Raccoon

Raccoon is an information stealer sold as Malware-as-a-Service (MaaS): it is obtained on a subscription basis for $200 per month. Raccoon has already infected over 100,000 devices and became one of the most discussed malware families on underground forums in 2019.

Type: Stealer
Origin: ex-USSR
First seen: 1 February, 2019
Last seen: 2 February, 2023
Also known as: Mohazo, Racealer
Global rank: 15
Week rank: 16
Month rank: 15
IOCs: 5635

Raccoon is an information stealer, malware that threat actors use to harvest sensitive data from infected machines. Also known as Mohazo and Racealer, it is a relatively recent family that was first sighted in 2019.

Although some consider it a relatively basic stealer, the polished service offered by its creators, who distribute it as Malware-as-a-Service together with a simple, user-friendly dashboard, helped make Raccoon popular. The malware has already infected upwards of 100,000 devices and became one of the most mentioned stealers in hacker communities.

General description of Raccoon malware

Raccoon ships with fairly basic information-stealing functionality, comparable to RedLine, and on its own has no built-in evasion: nothing in the sample is designed to defeat antivirus detection or to complicate analysis. The developers instead recommend that customers wrap the build with a third-party crypter before deploying it.

As for core functionality, depending on the configuration the operator enables, the stealer can check system settings, capture screenshots, collect basic host information (OS version, IP address, username), and steal saved logins and passwords from a variety of browsers. It can also retrieve data from Microsoft Outlook and steal cryptocurrency wallets.

When collection finishes, the data is packed into a .ZIP archive that is sent to the attackers' C2 server.

The functions described above are rather basic; however, the reportedly excellent service provided by the malware's creators helped make it popular. The team behind Raccoon pushes out constant improvements and fixes based on customer feedback.

By providing an easy-to-use dashboard, the Raccoon developers ensured that even attackers with little technical skill can operate the malware and customize its configuration effortlessly. The result was hundreds of thousands of infected victims within months of the malware's release.

As for the team behind Raccoon: the identities of the people involved are unknown, but some known members of the hacker community have ties to the project. Evidence suggests that one of them is the individual known online as glad0ff, a long-known hacker responsible for developing multiple malicious programs, including crypto miners and RATs.

He does not appear to be working alone, since information about disputes within the team has leaked online. In one message, for instance, an individual accuses another member of the team of stealing from a shared account, leaving the project, and attempting to scam customers.

There is also reason to believe that Raccoon was developed by Russian-speaking actors. This is suggested by English-language mistakes in the control panel, and by the fact that the malware stops executing if it detects that the victim's system is located in Russia, Ukraine, Belarus, Kazakhstan, Kyrgyzstan, Armenia, Tajikistan, or Uzbekistan. In addition, technical support is offered in Russian and English, which also points to a likely ex-USSR origin of the operators.

Raccoon malware analysis

A video available in the ANY.RUN malware hunting service shows a machine being infected with Raccoon in real time.

[Image: raccoon_process_graph]

Figure 1: Here we can see the execution process of Raccoon. This graph was created in ANY.RUN.

[Image: racoon_text_report]

Figure 2: A text report that gathers data about the malware's execution in one place, useful for a write-up or a presentation.

Raccoon execution process

Since Raccoon is a fairly standard stealer, its execution process does not stand out. In our analysis, after the malware reached the system (regardless of the delivery method), it downloaded additional modules from the Internet. These modules are mostly DLL dependencies that Raccoon needs in order to work correctly. The malware then began stealing information from browsers and the system and stored the stolen data in an archive file, which it sent to the C2 server, most likely the same server on which the build was generated. Note that some versions of Raccoon delete themselves after execution while others do not.
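The behaviour chain above (DLL downloads, browser credential reads, archive creation, upload, optional self-deletion) is what a sandbox or EDR analyst looks for when triaging a stealer. The following is an added example, not code from ANY.RUN or from the Raccoon project, that scores a chronological process timeline for that chain. The event schema, the browser store file names, the DLL names and the 203.0.113.x / 198.51.100.x addresses (RFC 5737 documentation ranges) are assumptions constructed for the example.

```python
"""Score a sandbox process timeline for the stealer behaviour chain described above.

Added example (not from the original page). Event format and all sample data are
constructed; the detection stages are: (1) fetching several DLL dependencies over
HTTP, (2) reading browser credential stores, (3) writing a ZIP archive, (4) POSTing
after the archive exists, and optionally (5) deleting the original executable.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One sandbox event; the list is assumed to be in chronological order."""
    pid: int
    kind: str    # "proc_start" | "net" | "file_read" | "file_write" | "file_delete"
    detail: str  # "<METHOD> <url>" for net events, full path for file events


# Credential / cookie stores a stealer reads (Chromium and Firefox file names).
BROWSER_STORES = ("login data", "cookies", "web data", "logins.json", "key4.db")


def _new_state():
    return {"dll_downloads": 0, "browser_reads": 0, "archive_written": False,
            "exfil_after_archive": False, "self_delete": False, "_exe": None}


def score_timeline(events):
    """Return per-pid stage counters plus a boolean 'stealer_chain' verdict."""
    results = {}
    for ev in events:
        st = results.setdefault(ev.pid, _new_state())
        d = ev.detail.lower()
        if ev.kind == "proc_start":
            st["_exe"] = d
        elif ev.kind == "net":
            if d.startswith("get ") and d.endswith(".dll"):
                st["dll_downloads"] += 1              # stage 1: DLL dependencies
            elif d.startswith("post ") and st["archive_written"]:
                st["exfil_after_archive"] = True       # stage 4: upload after staging
        elif ev.kind == "file_read" and any(s in d for s in BROWSER_STORES):
            st["browser_reads"] += 1                   # stage 2: credential stores
        elif ev.kind == "file_write" and d.endswith(".zip"):
            st["archive_written"] = True               # stage 3: loot archive
        elif ev.kind == "file_delete" and st["_exe"] and d == st["_exe"]:
            st["self_delete"] = True                   # stage 5: self-deletion
    for st in results.values():
        stages = [st["dll_downloads"] >= 2, st["browser_reads"] >= 1,
                  st["archive_written"], st["exfil_after_archive"]]
        # Credential reads are mandatory; require at least two of the other stages.
        st["stealer_chain"] = st["browser_reads"] >= 1 and sum(stages) >= 3
        del st["_exe"]
    return results


# Constructed timeline resembling the execution process described on the page.
SAMPLE_TIMELINE = [
    Event(1234, "proc_start", r"C:\Users\victim\AppData\Local\Temp\build.exe"),
    Event(1234, "net", "GET http://203.0.113.10/libs/sqlite3.dll"),
    Event(1234, "net", "GET http://203.0.113.10/libs/nss3.dll"),
    Event(1234, "net", "GET http://203.0.113.10/libs/msvcp140.dll"),
    Event(1234, "file_read", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(1234, "file_read", r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"),
    Event(1234, "file_write", r"C:\Users\victim\AppData\Local\Temp\Log.zip"),
    Event(1234, "net", "POST http://203.0.113.10/gate/log.php"),
    Event(1234, "file_delete", r"C:\Users\victim\AppData\Local\Temp\build.exe"),
]

# Constructed benign updater: one DLL, a backup archive and telemetry, no credential reads.
BENIGN_TIMELINE = [
    Event(777, "proc_start", r"C:\Program Files\Vendor\updater.exe"),
    Event(777, "net", "GET http://198.51.100.7/update/helper.dll"),
    Event(777, "file_write", r"C:\Program Files\Vendor\backup.zip"),
    Event(777, "net", "POST http://198.51.100.7/telemetry"),
]

if __name__ == "__main__":
    for label, timeline in (("sample", SAMPLE_TIMELINE), ("benign", BENIGN_TIMELINE)):
        for pid, st in score_timeline(timeline).items():
            print(label, pid, st)
```

The ordering check matters: a POST is only counted as exfiltration if it happens after the archive was written, which is what separates the loot upload from ordinary telemetry. The benign updater in the second timeline downloads a DLL and writes a ZIP but never touches a credential store, so it does not trigger the verdict.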

Raccoon stealer distribution

Raccoon is distributed through multiple channels, but the most common delivery method is exploit kits, and operators can manage campaign configurations directly from the control panel. The malware is delivered mainly by the Fallout exploit kit. This method makes infection possible without any active user interaction: victims are infected simply by browsing a compromised or malicious web page with a vulnerable browser.

The malware also reaches victims' PCs via Microsoft Office document attachments distributed in spam campaigns. The weaponized document contains a macro that downloads the malware once the user enables it.

In addition, the operators have set up a Dropbox account hosting the malware inside a .IMG disk image. Social engineering is used to trick victims into opening a malicious URL and downloading the image file.

Finally, Raccoon has been delivered as "bundled malware": when users download genuine software from dubious websites, the stealer sometimes arrives as an unwanted part of the package alongside the legitimate program.
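Two of the delivery shapes above, a macro-carrying Office attachment and a disk image (.IMG) used as a container, can be triaged before a user ever sees the lure. The following is an added example, not code from the page or from ANY.RUN, of a content-based attachment check: it looks inside OOXML packages for a VBA project part rather than trusting the file extension, and flags mountable disk images. The minimal in-memory "document" and the file names are constructed test data.

```python
"""Triage mail attachments for macro documents and disk-image containers.

Added example (not from the original page). The OOXML package built by
build_sample_package() is constructed test data, not a real Word file.
"""
import io
import zipfile

# OOXML parts that hold a VBA project (Word, Excel, PowerPoint); compared case-insensitively.
MACRO_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")
OFFICE_EXTS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
DISK_IMAGES = (".img", ".iso", ".vhd")  # mountable containers that can smuggle an executable
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header of legacy .doc/.xls


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'clean', 'review' or 'suspicious'."""
    name = filename.lower()
    if name.endswith(DISK_IMAGES):
        return "suspicious", "disk image attachment: mounts as a drive and can carry an executable"
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office format keeps VBA in OLE streams; needs an OLE parser (e.g. oletools).
        return "review", "legacy OLE document: enumerate VBA streams with an OLE parser"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as pkg:
                parts = {n.lower() for n in pkg.namelist()}
        except zipfile.BadZipFile:
            return "review", "zip signature but the archive cannot be read"
        for part in MACRO_PARTS:
            if part in parts:
                # Checked before the extension, so a .docm renamed to .docx is still caught.
                return "suspicious", f"OOXML package carries a VBA project ({part})"
        if name.endswith(OFFICE_EXTS):
            return "clean", "OOXML package without a VBA project"
        return "review", "zip container that is not an Office document"
    return "clean", "no Office or disk-image container signature"


def build_sample_package(with_macro):
    """Constructed test data: a minimal OOXML-style zip, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample_package(True)),
        ("invoice.docx", build_sample_package(True)),   # renamed macro document
        ("report.docx", build_sample_package(False)),
        ("order.doc", OLE_MAGIC + b"\x00" * 8),
        ("installer.img", b"\x00" * 32),
    ]
    for fname, blob in samples:
        verdict, reason = classify_attachment(fname, blob)
        print(f"{fname:16} {verdict:11} {reason}")
```

The check is deliberately content-first: Office opens OOXML by package contents, so a macro document renamed to .docx still runs its VBA project after the user enables macros, and an extension-only filter would pass it. Legacy OLE documents are only marked for review here because their VBA streams need a proper OLE parser to enumerate.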

How to detect Raccoon using ANY.RUN?

Some malware creates files that carry the malware's own name. You can find this information about Raccoon in ANY.RUN's "Static Discovering": open the "Files" tab in the lower part of the task window, or click on the process and then on the "More Info" button in the window that appears. Then click on the file of interest.

[Image: raccoon_static_discovering]

Conclusion

While Raccoon is not as technically advanced as malware such as Ursnif or Hawkeye, it certainly made a lot of noise in the underground community in 2019, when it was first released. Sold as a service for $200 per month, it came with everything necessary to start a campaign, and customers who could not manage on their own could always get support from the team behind it.

In fact, underground forums are filled with raving feedback about the excellent work of Raccoon support staff. Some even say that they were treated like real VIPs.

The developers have also shown that they can roll out updates very quickly, and have promised to add keylogger functionality in the near future.

While its technical simplicity makes this threat relatively easy to defend against for now, its growing popularity, extreme ease of use, and likely future improvements suggest that it could become a major phenomenon. Some even predict that Raccoon will replace Azorult.

The ANY.RUN malware hunting service gives researchers the ability to study Raccoon samples in a controlled interactive environment and learn as much as possible about this malware. Hopefully, together we will neutralize, or at least mitigate, the fallout from this and other cybersecurity threats.

IOCs

IP addresses
5.252.177.20
213.252.244.167
5.182.39.77
213.252.244.230
88.119.171.225
194.104.136.99
193.43.146.80
45.142.214.212
45.67.228.8
78.159.103.214
93.185.166.43
77.91.102.246
135.181.147.255
5.182.36.232
193.43.146.214
193.43.146.213
77.91.102.230
5.252.23.100
95.216.177.153
95.217.241.175
Hashes
93bc72073b407b80d44a3c6851d6ec87ad50f4ee2110839468f4cab1fea4f0fa
0e329b10547fa65367596eed24651d96f9c62c787a9a32df03a45178d20c4e49
79d15fe0a138498938885f09cfb7d3d2c8ca31bbe4f544a119be4a45a2c6c80d
ffb09c76e759b1eb296da2f6ef83effda857ee04b56cff319db8463dc85da6ae
b1f823cfd5709646a7e5b37b2363d478495d4b9491af1a25046d93ec96012498
17c0d5648287b4e09ecbe801099da44d46d6316c33adafd232e31afb1e7d62ce
556fb7cc6b628ee7a6664fc82f3be5b90ce3e8ce9c7d041d0c9f1aced208d986
1699a2187e4620311123a45b8fb52234e771ed71fe5e876bc6fbbb200a498b7c
801141da4575de79faca2497af48765a102be5ae935006edcffe5cec4a309b6d
12f67aca643168d1b8ca12795f9c67187ce0a3c292a31afcb02f6a31780121ce
bac760f4bbbee93e63a78bcaebf56448d2e1217bcb5b61db51ce44d3aac5cf6a
e33faf99534c6e5c36732cd910364bf7f923f70b91d9a63b2f288008b798ee21
3a23b5e129fcbfec2d79dedc468be9f9c809e936cf1a3ec0634da44b0cefec68
555f6a3b65733dab9765159edc147eadcb84080eab3a9e055872ee4e494d234b
38d0f6d2d2ccd86e63232e4c702202b167be54dd3c8e21d289f21f4d3775a1e5
12567de24a8dbc6c0103aa263217ad240098d7545e32546f35fd5b791b1869fa
7353feef1636889ed31594a1579317b2d1cdafd44776b4c34f45254b40768fae
31b3cb808ecb27ea14c16a8590439203bbd2815ae3c63d6e1214d470a58d02f1
022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03
86c4f9b00a27fe7291ee963b0f40c9242dcdf736259047561cff4bc417dd7de0
Domains
host-file-host6.com
www.brujas.club
technion.ac
telegka.top
telegatt.top
nemty10.hk
thuocnam.tk
vcctggqm3t.dattolocal.net
propelium.com
ns1.propelium.com
rbwtech.com
ns1.rbwtech.com
frederikkempe.com
isns.net
krupskaya.com
m-onetrading-jp.com
majul.com
searchkn1.sima-land.ru
njxyro.ddns.net
eltem.iptime.org
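The list above is in a plain "header, then one indicator per line" layout, which is easy to turn into a lookup table. The following is an added example, not code from the page or from ANY.RUN, that parses that layout and matches it against proxy log lines. Only a handful of the page's own IP, hash and domain entries are embedded so the script runs offline; the proxy log format, client addresses and timestamps are constructed for the example.

```python
"""Parse the page's plain-text IOC list and match it against proxy log lines.

Added example (not from the original page). IOC_TEXT is a subset of the page's
own list in its own layout; SAMPLE_PROXY_LOG is constructed.
"""

IOC_TEXT = """\
IP addresses
5.252.177.20
213.252.244.167
Hashes
93bc72073b407b80d44a3c6851d6ec87ad50f4ee2110839468f4cab1fea4f0fa
Domains
host-file-host6.com
telegka.top
"""

# Section headers exactly as they appear on the page, mapped to indicator types.
SECTION_KEYS = {"IP addresses": "ips", "Hashes": "hashes", "Domains": "domains"}


def parse_iocs(text):
    """Return {'ips': set, 'hashes': set, 'domains': set}, all lower-cased."""
    iocs = {key: set() for key in SECTION_KEYS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_KEYS:
            current = SECTION_KEYS[line]
            continue
        if current is None:
            raise ValueError(f"indicator before any section header: {line!r}")
        iocs[current].add(line.lower())
    return iocs


# Constructed proxy log: "<timestamp> <client> <method> <host> <path>" per line.
SAMPLE_PROXY_LOG = """\
2023-02-02T10:14:03Z 10.0.0.12 GET host-file-host6.com /index.html
2023-02-02T10:14:05Z 10.0.0.12 POST 5.252.177.20 /gate/log.php
2023-02-02T10:15:00Z 10.0.0.31 GET www.example.com /
2023-02-02T10:16:00Z 10.0.0.12 GET cdn.telegka.top /libs/sqlite3.dll
"""


def match_proxy_log(log_text, iocs):
    """Return one hit per log line whose host is a listed IP, domain, or subdomain of one."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, method, host, path = fields[:5]
        host = host.lower().rstrip(".")
        matched = None
        if host in iocs["ips"]:
            matched = ("ip", host)
        else:
            for dom in iocs["domains"]:
                # Exact match or subdomain, so cdn.telegka.top resolves to telegka.top.
                if host == dom or host.endswith("." + dom):
                    matched = ("domain", dom)
                    break
        if matched:
            hits.append({"time": ts, "client": client, "method": method, "host": host,
                         "path": path, "ioc_type": matched[0], "ioc": matched[1]})
    return hits


def is_known_sample(sha256_hex, iocs):
    """Check a SHA-256 hex digest against the listed sample hashes."""
    return sha256_hex.lower() in iocs["hashes"]


if __name__ == "__main__":
    table = parse_iocs(IOC_TEXT)
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, table):
        print(hit)
```

Before turning such a list into a block rule, review the domain entries: lists derived from sandbox runs can include legitimate services contacted during execution (DNS providers, hosting or CDN names), so domain indicators deserve validation, whereas the sample hashes are safe to use for exact-match detection.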
