1.0 Introduction
Raccoon Infostealer, also known as Mohazo and Racealer, is an information-stealing malware first observed in April 2019. It is sold as Malware-as-a-Service (MaaS) on dark web forums for a fee of USD 75 per week or USD 200 per month. Written as a modular C/C++ binary, it targets both 32-bit and 64-bit Windows systems. Once deployed, Raccoon Stealer harvests a wide range of sensitive data, including browser autofill entries, browsing history, cookies, stored credit card details, usernames and passwords, and cryptocurrency wallets. It has infected hundreds of thousands of systems and is one of the most widely discussed malware tools on dark web forums.
In addition to browser data, Raccoon has custom modules that target cryptocurrency applications, password managers, email clients, and other applications. Some versions can also act as a ‘man-in-the-middle’ between the host system and the internet, stealing data transmitted over that connection.
Raccoon’s operation temporarily shut down in early 2022, which the operators attributed to the impact of the war in Ukraine on their members, but it returned in June 2022 with an updated version featuring upgraded infrastructure and a completely rebuilt payload. In October 2022, a member of the Ukraine-based Raccoon group was indicted by a US grand jury for conspiracy to violate the Computer Fraud and Abuse Act. This individual, 26-year-old Mark, had previously faked his death, with the group claiming he had been killed in the Russia-Ukraine war.
2.0 Impact
Successful execution of the malware on a victim’s Windows host allows the theft of sensitive data from web browsers, including autofill entries, browsing history, cookies, stored credit card details, usernames and passwords, and cryptocurrency wallet data. Some variants can additionally act as a ‘man-in-the-middle’ between the host system and the internet, stealing data transmitted over that connection.
3.0 Technical Details
When Raccoon infects a system, it typically begins by downloading additional modules from the internet, usually the DLL dependencies it needs in order to run. Once these modules are in place, the malware extracts sensitive data from the system and from the browsers installed on it. The stolen data is compiled into an archive file, which is then sent to a Command and Control (C&C) server, usually the same server from which the malware received its initial instructions and updates. Note that some versions of Raccoon delete themselves from the infected system after completing their tasks, while others remain dormant for potential future actions.
Figure 1: Execution process of Raccoon.
3.1 Indicators of Compromise (IOCs)
IP ADDRESSES
- 93.115.22.159
- 93.115.22.165
- 193.222.96.7
- 94.142.138.147
- 185.193.125.199
- 194.87.31.58
- 5.78.80.43
- 5.78.81.39
- 157.90.161.111
- 89.23.107.183
HASHES
- F47935627A5BE41526BE384D115B1F291D854063D0B31BEE2C9C11DC65695438
- C5E67F5BE47902FE451EE2A40F1EB75E1653B40E0776BD97B1AD58215DC87FF7
- E5C03E8514F40A0FEE801C45271ADB0A7B9764AC8C116FE3F6209247338413B8
- 38428ED69BFA018B637002F8D4C4680A8C6765CF941449DE018971B5BFAEB179
- DB926403044468770E30A5D653FB83C5B262F91682CE6553EE32287C02753C4F
- 570C8BFBFE83183E8CF87D989D2A0BEE76DA03F0DB2061578629D3939A4A42F7
- A7DE3F00DFB9BA786EB5C6358692A605465AA2CA1B3C25E46C31F33A7FDAA6B4
- 3EC6D65B79EF30A3D313BAFACE3328DE59264D68A43FC67F183D6F27680D89BF
- 21DF0FF4710AB3EA44A1950745F9C71F3098BCE46C5B0A7E86BA2777810AE855
- 3FD8BD0DB5FE95FF75E988A57E3BE798B24CBF538F96AAEFBF53CE6AFA2C73A0
- 0FE9A62C38022F4904B600A0B7E8329AB2ACDEB54193E03A6502B2ADE27A8F9A
- 8611A15B54E87872C3CDCAF8AE2B8B972FFAFF5641132BB0FC205E555DBAACD0
- 078DF4C79D3E962BB61BF86CB8CB4C93C99FF66F5CFDB86C97E08172C86907C2
- 802FD11DB464F889F4D17C37C9F023486EC48967DF5880628ECFD239F6F7FDFB
- 5320425988B0670455042DBD99D0C30B96DDF4710932DBE61B95711B185536B6
- 5F7952675382F4EAB492FA445398AD1A100056762F4B2CE9A9B805FEF0EA086B
- ADA6C456A582FC0897AD282BD5728950181618A625CAD84CED1189B70326517C
- 4779DC9604EDF78283C8678F2CE449705B85D1BC3975DB3B02AB9075726B46E9
- CF959B4F5E8DBD5B8C13BCA917931C6B02ACE3CC3835F6F1D88405095C69E393
- A37F9E2D72DE9F114DDAB656017F90C4196082D20DA3BA068A777EB0A1281B76
DOMAINS
- mehranschool.org
URLs
- http://45.153.231.163:80/
- http://193.142.147.59:80/
- http://51.195.166.184/
- http://95.169.205.186:80/
- http://5.181.159.42:80/
- http://45.14.244.72:80/
- http://82.146.45.177:80/
- http://195.20.16.155:80/
- http://192.227.94.170:80/
- http://89.238.170.230:80/
- http://91.107.239.231:80/
- http://46.151.31.26:80/
- http://193.233.132.204:80/
- http://45.153.230.5/
- http://5.252.23.112/
- http://94.131.106.24:80/
- http://195.20.16.127:80/
- http://195.2.81.45:80/
- http://193.222.96.7:8787/
- http://41.216.183.87:80/
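As an added example that is not part of the original advisory, the following Python script applies the indicators above to constructed proxy-log lines and to SHA-256 values, covering the C&C communication described in Section 3.0 and the IOC list in Section 3.1. It reduces each URL to a (host, port) pair, because the list mixes `http://x/` and `http://x:80/` forms that denote the same endpoint; bare IP indicators are matched on any port, and the domain indicator is matched together with its subdomains. The log format, client addresses and file contents are constructed for illustration, and only a subset of the indicators is embedded; the sets should be extended with the full lists from Section 3.1.

```python
"""Added example: offline IOC matcher for the Raccoon Stealer indicators in
Section 3.1. Not code from the original advisory; log lines, client addresses
and file contents below are constructed for illustration."""
from __future__ import annotations

import hashlib
from urllib.parse import urlsplit

# Subset of the indicators from Section 3.1; extend with the full lists.
IOC_IPS = {
    "93.115.22.159", "93.115.22.165", "193.222.96.7", "94.142.138.147",
    "185.193.125.199", "194.87.31.58", "5.78.80.43", "5.78.81.39",
    "157.90.161.111", "89.23.107.183",
}
IOC_HASHES = {h.lower() for h in (
    "F47935627A5BE41526BE384D115B1F291D854063D0B31BEE2C9C11DC65695438",
    "C5E67F5BE47902FE451EE2A40F1EB75E1653B40E0776BD97B1AD58215DC87FF7",
    "E5C03E8514F40A0FEE801C45271ADB0A7B9764AC8C116FE3F6209247338413B8",
)}
IOC_DOMAINS = {"mehranschool.org"}
IOC_URLS = (
    "http://45.153.231.163:80/", "http://193.142.147.59:80/",
    "http://51.195.166.184/", "http://45.153.230.5/",
    "http://5.252.23.112/", "http://193.222.96.7:8787/",
)


def url_key(url: str) -> tuple[str, int]:
    """Reduce a URL to (host, port) so 'http://x/' and 'http://x:80/' compare equal."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.hostname or "").lower(), port


# (host, port) -> original indicator string, kept for reporting.
URL_KEYS = {url_key(u): u for u in IOC_URLS}


def match_url(url: str) -> list[tuple[str, str]]:
    """Return every indicator type the requested URL matches."""
    host, port = url_key(url)
    hits: list[tuple[str, str]] = []
    if (host, port) in URL_KEYS:            # exact C&C endpoint
        hits.append(("url", URL_KEYS[(host, port)]))
    if host in IOC_IPS:                     # listed IP, any port
        hits.append(("ip", host))
    for d in IOC_DOMAINS:                   # listed domain or any subdomain
        if host == d or host.endswith("." + d):
            hits.append(("domain", d))
    return hits


def scan_proxy_log(text: str) -> list[dict]:
    """Constructed log format, one request per line:
    <timestamp> <client-ip> <method> <url> <status>"""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        hits = match_url(parts[3])
        if hits:
            findings.append({"line": n, "client": parts[1], "url": parts[3], "hits": hits})
    return findings


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_hash(sha256_hex: str) -> bool:
    """Case-insensitive lookup against the hash indicators."""
    return sha256_hex.strip().lower() in IOC_HASHES


# Constructed sample: lines 1-2 and 4-6 should match, line 3 is benign.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:02:11Z 10.0.0.5 GET http://193.222.96.7:8787/ 200
2024-03-01T10:02:13Z 10.0.0.5 POST http://193.222.96.7:8787/ 200
2024-03-01T10:05:40Z 10.0.0.7 GET https://www.mycert.org.my/ 200
2024-03-01T10:07:02Z 10.0.0.9 GET http://mehranschool.org/ 200
2024-03-01T10:09:15Z 10.0.0.9 POST http://45.153.231.163/ 200
2024-03-01T10:11:30Z 10.0.0.12 GET http://93.115.22.159:443/ 200
"""

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['url']}  matched {f['hits']}")
    print("benign file known?", is_known_hash(sha256_of(b"constructed benign content")))
```

Run the script directly to print the findings for the constructed sample; in practice, feed it exported proxy or DNS logs and file hashes from endpoint telemetry. Bare IP and port-80 HTTP infrastructure used by MaaS operations is short-lived, so a match on an address alone should be treated as a lead for investigation rather than a confirmed infection, whereas a hash match on a file on disk is a strong indicator.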
3.2 MODUS OPERANDI - WEBSITE DISTRIBUTION
Raccoon Stealer reaches victims through channels such as phishing emails, exploit kits, and malicious advertisements. Once running on the victim’s system, it typically downloads the DLL modules it needs from the internet to complete its capabilities and to keep the initial payload small. Its primary goal is data theft: it collects sensitive information from browsers (including passwords, cookies, and browsing history), credentials stored in email and FTP clients, and cryptocurrency wallet data. The stolen data is packaged into an archive file on the infected system. Raccoon Stealer then communicates with a Command and Control (C&C) server, often the same server it received its initial instructions from, over HTTP or HTTPS. This server acts as the central hub for receiving stolen data and issuing commands, giving the operator ongoing control over compromised systems. To maintain persistence, Raccoon Stealer may modify system settings, create scheduled tasks, or install itself as a service. Some variants delete themselves after completing their tasks to evade detection, while others remain active for prolonged data exfiltration or further malicious activity.
4.0 Recommendations
Internet users must be vigilant about the risks of downloading and running files from unknown sources.
- Users must always download applications from the respective vendors’ official websites.
- Users should be wary of and suspicious about applications circulated on social media for download.
- Users must not click on links or run executables they receive via social media and other messaging applications.
- Enable and keep up-to-date anti-virus software to detect and remove malicious files before they can cause any damage.
- Apply security updates and patches regularly.
- Contact the relevant authorities, such as CyberSecurity Malaysia, for inquiries and assistance related to cyber threats or suspicious activities observed online.
- Users are also encouraged to report posts or advertisements carrying suspicious links to the service provider or social media platform concerned.
Generally, CyberSecurity Malaysia advises users to keep up with the latest security announcements from vendors and to follow best-practice security policies in determining which updates should be applied.
For further enquiries, please contact the Cyber999 Incident Response Centre through the following channels:
E-mail:
cyber999@cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 -17:30 MYT
Web:
https://www.mycert.org.my
5.0 References