SEKOIA.IO exposes a large, resilient infrastructure distributing Raccoon and Vidar information stealers via a multi-stage infection chain built on SEO-poisoned cracked-software websites and hundreds of domains. The operation relies on social engineering, redirection chains, and robust defense-evasion techniques hosted on GitHub accounts, underscoring the risks of downloading cracked software. #RaccoonStealer #VidarStealer #SEKOIAIO #GitHub #CrackedSoftware #TrafficDistributionSystem
Keypoints
- SEKOIA.IO identified a large, stealthy infrastructure distributing Raccoon and Vidar stealers since at least 2020, spanning over 250 domains.
- The infection chain hinges on social engineering to push fake cracked software via SEO-poisoned websites and deceptive tutorials.
- The distribution employs a multi-stage redirection chain that culminates in a final payload hosted on GitHub.
- More than 120 payload samples (70 Vidar, 54 Raccoon) were observed, hosted across 20 GitHub accounts and multiple botnets.
- Payloads use extensive defense-evasion techniques (packing with Themida/VMProtect/Eziriz .NET Reactor, sandbox/time evasion, and anti-analysis tricks).
- SEKOIA.IO maps multiple MITRE ATT&CK techniques to this activity, illustrating a broad, targeted infrastructure operation rather than a wide Pay-Per-Install campaign.
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains – “infrastructure of over 250 domains” used to distribute the stealer builds.
- [T1583.004] Acquire Infrastructure: Server – “infrastructure of over 250 domains” includes hosting on multiple servers.
- [T1588.001] Obtain Capabilities: Malware – “distribute Raccoon and Vidar stealers” as end payloads.
- [T1588.002] Obtain Capabilities: Tool – “payload packed with Themida, VMProtect, Eziriz’s .NET Reactor” used to obfuscate and protect payloads.
- [T1608.006] Stage Capabilities: SEO Poisoning – infrastructure relies on SEO-poisoned cracked software distribution.
- [T1204.002] User Execution: Malicious File – victims download and run the malicious installers after following tutorials.
- [T1027] Obfuscated Files or Information – packed and encrypted payloads; password-protected archives and large padded executables to evade analysis.
- [T1036] Masquerading – hosting payloads on legitimate platforms (GitHub, file shares) with credible naming patterns.
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – time-based evasion techniques complicate sandbox analysis.
- [T1562.001] Impair Defenses: Disable or Modify Tools – tutorials describe disabling antivirus software to enable payload execution.
- [T1622] Debugger Evasion – defenses include evasion against debugging tools during analysis.
- [T1102] Web Service – C2 communications and payload delivery leverage web services for command and control.
Indicators of Compromise
- [Domain] infection/distribution domains – crackist[.]com, offsebike[.]cyou, and 2 more domains (SEO-poisoned websites)
- [IP Address] stage 3 redirect addresses – 157.230.87[.]146, 162.243.164[.]175
- [Hash] payload samples – cda1504b1d4004c8bf3b90b9035ebeb8, 46832d82bc25c7363f32b3473872936e97cfe990
- [Filename] final payload archives – NewInstaller_1234_FullVersion_B4.rar, Setup.exe
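The indicators above are most useful when matched against proxy and endpoint telemetry. The following is an added Python example, not code from SEKOIA.IO or the report; it refangs the page's defanged domains and IPs, assumes a constructed proxy log layout, and generalises the single archive name on the page into a hypothetical `NewInstaller_<digits>_FullVersion_<tag>.rar` pattern.

```python
import re
# Indicators as listed on the page, kept defanged; refanged only in memory.
DEFANGED_DOMAINS = ["crackist[.]com", "offsebike[.]cyou"]
DEFANGED_IPS = ["157.230.87[.]146", "162.243.164[.]175"]
KNOWN_HASHES = {"cda1504b1d4004c8bf3b90b9035ebeb8",           # hash from the page
                "46832d82bc25c7363f32b3473872936e97cfe990"}   # hash from the page
# Hypothetical generalisation of the single archive name on the page
# (NewInstaller_1234_FullVersion_B4.rar): the number and build tag are assumed to vary.
ARCHIVE_NAME_RE = re.compile(r"NewInstaller_\d+_FullVersion_[A-Za-z]\d+\.rar", re.I)

def refang(indicator):
    """'crackist[.]com' -> 'crackist.com' so it can be compared with log fields."""
    return indicator.replace("[.]", ".")

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}
# Constructed proxy log layout (an assumption): "<timestamp> <client_ip> <dest_host> <url_path>"
PROXY_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def scan_proxy_log(lines):
    """Return (line_no, reason) for every line that touches a page indicator:
    a stage-3 redirect IP, an SEO-poisoned domain (or one of its subdomains),
    or an archive download whose name follows the NewInstaller pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_LINE_RE.match(line)
        if not m:
            continue                     # skip lines that do not fit the layout
        _ts, _client, host, path = m.groups()
        host = host.lower()
        if host in IPS:
            hits.append((n, "stage-3 redirect IP " + host))
        elif any(host == d or host.endswith("." + d) for d in DOMAINS):
            hits.append((n, "SEO-poisoned domain " + host))
        elif ARCHIVE_NAME_RE.search(path):
            hits.append((n, "NewInstaller archive download"))
    return hits

def scan_hashes(records):
    """records: iterable of (path, hexdigest); return paths whose hash is known-bad."""
    return [path for path, digest in records if digest.lower() in KNOWN_HASHES]

# Constructed sample data; every host and path is made up except the page's own indicators.
SAMPLE_PROXY_LOG = [
    "2022-11-02T10:01:12Z 10.0.0.5 www.example.org /index.html",
    "2022-11-02T10:02:40Z 10.0.0.5 crackist.com /download/photo-editor-crack",
    "2022-11-02T10:02:41Z 10.0.0.5 cdn.offsebike.cyou /go?id=9",
    "2022-11-02T10:02:43Z 10.0.0.5 157.230.87.146 /redirect",
    "2022-11-02T10:02:50Z 10.0.0.5 files.github-host.example /r/NewInstaller_5678_FullVersion_C2.rar",
]
SAMPLE_HASHES = [("C:/Users/u/Downloads/Setup.exe", "CDA1504B1D4004C8BF3B90B9035EBEB8"),
                 ("C:/Windows/notepad.exe", "0" * 32)]
```

Hash matching is case-insensitive and the domain check covers subdomains, since the redirection chain described above routinely hops across hosts under the same second-level domain.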