[BreachExchange] New Raccoon Stealer Campaign Underscores an Evolving Threat

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Aug 4 10:57:35 EDT 2021


https://www.darkreading.com/threat-intelligence/new-raccoon-stealer-campaign-underscores-an-evolving-threat

A new Raccoon Stealer campaign underscores the evolution of this
information-stealer, which has recently been distributed through a dropper
campaign to steal cryptocurrencies, cookies, and other types of information
on target machines.

Sophos researchers have been tracking a "particularly active" campaign by
attackers using Raccoon Stealer, a widely used information stealer. While
the campaign is no longer active, as its infrastructure is no longer
reachable, researchers say similar campaigns are still ongoing and have
published their findings to inform security practitioners of this
constantly evolving threat.

Raccoon Stealer has been in use for at least two years; developers run it
as a service for other criminals to buy and distribute. It's controlled
from a Tor-based command-and-control "panel" server and is regularly
updated with new features and bug fixes. Sophos notes that it's sold on
boards mostly in Russian; however, it also runs English ads and offers
English-language support.

The stealer is designed to take passwords, cookies, and the autofill text
for websites, including credit card information and other personal data
that may be stored in the browser. Since a recent "clipper" update, Raccoon
Stealer can also target cryptocurrency wallets and retrieve or drop files on
target systems.

Info stealers are normally spread in one of two ways: One is via spam
email, as the payload of a malicious dropper or as a compressed executable;
the other is through a malicious website or sharing service. Most recent
samples of Raccoon Stealer are spread through a single dropper campaign
that leverages malicious websites promising access to pirated software.

The malicious sites linked to this campaign were search-engine optimized
to rank high in the results of Google and other search engines when
people searched for pirated software. The sites advertised "cracked"
versions of legitimate software packages, but the files were actually
droppers in disguise. When someone clicked a download link, they were sent
to one of many download locations, each of which delivered a different
version of the dropper, researchers explain.

The dropper is in a zipped folder, inside of which is another zipped folder
containing a file with the password meant to unlock the cracked software.
Droppers in this campaign carried other malware, indicating these are most
likely "droppers as a service" and not directly tied to the attacker using
Raccoon Stealer. Operators randomize the destination a victim must access
to get to the download, so one could access the same site many times and
get different packages.
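A small triage helper for the packaging described above (an archive nested inside an archive, with a "password" text file sitting next to the payload). This is an added example, not code from Sophos or the article; the extension list, file names and the in-memory sample archive are constructed assumptions, and the "executable" is inert placeholder bytes.

```python
import io
import zipfile
from typing import List

# Assumed list of executable-like extensions; extend it for your environment.
EXEC_EXTS = (".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".ps1")
MAX_DEPTH = 4  # refuse to recurse forever into zip-in-zip-in-zip chains


def inspect_zip(data: bytes, path: str = "", depth: int = 0) -> List[str]:
    """Walk a zip held in memory and return human-readable findings."""
    findings: List[str] = []
    if depth > MAX_DEPTH:
        return [f"max nesting depth exceeded at {path}"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # A 'password' text file beside the payload is the lure the article describes.
        has_pw_note = any(
            "password" in i.filename.lower() and i.filename.lower().endswith(".txt")
            for i in infos
        )
        for info in infos:
            full = f"{path}/{info.filename}" if path else info.filename
            lower = info.filename.lower()
            if info.flag_bits & 0x1:  # encrypted member: cannot be read without the password
                findings.append(f"encrypted member (not expanded): {full}")
                continue
            if lower.endswith(".zip"):
                findings.append(f"nested archive: {full}")
                findings.extend(inspect_zip(zf.read(info), full, depth + 1))
            elif lower.endswith(EXEC_EXTS):
                note = " beside password note (matches dropper layout)" if has_pw_note else ""
                findings.append(f"executable{note}: {full}")
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for the described package; the 'exe' is inert bytes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Password.txt", "password: 1234 (constructed sample)")
        z.writestr("Setup.exe", b"MZ placeholder - not a real binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Crack_Setup.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for line in inspect_zip(build_sample()):
        print(line)
```

Encrypted members are reported but not opened, so a password-protected inner archive still surfaces as a finding without the script needing the lure's password.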

"Raccoon Stealer is just one of the things we saw being dropped by this
campaign," says Sean Gallagher, senior threat researcher at Sophos Labs.
"There were a bunch of other information stealers, some ransomware, and
also miners and clippers – malware that steals things out of clipboards,
especially if they match cryptocoin wallet numbers and things like that."

In a new twist for this campaign, the Raccoon Stealer developers added
their own clipper as a secondary package that can be downloaded. Criminals
can sign up for Raccoon Stealer, pay a fee, get access to its Tor-based
panel, and select which secondary payloads they want dropped.

The developers also assign a customer ID to each buyer so each executable
of the malware has a signature tied to the customer. This way, if the
malware appears on VirusTotal, they can trace it back to the person who may
have leaked it.

A Constantly Evolving Threat

New to this campaign was the attackers' strange use of Telegram, which they
used to deliver the address of a command-and-control gateway, Gallagher
notes.

The malware loader calls back to a Telegram channel, and in that channel is
a description that contains information on how to reach the gateway they
use to connect to the back-end server. It's not using the Telegram chat,
but the description of the chat channel, to convey information.

"That could be changed frequently," Gallagher says. "If you're doing
forensics on the contents of the chat channel, there are no messages there
to track. It's all going on in the changes to the name of the channel
itself."

Researchers have seen attackers use the metadata associated with different
services as a command-and-control channel before. However, Gallagher
points out that the technique is growing more prevalent. Sophos researchers
have previously reported on attackers using Discord channels to host,
spread, and control malware targeting users.

In this case, he says, it indicates the developers behind Raccoon Stealer
are seeking new ways to update their malware. This campaign netted the
attackers some $15,000 in cryptocurrency mined or stolen over a six-month
period, and the money is reinvested in developing new tactics.

"It's been in active development for a while, and every time it gets broken
they learn something new," he adds.

Info Stealers: Easy for Criminals, Tough for Defenders

Information stealers like this one fill an important role in the cybercrime
ecosystem, Sophos researchers note in a blog post on their findings. They
allow attackers to gather the kind of personal information that enables
identity theft, including the saved credentials and browser cookies that
facilitate access to Web-based resources. These credentials are often sold
online.

They also make it simple for low-level cybercriminals to target individuals
and organizations. An entry-level seven-day subscription to Raccoon Stealer
costs only $75, researchers report, and the developers don't vet buyers
before selling the malware. Novice criminals can easily find a buyer for
their stolen data and invest the funds in other illicit activity.

"We frequently see information stealers like this are a gateway to other
bad things happening," Gallagher says. "Those credentials that get stolen …
they get sold on a criminal marketplace and they're used for other crime."

That makes Raccoon Stealer and similar threats a top concern for
enterprises. Because it can steal cookies that enable access to corporate
resources like email and other cloud applications, the malware could get
hold of sessions that expose corporate data. It could also potentially lead
to business email compromise or ransomware, if an affiliate buys access to
a company network.

"Because we've become so dependent on Web-based services, this whole
cookie-stealing thing has become a much more critical part of enterprise
security," Gallagher adds. Over the past 18 months, as more people began to
work from home, there has been an increasing amount of exposure to this
type of threat because the dependency on Web services has grown.