Behavior and Capabilities
Raccoon targets a wide range of applications and uses specific techniques to extract and harvest
data from those applications.
Additionally, it is observed that Raccoon performs the same procedure to extract data from its
targeted applications:
• Extract the application file that contains the sensitive data.
• Copy the file to a specific folder (%Temp%).
• Create and write a text file to the target application’s folder with the stolen information.
To obtain and decrypt credentials from applications, Raccoon acquires and downloads the DLLs
associated with those applications.

Racoon Stealer Target Applications
Browsers:

• Google Chrome
• Comodo Dragon
• Amigo
• Orbitum
• Bromium
• Nichrome
• RockMelt
• 360Browser
• Vivaldi
• Opera
• Sputnik
• Kometa
• Uran
• QIP Surf
• Epic Privacy
• CocCoc
• CentBrowser
• 7Star
• Elements
• TorBro
• Suhba
• Safer Browser
• Mustang
• Superbird
• Chedot
• Torch
• Internet Explorer
• Microsoft Edge
• Firefox
• WaterFox
• SeaMonkey
• PaleMoon

Email Clients:

• ThunderBird
• Outlook
• Foxmail

Cryptocurrency:

• Electrum
• Ethereum
• Exodus
• Jaxx
• Monero
• Bither

After successfully extracting data and information, Raccoon gathers all the files and collects it to a
newly created folder by the malware itself called “Log.zip”. Afterward, the file is sent to its
configured C&C server, removing all its infection traces.

The resurgence of the well-known infostealer group “Raccoon” following a hiatus has triggered alarm
in the cyber security landscape, particularly within the financial sector. The return of Raccoon
highlights the potential danger for industries like finance, which are prime targets for data breaches
and financial fraud.

Raccoon Stealer Control Panel

Hosted on a Tor onion service, Raccoon subscribers have access to a centralized control panel from which they can generate and/or manage campaign configurations, build Raccoon malware payloads, and view data stolen from victims.

Displayed in English by default, although also available in Russian, visitors to the control panel are prompted to log in using the username and password (Figure 2) they presumably received when subscribing.

Visitors can also view the Support page, without authentication, that provides both Jabber and Telegram contact details for those who are behind this MaaS threat (Figure 8).

Given the inability to purchase access through this official control panel, threat actors seeking access would presumably need to initiate contact with the Raccoon team, via their forum posts or using the contact details above to ‘subscribe’.

Although access to this control panel requires an active Raccoon subscription and credentials, screenshots previously shared by the threat actor provide an insight into its interface and functionality based on the available menu options (Figure 9)

Notably, the control panel makes use of JavaScript resources (Figure 10) that can be accessed without authentication and allows some of the current functionality to be determined, including features that would likely require administrative access.

In addition to this, the JavaScript exposes text related to the user agreement and FAQ sections, both of which are provided within the appendices for reference.

Administrative Options

Based on an analysis of the exposed JavaScript resource, the following additional menu options appear to be available to Raccoon’s administrators:

• • All logs

• • All statistics

• • News

• • Proxies

• • Users

Potentially leaving a subscriber unaware of their malware deployment’s success, code references related to the ‘All logs’ and ‘All statistics’ options appear to provide Raccoon administrators with the ability to access and/or delete data processed by the platform.

Theoretically allowing administrators to have their pick of any victim data, it would likely be naive to think that this would not be the case and may therefore be one cost of doing business with other cybercriminals, especially given the adage that there is no honor amongst thieves.

Commonly used for anonymization, even though the intent is not obvious from the JavaScript (Figure 11) and may be related to their gate infrastructure, the ‘Proxy’ option enables Raccoon administrators to add, remove and test proxies, including running checks against ‘VT’ (presumably VirusTotal) as well as assigning them to and from users.

Given that the Raccoon malware component does not appear to upload stolen data directly to this Tor onion site, it is possible that the proxy configuration is used to mask the exfiltration process to intermediate infrastructure, although, without further analysis, this is currently speculation.

