04 May 2023  — 
MSP Threats Security Team

Raccoon Stealer: A popular and dangerous threat

Summary

  • Sold as malware-as-a-service on underground forums since 2019
  • Sample is PE32 executable, written in C/C++
  • Capable of stealing passwords, cookies, and crypto wallet data
  • Impersonates the product “ESET Security”
  • Packed with custom packer

Introduction

Raccoon Stealer, also known as Mohazo or Racealer, is an info-stealer malware that first appeared in 2019, and is available as malware-as-a-service (MaaS).

It can be obtained from cybercriminal forums; a subscription costs $200 per month. Raccoon Stealer has already infected over 100,000 devices in the wild, across organizations and individuals, and became one of the most-mentioned attacks on underground forums.

The malware is used to steal data like credit card information, nearly all existing desktop cryptocurrencies wallets, cookies, and passwords. Raccoon Stealer performs SQL queries using sqlite3.dll in order to get the user’s auto-login passwords, credit card details, cookies, and browser history. Raccoon Stealer is usually delivered through exploit kits and phishing attacks.

The FBI has identified many credentials stolen by this group. A website was created for any individuals who want to check whether their email address appears in the cache of stolen data.

Technical analysis

Upon performing the static analysis, it is clear that the sample is an x32 architecture portable executable binary written in C/C++ and works on a 32-bit operating system.

Acronis

This executable has a high entropy value in total (7.66444), and the section rsrc has an unusual entropy of 7.79713, which can indicate the presence of encrypted, compressed, encoded, and/or obfuscated data in the file. Furthermore, PE section 1 has an unusual name: zqHWbqh. 

Acronis

Upon peering further into the executable, the packer that was used is a custom one, appearing as simple numbers to make the research process more difficult.

Acronis
Acronis

In the malware file description, it says “ESET Live Installer” in order to impersonate the AV engine installer and further fool victims.

Acronis

When checking the resources, there is a file signature of “rcdata,” which has high entropy, and the language is identified as Russian.

Acronis

In the sample’s sections, there are two modules noted. It’s immediately clear that the malware has multiple calls to sleep with a high number of seconds. This is an evasion mechanism used by many malware strings to avoid being automatically analyzed inside a free sandbox, as most of the free sandboxes will limit the amount of execution time.

Acronis

In addition, the sample uses the function GetSystemInfo to check the number of CPU cores, in an attempt to avoid being run in a lab environment.

As an additional layer of protection, Raccoon Stealer invokes the IsDebuggerPresent API to check if it’s being debugged.

Raccoon Stealer begins execution by obtaining the locale identifier for the user language. If the default locale is in Russian, the malware will not execute.

Acronis
Acronis

Next, the malware tries to create a mutex with MUTEX_ALL_ACCESS rights. Using this access right increases the possibility that the malware must be run by an administrator.

Acronis

At the same time, the stealer spawns three new processes: AppLaunch.exe, raccoon.exe, and WerFault.exe.

The child processes are terminated almost immediately, only functioning as a pipe for the malware to inject the malicious payload into the memory of a legitimate process — APPLaunch.exe, which is the Microsoft .NET ClickOnce Launch Utility.

Acronis

WerFault.exe is the standard Windows error reporting tool used in Windows 10 and 11, allowing the system to track and report errors related to the operating system or applications. Antivirus engines commonly trust WerFault as it's a legitimate Windows executable signed by Microsoft, so launching it on the system won't usually trigger alerts to warn the victim. However, in this case, it uses a known DLL sideloading flaw to load the malicious DLL.

Raccoon Stealer attempts to steal data from the Bitwarden and 1Password password managers, and also from the Atomic cryptocurrency wallet. Attempts to steal Bitwarden data are done by accessing the JSON file under the path %APPDATA%\bitwarden\data.json.

Acronis

In addition to exfiltrating information, Raccoon Stealer can also take screenshots of the system. The malware creates a snapshot that includes all running process on the system with it.

Acronis

Raccoon Stealer also searches the infected host for email information.

Acronis

After retrieving the sought information, the stealer performs communication with the Telegram IP 149.143.167.99 in order to update its C2 address list.

The attackers behind Raccoon Stealer have been found using a chat app to store and update C2 addresses to spread within infected machines.

Acronis

As an additional step in creating communication, one of the child processes of the malware — APPLaunch.exe — attempts DNS queries to the actor-controlled domain.

Acronis
Acronis

After being executed, Raccoon Stealer creates a suspended mode process to inject code. Once the process is complete, both the Raccoon and WerFault objects are deleted. AppLaunch continues to run in the background and connects to a remote address when needed.

Conclusion

Raccoon Stealer made a lot of noise in the underground community in 2019 when it was first released. Despite being around for several years, this malware remains popular and has managed to infect a significant number of devices. One reason for this is that the Raccoon Stealer team offers genuine customer service, providing cybercriminals with an easy and low-cost way to engage in cybercrime.

This stealthy/sneaky malware is designed to gather data in small increments as it progresses, storing it until it can be transmitted in a single compressed file using Telegram for data exfiltration and infrastructure updates. With its up-to-date techniques and underground customer service, it is no wonder that Racoon Stealer remains popular to this day.

Detected by Acronis

Acronis Cyber Protect successfully detects and prevents execution of all known versions of Raccoon Stealer, before any harm can befall the system.

Acronis
Acronis

Indicators of compromise (IoCs)

Type
Indicator
Description
MD5
a680ae77d7dcbc614386f1b4ae2d6574
Packed Raccoon Stealer payload
SHA-256
e53adf92075e500d8e39bdc48c4e32c6d805062e7f27ac5882fb7681e467c742
Packed Raccoon Stealer payload
Import hash
d86b72152e3eb79509e879927a109d7c
Packed unique PE import hash shared by Raccoon Stealer payload
MD5
8a45293860c097c76de004e96bfe677a
Unpacked Raccoon Stealer payload
SHA-256
88a3b41a55f81d44834d3867f56993ea03cccd26f0878d17b117faf3f17ac501
Unpacked Raccoon Stealer payload
Import hash
2f1bba23d3f31d886fd20c963bc55038
Unpacked unique PE import hash
Domain
telegin[.]top
Malicious domain
Domain
tgmirror[.]top
Malicious domain
Domain
telemirror[.]top
Malicious domain
Domain
Telegka[.]top
Malicious domain
Domain
Telegatt[.]top
Malicious domain