Raccoon

Raccoon is an information stealer sold as Malware-as-a-Service (MaaS): a subscription costs $200 per month. Raccoon has already infected more than 100,000 devices and became one of the most discussed malware families on underground forums in 2019.

Type: Stealer
Origin: ex-USSR
First seen: 1 February, 2019
Last seen: 21 February, 2020
Also known as: Mohazo, Racealer
Global rank: 32
Week rank: 22
Month rank: 27
IOCs: 98

Raccoon is an information stealer, malware that threat actors use to pull sensitive data from infected machines. Also known as Mohazo and Racealer, it is a recent family that was first sighted in 2019.

Although some consider it a relatively basic stealer, the excellent service offered by its creators, who sell it as Malware-as-a-Service with a simple, user-friendly dashboard, helped make Raccoon quite popular. The malware has already infected upwards of 100,000 devices and became one of the most mentioned families in hacker communities.

General description of Raccoon malware

Raccoon comes with a fairly basic set of info-stealer functions and, by itself, has no anti-detection or anti-analysis features: nothing in the sample complicates analysis. Instead, the Raccoon developers recommend wrapping the payload in a third-party crypter.

In terms of core functionality, the stealer can check system settings, capture screenshots, collect basic host information such as OS version, IP address and username, and steal saved logins and passwords from a variety of browsers. On top of that, it can retrieve data from Microsoft Outlook and steal cryptocurrency wallets.

Once collection finishes, the data is packed into a .ZIP archive that is then sent to the attackers.

The functions described above are rather basic; however, the reportedly excellent service provided by the malware creators helped make Raccoon popular. The team behind it pushes out constant improvements and fixes based on user feedback.

By providing an easy-to-use dashboard, the Raccoon developers ensured that even attackers with little technical skill can operate the malware successfully. The result is more than a hundred thousand infected victims within months of the malware's release.

The identities of the people behind Raccoon are a mystery, but some known members of the hacker community have been linked to it. Evidence suggests that one of them goes by the handle glad0ff, a long-known hacker responsible for developing several malicious programs, including crypto miners and RATs.

He does not seem to be working alone, as information about disputes within the team has leaked online. In one message, for instance, an individual accuses someone else from the team of stealing from a shared account, leaving the project and attempting to scam customers.

There is also reason to believe that Raccoon was developed by Russian-speaking hackers. This is suggested by the English-language mistakes in the control panel and by the fact that the malware stops executing if it detects that the victim is located in Russia, Ukraine, Belarus, Kazakhstan, Kyrgyzstan, Armenia, Tajikistan or Uzbekistan. In addition, technical support is offered in Russian and English, which also points to a likely ex-USSR origin.

Raccoon malware analysis

A video available in the ANY.RUN malware hunting service shows how a machine gets infected with Raccoon in real-time.

raccoon_process_graph

Figure 1: Here we can see the execution process of Raccoon. This graph was created in ANY.RUN.

racoon_text_report

Figure 2: The text report, which gathers data about the malware execution in one place and can be used for presentations.

Raccoon malware execution process

Since Raccoon is a fairly standard example of a stealer, its execution process does not exactly stand out. In our case, after the malware made its way onto the system (regardless of the delivery method used), it downloaded additional modules from the Internet. These modules are mostly DLL dependencies that Raccoon requires to work correctly. The malware then began stealing information from the system and stored the stolen data in an archive file, which was sent to the C2 server. Note that some versions of Raccoon delete themselves after execution while others do not.
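The sequence just described (fetch DLL dependencies, read credential stores, archive the loot, post it to the C2, optionally delete the dropper) is what a sandbox or EDR rule should key on rather than any single action, since each step on its own is also performed by legitimate software. The following is an added example written for this page, not ANY.RUN's code and not a Raccoon signature: it scores a per-process event trail against those stages and requires the upload to follow the archive step before calling it exfiltration. The event layout, the DLL names and the browser, wallet and mail-client paths are assumptions made for illustration, and the event trails are constructed.

```python
"""Score one process's sandbox event trail against the stealer stages described
above: fetch DLL dependencies, read credential stores, archive the loot, post it
to the C2, optionally self-delete.

Added example, not ANY.RUN's code or a Raccoon signature. The event layout,
the DLL names and the credential-store paths are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    kind: str    # proc_start | net | file_read | file_write | file_delete
    detail: str  # image path, "METHOD url", or file path


# Constructed trail for one process (not real telemetry).
SAMPLE_EVENTS = [
    Event(4120, "proc_start", r"C:\Users\victim\AppData\Local\Temp\update.exe"),
    Event(4120, "net", "GET http://198.51.100.10/libs/sqlite3.dll"),
    Event(4120, "net", "GET http://198.51.100.10/libs/nss3.dll"),
    Event(4120, "file_read", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(4120, "file_read", r"C:\Users\victim\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    Event(4120, "file_write", r"C:\Users\victim\AppData\Local\Temp\Log.zip"),
    Event(4120, "net", "POST http://198.51.100.10/gate/log.php"),
    Event(4120, "file_delete", r"C:\Users\victim\AppData\Local\Temp\update.exe"),
]

# Constructed trail of an ordinary process, for contrast.
BENIGN_EVENTS = [
    Event(880, "proc_start", r"C:\Program Files\Editor\editor.exe"),
    Event(880, "file_read", r"C:\Users\victim\Documents\notes.txt"),
    Event(880, "net", "GET https://updates.example.com/version.json"),
]

DEPENDENCY_RE = re.compile(r"^GET\s+\S+\.dll$", re.I)
# Assumed locations of browser, wallet and mail-client secrets.
CREDENTIAL_STORE_RE = re.compile(
    r"\\google\\chrome\\user data\\[^\\]+\\login data$"
    r"|\\mozilla\\firefox\\profiles\\[^\\]+\\logins\.json$"
    r"|\\exodus\\|\\electrum\\wallets\\|\\bitcoin\\wallet\.dat$"
    r"|\\microsoft\\outlook\\",
    re.I,
)
ARCHIVE_RE = re.compile(r"\.zip$", re.I)
EXFIL_RE = re.compile(r"^POST\s+https?://", re.I)


def stage_trail(events, pid):
    """Return which stealer stages the given process exhibited."""
    own = [e for e in events if e.pid == pid]
    image = next((e.detail.lower() for e in own if e.kind == "proc_start"), None)
    stages = dict.fromkeys(
        ("dependency_download", "credential_store_read", "loot_archived",
         "exfiltration", "self_delete"), False)
    archived = False
    for e in own:
        if e.kind == "net" and DEPENDENCY_RE.match(e.detail):
            stages["dependency_download"] = True
        elif e.kind == "file_read" and CREDENTIAL_STORE_RE.search(e.detail):
            stages["credential_store_read"] = True
        elif e.kind == "file_write" and ARCHIVE_RE.search(e.detail):
            stages["loot_archived"] = archived = True
        elif e.kind == "net" and EXFIL_RE.match(e.detail):
            # Only an upload that follows the archive step counts as exfiltration.
            stages["exfiltration"] = stages["exfiltration"] or archived
        elif e.kind == "file_delete" and image and e.detail.lower() == image:
            stages["self_delete"] = True
    return stages


def verdict(stages):
    """Collapse the stage map into a triage label."""
    core = ("credential_store_read", "loot_archived", "exfiltration")
    if all(stages[s] for s in core):
        return "stealer-like"
    if sum(stages.values()) >= 2:
        return "suspicious"
    return "no-stealer-pattern"


if __name__ == "__main__":
    for name, trail, pid in (("sample", SAMPLE_EVENTS, 4120), ("benign", BENIGN_EVENTS, 880)):
        s = stage_trail(trail, pid)
        print(name, verdict(s), [k for k, v in s.items() if v])
```

The ordering check matters: a POST seen before any archive was written is treated as ordinary traffic, so a trail with the same events shuffled scores only "suspicious". Self-deletion is left out of the core stages because, as noted above, not every Raccoon build removes itself.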

Raccoon malware distribution

Raccoon stealer is distributed through multiple channels, but the most popular distribution method is exploit kits, chiefly the Fallout exploit kit. This delivery method allows infection without active user interaction: victims get infected simply by browsing the web.

The malware also reaches victims' PCs through Microsoft Office document attachments distributed in spam campaigns. The weaponized document contains a macro that downloads the malware once enabled.

In addition, the operators have set up a Dropbox account hosting the malware inside a .IMG file. Attackers use social engineering to trick victims into opening a malicious URL and downloading the infected file.

The last distribution method is bundled software. When users download genuine software from dubious websites, Raccoon sometimes arrives as an unwanted part of the package alongside the legitimate program.

How to detect Raccoon using ANY.RUN?

Some malware creates files whose names contain the name of the malware itself. You can find such information about Raccoon using ANY.RUN's "Static Discovering". Open the "Files" tab in the lower part of the task window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

raccoon_static_discovering

Conclusion

While Raccoon is not a very technically advanced malicious program, it made a lot of noise in the underground community in 2019, when it was first released. Available as a service for $200 per month, it came equipped with everything necessary to start a malware campaign, and a customer who could not manage on their own could always get support from the team behind it.

In fact, underground forums are filled with raving feedback about the work of the Raccoon support staff. Some even say they were treated like real VIPs.

The developers have also shown that they are capable of rolling out updates quickly and promise to add keylogger functionality in the near future.

While its technical simplicity makes this threat relatively easy to defend against at the moment, its growing popularity, extreme ease of use and potential future improvements suggest that the malware could become a major phenomenon. Some even say that Raccoon will replace Azorult.

The ANY.RUN malware hunting service gives researchers the ability to study Raccoon samples in a controlled interactive environment and learn as much as possible about this malware. Hopefully, together we will neutralize, or at least mitigate, the fallout from this and other cyber-security threats.

IOCs

IP addresses
104.155.44.42
35.228.57.136
35.198.141.56
35.228.134.218
34.90.238.61
35.228.215.155
34.90.199.36
34.65.176.45
35.228.28.245
35.246.8.131
35.228.121.96
35.205.213.237
34.65.233.80
35.228.239.183
35.240.77.90
35.228.248.113
34.76.145.229
35.228.183.206
Hashes
5f7aeeb9e3bdb3b354a018a197b37f4a63ff25360291f6b27da648b2e26af48a
a8140129d12ffd0afb889602946a6dde06ceb128eead149b6af28fe9a08d6b18
b9bed0b7f956d768dc57d76b1cd273ba60df4ef577fbabd1b0fcae724cafdd86
63aa745e70a1521e2805673a7b3dcd86c80113130df6d2b0a20e2d850df9e32d
672f58c59b7d86a19b238bda0e29d50e4037cdd77f73f7c63fa4db5939c35d10
f9535b4eab02d6daaafa55b32dec30dd154a45077934c3a8240a157b22110868
066887bd9f58d5025a4e95d9de6be87b172e3687e6f166b96ed950e162653875
914a82ee87c57dc5a7078090df6f393c95f6a6785c1c0c07f903c2ba7f380e49
4cfab0be95fdaf7bfb47fb094c1bb56cf4c96d89b958176206e3709c1f434e8e
a5dfe08d0c60d52df6aba0636de89f763afda2a88257d42a70b5a0d3896144b3
fe98a5962ccbfe27028fb2f602fb03dbf7c1d7b2fc53a85183b91bcada200672
379391b859fde903a8a2f5bda21893c5a480df601fe51e2d33df4fefb8c0d3fd
842788db8749b178b60d019d845e88f97ac82021b9c3ab9dcae628527a3ca2fb
eb850077ce87ef3d699f38d3897c3e42795a7ddf85222b173a9382c5cad43269
3b7e34b1d5b31b63f04b50e79ba6812160d7fcf05f1d24f2a2e1fd64473ad195
16d2aa16a779affe3e14eaa764b40bf03597cef867e4a63f3c058fbd40eebb2b
2638f4abac1d0f36a8e60f1ba9bc812fbec5dee4dc16136624a96fe1dbf0d957
e33f9ecf606a38893101b01dc1c25101ac32fd09bc8b9fca4f5ebedfe84a4db2
da02a5284a459d4c4f6d11c5325393fd88d1fc2d68e6f1b21c3933f8a1f1f920
8e444d3f80053d86368a81e5945f282fc97da6382d17e6da087ed02b6cd6e40b
Domains
majul.com
isns.net
elx01.knas.systems
thuocnam.tk
m-onetrading-jp.com
krupskaya.com
raccoon-gate.site
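An added example, not ANY.RUN's code, that turns the IOC block above into typed sets and sweeps log lines for matches. The RAW_IOCS text embedded here is a subset of the list above, kept short; the full block parses the same way because the section headers are skipped and repeated entries collapse into the set. The proxy, EDR and DNS log lines are constructed, and their field layout is an assumption.

```python
"""Normalise the IOC block above into typed sets and sweep log lines for hits.

Added example, not ANY.RUN's code. RAW_IOCS is a subset of the page's list;
the full block parses the same way. The log lines are constructed and their
field layout is an assumption.
"""
import ipaddress
import re

RAW_IOCS = """
IP addresses
104.155.44.42
35.228.57.136
35.228.134.218
35.228.134.218
35.205.213.237
35.205.213.237
Hashes
5f7aeeb9e3bdb3b354a018a197b37f4a63ff25360291f6b27da648b2e26af48a
a8140129d12ffd0afb889602946a6dde06ceb128eead149b6af28fe9a08d6b18
Domains
majul.com
elx01.knas.systems
raccoon-gate.site
"""

# Constructed log lines (proxy, EDR, DNS); not real telemetry.
SAMPLE_LOGS = [
    "2020-02-21T10:14:02Z proxy src=10.0.0.12 dst=35.228.134.218 host=raccoon-gate.site method=POST uri=/gate/log.php bytes=48213",
    "2020-02-21T10:14:07Z proxy src=10.0.0.12 dst=203.0.113.9 host=www.example.com method=GET uri=/ bytes=512",
    "2020-02-21T10:15:30Z edr host=WS-0012 event=file_create path=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe sha256=5F7AEEB9E3BDB3B354A018A197B37F4A63FF25360291F6B27DA648B2E26AF48A",
    "2020-02-21T10:16:00Z dns client=10.0.0.33 query=ELX01.KNAS.SYSTEMS answer=35.205.213.237",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$")
TOKEN_SPLIT = re.compile(r"[\s=,;\"'()\[\]]+")


def parse_iocs(text):
    """Classify each line as IP, SHA-256 or domain. Headers and blank lines are
    dropped; duplicate entries collapse into the set."""
    iocs = {"ip": set(), "sha256": set(), "domain": set()}
    for line in text.splitlines():
        token = line.strip().lower()
        if not token:
            continue
        if SHA256_RE.match(token):
            iocs["sha256"].add(token)
            continue
        try:
            iocs["ip"].add(str(ipaddress.ip_address(token)))
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(token):
            iocs["domain"].add(token)
        # anything else (section headers such as "Hashes") is ignored
    return iocs


def matching_domain(token, domains):
    """Return the listed domain that equals `token` or is a parent of it."""
    labels = token.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def sweep(lines, iocs):
    """Return a list of (line_no, ioc_type, indicator) for every matching token."""
    hits = []
    for n, line in enumerate(lines, 1):
        for raw in TOKEN_SPLIT.split(line):
            tok = raw.lower()
            if not tok:
                continue
            if tok in iocs["ip"]:
                hits.append((n, "ip", tok))
            elif tok in iocs["sha256"]:
                hits.append((n, "sha256", tok))
            else:
                dom = matching_domain(tok, iocs["domain"])
                if dom:
                    hits.append((n, "domain", dom))
    return hits


if __name__ == "__main__":
    table = parse_iocs(RAW_IOCS)
    print({k: len(v) for k, v in table.items()})
    for hit in sweep(SAMPLE_LOGS, table):
        print(hit)
```

Treat the three indicator types differently when triaging hits: hashes are exact but brittle, since the crypter recommended to Raccoon customers produces a new hash per build; IP hits deserve a second look before action, because addresses on shared hosting get reassigned and the list above already carries a "last seen" date; domains such as raccoon-gate.site are the most durable of the three, which is why the sweep also matches subdomains of a listed domain.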