Finally, the remaining administrative options are likely more self-explanatory with the ‘News’ option facilitating the creation of news articles or notifications and the ‘Users’ option providing subscriber management.

Statistics/Account

Likely displayed upon login and the default page for a subscriber visiting the control panel, the Statistics panel provides an at-a-glance overview of active campaigns (Figure 12).

Additionally, the Account section displays the current Main and Bonus balances, likely related to subscription funds, alongside options that allow the control panel interface to be switched between light and dark modes, the configuration of two-factor authentication, and a password reset function.

Notably, the ‘Check wallets’ option visible in the screenshot does not appear to be referenced by the current JavaScript resource and may have been removed. Whilst vague, this option may have provided the ability to determine the value of stolen cryptocurrency wallets, such as via public blockchain services, although with an increase in targeted currencies it may no longer be relevant.

Logs

Seemingly enhanced since Raccoon’s initial release, victim data presented within a legacy screenshot (Figure 13) is consistent with the malware’s current capabilities but lacks additional columns identified from an analysis of the currently deployed JavaScript resource.

Based on the current control panel, it appears that the ‘Logs’ table now shows the following headers:

• • GEO – Country code based on victim IP address geolocation.

• • IP – Victim IP address.

• • USR – Implies ‘username’ but may be another unique victim identifier (references ‘bot_id’).

• • UTC – Victim system time.

• • UA – Victim browser user-agent strings.

• • PWD – Number of acquired victim passwords.

• • CKE – Number of acquired victim cookies.

• • CC – Number of acquired victim credit card details.

• • WLT – Number of acquired victim cryptocurrency wallets.

• • TAG – Likely a user-customizable tag feature.

• • DAT – Potentially identifies date/time the data was acquired (references ‘create_data_unix’).

• • USR – Seemingly duplicated header displaying the victim’s username.

• • COM – Customizable comment field.

• • GET – Displays the exfiltrated file size and allows the Zip archive to be downloaded.

• • ACT – Additional ‘actions’ including the ability to delete the stolen data.

A comprehensive search capability is also provided within the Logs section (Figure 14) that, given the presence of an elasticsearch_id string within the JavaScript, may indicate that the control panel is using Elasticsearch to store stolen data.

Builds/Config

Undoubtedly used to configure and create Windows executables that contain the Raccoon stealer payload, the JavaScript resource provides an indication of the functionality present in the Builds and Configs sections of the control panel.

Based on the FAQ, subscribers have the ability to generate a single build, although multiple configurations are supported as these can be updated and downloaded from the C2 infrastructure mid-campaign. In addition to preventing subscriber abuse, such as account sharing or usage after license expiration, this eliminates the need for subscribers to rebuild their payload after making subtle configuration changes.

Having assigned a name to their configuration, the following options can be set:

• • Screenshots – Disabled by default; takes a screenshot of the victim desktop.

• • Browser history – Disabled by default; gathers 1,000 lines of recent web-browser history.

• • Self removal – Automatically removes Raccoon stealer after data exfiltration.

• • File loader URLs – Download and execute additional payloads on the victim host after data exfiltration.

Additionally, ‘file grabber rules’ can be configured to allow collection and exfiltration of files from victim hosts based on the following conditions:

• • Path – Starting directory on the victim host from which to start the ‘file grabber’; for example: C:\.

• • Mask – Comma-delimited list of filename masks including wildcards; for example: *.doc,*.xls.

• • Size Limit – Maximum size per file (up-to 100mb), in kilobytes; for example 150kb would be: 150.

• • Exceptions – Directories, within the specified path, to excluded from searches, for example: \Windows\.

• • Subfolders – Presumably enabling or disabling searches within subdirectories.

• • Shortcuts – Collect matching files referenced by shortcuts; for example, file.doc.lnk would download the corresponding file.doc.

After defining and selecting a configuration, the build process allows the creation of either a dynamic link library (DLL) or executable (EXE) that would enable the threat actor to deliver and launch the payload using their preferred method.

