Racoon Stealer now going after your Crypto
Written by Karolis Liucveikis on
As info stealers go, Racoon Stealer has to be one of the more prolific malware strains of its type in recent memory. This is due in part to the malware being offered as a service, similar to the ransomware-as-a-service and other malware-as-a-service business models adopted recently. This model relies on the malware’s developer constantly updating the malware so that it remains an attractive option to other hackers and continues to warrant the monthly subscription fee.
Racoon Stealer’s latest update enables the malware’s customers to steal cryptocurrency transactions through the use of a clipper. These malware strains operate by replacing the wallet address used in a transaction with a wallet address controlled by the attacker.
Given the length and complexity of wallet addresses, users find it easier to copy the wallet address to the clipboard and then paste it. The clipper replaces the copied address in the clipboard with one the attacker controls.
The clipper has been added on top of the info stealer’s existing ability to collect passwords, cookies, and browser “autofill” data for websites, including credit card data and other personally identifiable information that may be stored by the browser.
Info stealers are increasingly targeting data stored in browsers. More and more, we rely on our chosen browser to store passwords and other credentials essential to our daily lives, including those used in banking and other financial activities. Constant updates and feature upgrades are what make Racoon Stealer an ever-present threat. Further, the malware’s developers are able to maintain tight control over who has access to the malware.
This is possible because customers are issued a unique ID that is mirrored in the malware’s code, so that if a sample lands on VirusTotal, for example, the developers can see which customer compromised their operation. In a report published by Sophos Labs, researchers elaborated further on the info-stealer-as-a-service offering, stating,
“Like many stealers, Raccoon Stealer is sold as a service, rather than as a standalone malware. Its developers have been marketing the stealer-as-a-service platform for (at least) the last two years on the dark web on malware-related forums. Controlled from a Tor-based command and control “panel” server, Raccoon is much like other commercial web-based services in that it is under perpetual development, with new features and bug fixes shipping regularly—even providing automated updates to malware that’s already deployed on infected machines. While sold on boards that are predominantly in Russian, Raccoon also advertises in English and offers English-language support.”
Racoon Stealer is well known both for being bundled with and for bundling other malware payloads. In the latest campaign discovered by Sophos, a coin miner has also been bundled with the malware. This enables attackers to use the victim’s computing resources to mine cryptocurrencies. As discussed above, the malware is also bundled with a clipper, which can cause a faster and more devastating financial loss to the victim than any miner.
The malware is named QuilClipper and, as mentioned above regarding clippers, it looks to replace the contents of the victim’s clipboard with attacker-controlled wallet addresses. This secondary payload delivered by Raccoon is a loader written in .NET, heavily obfuscated, and packed.
Static analysis of the unpacked sample revealed that the loader contains three main components: an encrypted payload, an anti-virtual-machine module to evade analysis, and a RunPE module that performs the same sort of process hollowing that Raccoon Stealer itself uses to execute.
QuilClipper can target not only cryptocurrency wallet addresses but also Steam transactions. It does this by continuously monitoring the system clipboard of the Windows devices it infects. The malware detects what is added to the clipboard using a series of regular expressions in its code that identify which cryptocurrency an address belongs to. This then tells the program which attacker-controlled wallet address to insert in order to divert the funds.
The connection between QuilClipper and Racoon Stealer appears to hinge on a YouTube video advertising both. To better understand the connection between Racoon Stealer and QuilClipper, researchers took a deep dive into Racoon Stealer’s infrastructure. They discovered approximately 60 domains linked to the original domain used by Racoon Stealer’s developers. Researchers further noted,
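The clipboard-substitution behaviour described above (a copied address silently replaced by one of the same currency) is detectable from the defender’s side because the change happens without a user copy action. The following is an added example, not Sophos’s analysis code or anything from QuilClipper: a small clipboard-event analyzer that classifies clipboard text by address format and raises an alert when one address is replaced by a different address of the same currency within a short window. The regular expressions are assumptions about common Bitcoin and Ethereum address formats, not the malware’s own patterns (which the article does not reproduce), and the event log is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Address-format classifiers (assumed common formats; not QuilClipper's own regexes).
# Both Bitcoin formats map to the same currency label so that a legacy->bech32
# replacement is still recognised as a same-currency swap.
ADDRESS_PATTERNS = [
    ("BTC", re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")),           # Base58 P2PKH / P2SH
    ("BTC", re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$")),  # bech32
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),                          # 20-byte hex account
]


def classify(text: str) -> Optional[str]:
    """Return the currency label for a clipboard string, or None if it is not an address."""
    text = text.strip()
    for label, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return label
    return None


@dataclass
class ClipEvent:
    ts: float       # seconds since the monitor started
    content: str    # clipboard text observed at that moment


@dataclass
class SwapAlert:
    ts: float
    currency: str
    original: str
    replacement: str


def detect_swaps(events: List[ClipEvent], window_s: float = 5.0) -> List[SwapAlert]:
    """Flag an address being replaced by a *different* address of the same currency
    within window_s seconds of the original copy. A user re-copying a second address
    a minute later is normal; a replacement a few hundred milliseconds later is not."""
    alerts: List[SwapAlert] = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        cur = classify(ev.content)
        if prev is not None and cur is not None:
            same_currency = classify(prev.content) == cur
            changed = ev.content.strip() != prev.content.strip()
            if same_currency and changed and (ev.ts - prev.ts) <= window_s:
                alerts.append(SwapAlert(ev.ts, cur, prev.content.strip(), ev.content.strip()))
        prev = ev
    return alerts


# Constructed clipboard history; the addresses are made up and only match the formats.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "Meeting notes for Tuesday"),                  # ordinary text, ignored
    ClipEvent(10.0, "1UserWa11etCopiedHere23456789ABCD"),         # user copies a BTC address
    ClipEvent(10.3, "1AttackerWa11etSwappedHere2345678"),         # replaced 300 ms later: alert
    ClipEvent(90.0, "0x" + "ab" * 20),                            # user copies an ETH address
    ClipEvent(150.0, "0x" + "cd" * 20),                           # another ETH address a minute later: normal
    ClipEvent(200.0, "bc1" + "q" * 40),                           # user copies a bech32 BTC address
    ClipEvent(200.5, "1AttackerWa11etSwappedHere2345678"),        # legacy BTC replaces it quickly: alert
]


if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"t={a.ts:>6.1f}s {a.currency}: {a.original} -> {a.replacement}")
```

Two design points matter in practice. First, the attacker’s replacement address is a perfectly valid address, so format or checksum validation of the pasted value tells you nothing; the signal is the change itself, made while no user copy occurred. Second, a real monitor on Windows would subscribe to clipboard-change notifications (the `WM_CLIPBOARDUPDATE` message delivered after `AddClipboardFormatListener`) rather than poll, and could attach the owning process to each event, which turns the timing heuristic above into a much stronger attribution; that integration is left out here so the example runs anywhere.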
“Many of the subdomains followed the same naming pattern as the subdomain used in our Raccoon sample, while others were clearly reserved for other tasks—including phishing (such as subdomains named “wellsfargosecurecloud” and “chaseonlinesecure”). Sophos telemetry for subdomains shows it being regularly used as part of phishing activity for at least the last year. The hosts used to serve these subdomain names have been hosted on various shared IP addresses on SprintHost’s infrastructure in St. Petersburg. They’ve been connected to other malware downloads as well…Casting a wider net, we looked at other domains that have been associated with Raccoon infrastructure over the past six months. The name Marina Grodovich crops up frequently in registrations of Raccoon Stealer gate domains. The name has been tied to a total of 94 domains used since September, 2020 in Raccoon Stealer attacks…Many of the second stage domains hosting payload downloads are tied to a single Gmail address that was used to register them. For example, the Raccoon demonstrated on Youtube uses aun3xk17k.space to download QuilClipper.”
Info stealers are becoming an ever-increasing component of the threat landscape. They have quickly become a necessary piece of malware for conducting identity theft and other types of financial fraud. This is primarily due to the sheer amount of personal and financial information they can access on a victim’s machine, and in particular in their browser. Not only can the attacker use the data themselves, but it can also be sold off to the highest bidder on underground marketplaces.
When this is combined with the malware-as-a-service model, it allows a wider range of attackers, often less skilled than the developers, to turn a profit from cybercrime. Racoon Stealer is typically offered at approximately 75 USD a month. Given that customers can then make money by stealing and selling information, hijacking crypto wallets, and using the victim’s system resources to mine cryptocurrencies, the subscription fee can quickly pay for itself.
Sophos researchers analyzed the possible payday, noting that the actor behind the discovered campaign was able to steal,
“…approximately $13,200 US worth of cryptocurrency, and use the compute resources of victims to mine another $2,900 in cryptocurrency over a 6-month period.”
The developer not only earns the subscription fee but often also receives 10% of the customer’s earnings over and above that fee. Commenting further on this lucrative but illegal business model, researchers said,
“To produce this return, the actor paid Raccoon’s operators about $1200 over the period, plus $50 malware build fees—roughly 10 percent of the take—plus the cost of the dropper delivery. All of this required only basic technical skills on the part of the actor running the campaign. It’s these kinds of economics that make this type of cybercrime so attractive—and pernicious.
Multiplied over tens or hundreds of individual Raccoon actors, it generates a livelihood for Raccoon’s developers and a host of other supporting malicious service providers that allows them to continue to improve and expand their criminal offerings. And those offerings largely hit consumers—especially, as in this case, when they make use of searches for free versions of commercial software.”
As with the recent data breach impacting EA, info stealers are not only a problem for individuals but for major corporations as well. This is further driven home by the fact that many info stealers also drop ransomware as a secondary payload. Racoon Stealer is known to drop variants of the STOP ransomware strain.