Raccoon Stealer operators spread malware through Google search results

The criminals behind the Raccoon Stealer platform have updated their service to include tools for stealing cryptocurrency from targeted computers, as well as remote access capabilities for dropping malware and stealing files.

The users of this service platform are usually inexperienced criminals, and the service steals the passwords and authentication cookies stored by the victim's browser. According to research published by SophosLabs on Tuesday, the platform has now released a number of significant feature updates, including new attack tools and distribution networks, that also improve the success rate of targeted attacks.

First, Raccoon Stealer has moved from email-based infection to distribution through Google searches. According to Sophos, the attackers have optimized malicious web pages so that they rank highly in Google search results. The bait in this campaign is pirated software tooling, such as "cracks" that unlock paid software or key generators that produce registration keys for it.

Yusuf Polat and Sean Gallagher, senior threat researchers at Sophos, wrote: “While these sites claim to be a legitimate software site, the file offering the download is actually a dropper in disguise. Clicking on the download link connects you to JavaScript redirectors hosted on Amazon Web Services that divert victims to multiple different download locations, offering different versions of the dropper for download.”

Raccoon updated with new attack methods

Unlike other information-stealing malware that reaches individuals through their inboxes, Raccoon Stealer, as traced by Sophos, is spread through malicious websites.

The deceived victim downloads an archive containing the payload, the researchers said. That archive holds a second, password-protected archive and a text file containing its password, both of which are used later in the infection chain. The archive holding the executable is password-protected so that it evades malware scanning.

The executable is a self-extracting installer. Such samples carry the signatures associated with self-extracting archives produced by tools like 7-Zip or WinZip SFX, yet they cannot be unpacked by those tools. “The signature is either forged or the header of the file has been processed by the dropper, preventing unpacking without executing the file,” Sophos argued.
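An added triage check, not Sophos's or the campaign's code, that mirrors the observation above: it scans a file for the 7-Zip archive signature and, when one is found, validates the 32-byte 7z start header (version byte and the CRC32 stored over the next 20 bytes). A sample that carries the signature but fails this check is one a defender would flag for sandboxing rather than trust as a plain installer. The fake MZ stub and the archive contents in the test are constructed; the 7z start-header layout is the published format, everything else is assumption.

```python
import struct
import zlib

# 7z archives begin with this 6-byte signature, followed by a 32-byte start header:
#   bytes 0-5   signature
#   bytes 6-7   version (major, minor)
#   bytes 8-11  CRC32 of bytes 12-31 (little-endian)
#   bytes 12-19 NextHeaderOffset, 20-27 NextHeaderSize, 28-31 NextHeaderCRC
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
START_HEADER_LEN = 32


def build_7z_start_header(next_header_offset: int, next_header_size: int,
                          next_header_crc: int, forge: bool = False) -> bytes:
    """Construct a start header for test data; forge=True corrupts the stored CRC
    the way a tampered or fake SFX stub might."""
    tail = struct.pack("<QQI", next_header_offset, next_header_size, next_header_crc)
    crc = zlib.crc32(tail) & 0xFFFFFFFF
    if forge:
        crc ^= 0xDEADBEEF  # constructed corruption, not a real sample's value
    return SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", crc) + tail


def check_7z_start_header(data: bytes) -> str:
    """Locate an embedded 7z signature (as an SFX stub would carry) and report
    whether the start header that follows it is internally consistent."""
    off = data.find(SEVENZ_MAGIC)
    if off < 0:
        return "no_7z_signature"
    if len(data) - off < START_HEADER_LEN:
        return "truncated_start_header"
    hdr = data[off:off + START_HEADER_LEN]
    major = hdr[6]
    stored_crc = struct.unpack_from("<I", hdr, 8)[0]
    computed_crc = zlib.crc32(hdr[12:START_HEADER_LEN]) & 0xFFFFFFFF
    if major != 0:
        return "unexpected_version"
    if stored_crc != computed_crc:
        # Signature present but header does not validate: forged or post-processed.
        return "start_header_crc_mismatch"
    next_off, next_size, _ = struct.unpack_from("<QQI", hdr, 12)
    archive_end = off + START_HEADER_LEN + next_off + next_size
    if next_size and archive_end > len(data):
        return "next_header_out_of_bounds"
    return "start_header_ok"


if __name__ == "__main__":
    # Constructed sample: a fake executable stub followed by a forged 7z header.
    stub = b"MZ" + b"\x00" * 62
    print(check_7z_start_header(stub + build_7z_start_header(10, 5, 0, forge=True)))
```

The check deliberately stops at the start header: it proves only that a signature-bearing file is not a well-formed archive, which is exactly the "looks like an SFX but will not unpack" condition the researchers describe.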

Malware delivered to victims may include cryptocurrency mining tools, “clippers” (malware that steals cryptocurrency by modifying the victim's system clipboard to swap in the attacker's wallet address during a transaction), malicious browser extensions, and Djvu/Stop (a ransomware family that mainly targets home users), Sophos said.

Infrastructure used by thieves

As for how the infected systems are managed, Sophos said the attackers used the secure messaging platform Telegram and further obfuscated communications with RC4 encryption.

Using a hardcoded RC4 key, Raccoon decrypts the information in the channel, which contains a command-and-control (C2) address. “This process is not straightforward to perform decryption: the resulting string is stripped at the beginning and end of the channel description, and the code then decrypts the text with RC4 to obtain the address of C2,” they wrote.
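An added illustration of that extraction step, written from the analyst's side and not taken from Sophos or from the malware: a configuration extractor that takes a captured channel description, strips the leading and trailing marker characters, hex-decodes the remainder and RC4-decrypts it with the hardcoded key, rejecting anything that does not decrypt to a plausible URL. The RC4 key, the marker characters, the hex encoding of the ciphertext and the C2 URL are constructed placeholders; the campaign's real values are not on the page.

```python
# Constructed placeholders: the real key, markers and C2 are not published here.
SAMPLE_KEY = b"constructed-key-not-from-the-campaign"
STRIP_HEAD = 1   # assumed: one marker character stripped from the front
STRIP_TAIL = 1   # assumed: one marker character stripped from the end


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def make_description(c2: str, key: bytes = SAMPLE_KEY) -> str:
    """Build a channel description the way the assumed scheme would: marker,
    hex of RC4(C2), marker. Used only to produce constructed test input."""
    return "<" + rc4(key, c2.encode("ascii")).hex() + ">"


def extract_c2(description: str, key: bytes = SAMPLE_KEY):
    """Recover the C2 address from a channel description, or None if the text
    does not decrypt to something that looks like a URL (wrong key, wrong channel)."""
    inner = description[STRIP_HEAD:len(description) - STRIP_TAIL]
    try:
        blob = bytes.fromhex(inner)
    except ValueError:
        return None
    try:
        text = rc4(key, blob).decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.isprintable() or not text.startswith(("http://", "https://")):
        return None
    return text


if __name__ == "__main__":
    # Constructed round trip on a reserved, non-routable hostname.
    desc = make_description("http://c2.example.invalid/gate")
    print(desc)
    print(extract_c2(desc))
```

Because the key is hardcoded in the loader, an extractor like this can be pointed at a stream of channel descriptions to keep a blocklist current as the operators rotate C2 addresses.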

Through this C2, the criminals use the tool to sweep the infected machine for valuable files, from browser data to cryptocurrency wallets. The same C2 was also used to download a SilentXMRMiner tool written in Visual Basic .NET and obfuscated with Crypto Obfuscator.

According to Sophos, the second-stage payloads delivered by Raccoon Stealer span 18 malware samples since October 2020. The most recent is a clipper called QuilClipper that targets cryptocurrency exchanges.

“When analyzing .NET loader and clipper-like samples on VirusTotal, we found that many of the samples were hosted on the bbhmnn778[.]fun domain,” the researchers wrote. “After investigating related files and searching for their filenames, we found a YouTube channel promoting Raccoon Stealer and QuilClipper.”

Raccoon’s Attack Features

A study of the Raccoon Stealer infrastructure revealed 60 subdomains under the domain xsph[.]ru, 21 of which have been active recently; the domain was registered through the Russian hosting provider SprintHost[.]ru.

Polat and Gallagher wrote: “This Raccoon Stealer campaign demonstrates that criminal activity has now become very specialized. Threat actors are increasingly using paid services, such as dropper-as-a-service and malware hosting platforms, to deploy Raccoon.”

According to Sophos estimates, over six months the criminals behind this Raccoon campaign deployed malware, stole cookies and credentials and sold them on criminal markets, stole approximately $13,200 worth of cryptocurrency, and exploited victims’ computing resources to mine a further $2,900 in cryptocurrency, while the criminal enterprise cost an estimated $1,250 to run.