As a somewhat professional touch, and likely contributing toward the positive opinion of Raccoon, a test feature allows this newly built payload to be tested in a virtual machine maintained by the Raccoon team. Presumably used to check that the payload successfully executes and communicates with the C2 infrastructure, the conclusion of this test reportedly results in a notification being sent to the subscriber via the control panel.

Consistent with many other Russian-language cybercriminal threats, attention is drawn to the fact that Raccoon stealer will not function on victim hosts that are determined as being within the Commonwealth of Independent States (CIS) based on their system locale (language) or IP address. Subscribers are also reminded to ‘crypt’ their builds to evade detection and to ‘keep in mind’ that long-term use could increase the chances of detection (Figure 15).

Raccoon Stealer Payload

Having tested and secured their payload, the threat actor will need to deliver Raccoon to would-be victims.

Based on observations of recent activity, many appear to favor using malicious document attachments sent via unsolicited email (malspam) campaigns, potentially linked to the use of third-party exploit kits or other malware families, as well as Raccoon payloads being uploaded to file-sharing sites, such as those hosting copyright-infringing materials, and/or mimicking other executables.

Command & Control

Based on the intelligence gathered from the Raccoon Stealer control panel, each payload will attempt to communicate with some seemingly benign or legitimate URL from which an encrypted string is gathered and processed to obtain the true command and control (C2) URL, typically comprised of an IP address and potentially a /gate/log.php resource.

As detailed in a February 2020 analysis, Raccoon previously hid this C2 server address in an encrypted string that posed as a filename hosted on Google Drive, even though this is seemingly no longer the case.

Based on analysis of recent payloads, Raccoon currently communicates with websites offering Telegram URL shortening services. Upon access, the profile overview of a threat actor-controlled Telegram user is displayed (Figure 16) with the ‘description’ field containing an encrypted C2 string.

Parsing this HTML response, Raccoon locates the encrypted C2 URL by locating the preceding string description" dir="auto"> (Figure 17).

While this feature allows the C2 servers to be easily updated, the use of third-party Telegram URL shortening services rather than the legitimate service (https://t[.]me/<GROUP|USER>) allows defenders to detect and block anomalous behavior, especially given the low-reputation domains that these are hosted on.

Having decrypted and decoded the encrypted C2 URL, using its own XOR cipher routines, Raccoon calls home via a HTTP POST containing three parameters hidden in a base64 encoded and RC4 encrypted string (Figure 18):

• • b= – Bot identifier, comprised of the victim ‘machine GUID’, as found in the Windows registry, an underscore and the victim username.

• • c= – Configuration identifier, a hexadecimal string or hash that refers to a specific threat actor’s configuration.

• • f= – Configuration file format, only observed as being set to ‘JSON’.

• In response, the C2 server sends a JSON configuration, also base64 encoded and RC4 encrypted with the same passphrase, containing the following values (Figure 19):

  • _id – Identifier, potentially related to the threat actor or some combination of victim and/or configuration.

• • au – Previously known as attachment_url, specifies the C2 path containing supporting files used by the Raccoon payload such as sqlite3.dll.

• • ls – Previously known as libraries, supporting files for the Raccoon payload.

• • ip – Victim IP address.

• • location – Victim IP geolocation, contains country, country_code, state, state_code, city, zip, latitude and longitude.

• • c – Previously known as the config section, contains:

    • • m – Previously known as masks, specifies any file search masks used for data theft.
    • • lu – Previously known as loader_urls, specifies any additional payloads to be downloaded and executed after the conclusion of Raccoon’s data exfiltration.

• • lu – Seemingly a second loader_urls value.

• • rm – Disables (0) or enables (1) the self-removal feature.

• • is_screen_enabled – Disables (0) or enables (1) the screenshot feature.

• • is_history_enabled – Disables (0) or enables (1) the browser history acquisition feature.

• • depth – Undetermined, potentially a path depth used to limit the file search mask feature.