[BreachExchange] Payment Card Skimmer Group Using Raccoon Info-Stealer to Siphon Off Data

Destry Winant destry at riskbasedsecurity.com
Tue Dec 8 10:20:01 EST 2020


https://thehackernews.com/2020/12/payment-card-skimmer-group-using.html

A cybercrime group known for targeting e-commerce websites unleashed a
"multi-stage malicious campaign" earlier this year designed with an
intent to distribute information stealers and JavaScript-based payment
skimmers.

In a new report published today and shared with The Hacker News,
Singapore-based cybersecurity firm Group-IB attributed the operation
to the same group that's been linked to a separate attack aimed at
online merchants using password-stealing malware to infect their
websites with FakeSecurity JavaScript-sniffers (JS-sniffers).

The campaign progressed in four waves, starting in February and ending
in September, with the operators relying on specially-crafted phishing
pages and lure documents laced with malicious macros to download Vidar
and Raccoon information stealers onto victim systems.

The ultimate goal of the attack, the researchers noted, was to steal
payment and user data via several attack vectors and tools to deliver
the malware.

The fake web pages were created using the Mephistophilus phishing kit,
which allows attackers to create and deploy phishing landing pages
engineered for distributing malware.

"Attackers sent links to fake pages that informed victims about a
missing plugin required to display the document correctly," Group-IB
researchers explained in an analysis of the cybercrime group's tactics
last November. "If a user downloaded the plugin, their computer was
infected with the password-stealing malware."

While the first wave of the campaign in February and March delivered
the Vidar password stealer to intercept passwords from user browsers
and various applications, subsequent iterations switched to the
Raccoon stealer and AveMaria RAT to meet its objectives.

Raccoon, first documented by Cybereason last year, comes with a wide
range of capabilities and communicates with a command-and-control (C2)
server to siphon data — including screenshots, credit card
information, cryptocurrency wallets, stored browser passwords, emails,
and system details.

Raccoon is also unique in that it bypasses the blocking of active C2
servers by making a request to a Telegram channel ("blintick") in
order to receive the encrypted address of the C2 server, besides
offering 24×7 customer support to community questions and comments
through the chat service.

AveMaria RAT, likewise, is capable of ensuring persistence, recording
keystrokes, injecting malicious code, and exfiltrating sensitive
files, among other capabilities.

Both Vidar and Raccoon are sold as malware-as-a-service (MaaS) on
underground forums. The rental price for Vidar stealer ranges from
$250 to $300 per month, whereas the latter costs $200 a month to use.

Along with the four stages described above, Group-IB also observed an
interim phase between May and September 2020, during which as many as
20 online stores were infected with a modified JS-sniffer of the
FakeSecurity family.

Interestingly, the infrastructure used to distribute the Vidar and
Raccoon stealers shared similarities with those used to store the
sniffer code and collect stolen bank card data, leading the
researchers to link the two campaigns.

The development is yet another sign that adversaries are stepping up
their efforts to compromise online marketplaces to pilfer customer
payment information, even as law enforcement agencies are working to
tackle cybercrime.

Earlier this January, Interpol, acting on digital forensic evidence
from Group-IB, arrested three individuals associated with a group
called "GetBilling" as part of an operation codenamed Night Fury for
running a JS-sniffer campaign in Indonesia.
