Raccoon Stealer Spreads Malware Via Google SEO

The enhanced version of the Raccoon stealer-as-a-service platform, found bundled with updated malware, hides inside pirated software, where it steals cryptocurrency and installs a dropper that delivers further malware, according to Threat Post.

The threat actors behind Raccoon Stealer, who have used the platform for a range of cybercrimes, have expanded their service to include additional tools for gaining access to a target’s computer and malware that provides remote access for downloading data. The study shows that the malware delivered to the victim’s device can include malicious browser extensions, a YouTube click-scam bot, Djvu/Stop (ransomware aimed at home users), crypto-miners, and clippers (crypto-stealing malware that swaps wallet addresses).

Stealer-as-a-service platforms are typically used by inexperienced criminals. The service steals sensitive information such as login credentials, cookies, and other passwords that the target’s browser may have saved. Recent research by Sophos Labs found that the platform has been modified to include new distribution networks and techniques.

The use of cracked software may compromise the entire system

Instead of the email-based infections used previously, Raccoon Stealer now relies on Google Search. Sophos says the threat actors have become adept at optimising malicious web pages to rank in Google search results. As part of the campaign, victims are offered software piracy tools such as cracks or keygen applications that promise to unlock licensed software.

The study describes Raccoon Stealer’s modus operandi, which typically starts with the download of an archive file. That file contains a second, password-protected archive together with a text document holding the password, which is used later in the infection chain. The password protection lets the setup executable inside slip past malware scanning until it is unpacked. Once the executable is opened, the next stage is triggered, retrieving further self-extracting installers.
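As an added defensive example (not code from the article or from Sophos), the following Python heuristic looks for the download layout described above: a nested archive whose entries carry the ZIP encryption flag, shipped alongside a text file holding a password. The archives it inspects are constructed inside the script; the file names and the password note are assumptions.

```python
import io
import re
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag: entry is password-protected
PASSWORD_NOTE = re.compile(r"pass(word|wd)?\s*[:=]\s*\S+", re.IGNORECASE)


def analyse_archive(zip_bytes: bytes) -> dict:
    """Flag a password-protected inner archive shipped with a text file carrying the password."""
    report = {"encrypted_nested_archive": False, "password_note": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            data = outer.read(info)
            if info.filename.lower().endswith(".txt") and PASSWORD_NOTE.search(data.decode("utf-8", "replace")):
                report["password_note"] = True
            elif zipfile.is_zipfile(io.BytesIO(data)):
                # Only the central directory is parsed here, so no password is needed.
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if any(i.flag_bits & ENCRYPTED_FLAG for i in inner.infolist()):
                        report["encrypted_nested_archive"] = True
    report["suspicious"] = report["encrypted_nested_archive"] and report["password_note"]
    return report


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption flag in each local header (offset 6) and central directory record (offset 8); sample-building only, content stays in the clear."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= ENCRYPTED_FLAG
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_malicious_sample() -> bytes:
    """Constructed sample (file names and password are assumptions, not taken from the report)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.exe", b"MZ placeholder, not a real installer")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Setup.zip", _mark_encrypted(inner.getvalue()))
        z.writestr("Password.txt", "Password: 1234\n")
    return outer.getvalue()


def build_benign_sample() -> bytes:
    """Constructed control: an ordinary download with a README and no nested archive."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.txt", "Thanks for downloading.\n")
    return outer.getvalue()
```

A gateway or sandbox can run this check on any downloaded archive before the user ever sees a password prompt, which is the point in the chain where scanning otherwise stops.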

It is estimated that more than $13,200 in Bitcoin was stolen and $2,900 was generated from the victims’ devices through illegal crypto mining

The stealer’s developers have given the droppers the signatures of self-extracting tools such as WinZip SFX or 7-Zip, yet the archives cannot be extracted with those tools; Sophos says the malware authors probably did this deliberately to hinder unpacking.

The threat actors use Telegram and an RC4 encryption key to disguise the Raccoon customer’s configuration IDs. To communicate with its command-and-control (C2) server, the Raccoon sample needs the address of the C2 gate; the C2 channel is what the stealer uses to exfiltrate browser data and cryptocurrency wallets. The application is written in Visual Basic .NET and obfuscated with Crypto Obfuscator.

Sophos found that since October 2020, the second-stage payload of Raccoon Stealer has distributed 18 different malware variants. About $13,200 worth of Bitcoin was stolen from victims during the Raccoon campaign, and a further $2,900 in cryptocurrency was mined on victims’ computers, Sophos believes. The estimated cost of running the illegal enterprise is $1,250.