RecordBreaker is a 2022 Infostealer linked to Raccoon Stealer that commonly disguises itself as a software crack or installer. ASEC confirms its distribution via a hacked YouTube account with download links leading to malware, which then steals data and can install additional payloads such as a CoinMiner. #RecordBreaker #YouTube #MediaFire #CoinMiner #RaccoonStealer
Keypoints
- RecordBreaker is an Infostealer that appeared in 2022 and is seen as the new version of Raccoon Stealer, often posing as cracks or installers.
- A threat actor distributed RecordBreaker via a hijacked YouTube account with more than 120,000 subscribers; the channel's existing audience and history indicate account compromise rather than creation of a new channel.
- Earlier malware campaigns have distributed through search engines and YouTube, including RedLine and BlackGuard Infostealer campaigns.
- The campaign uses YouTube video descriptions and comments to link to MediaFire, where a password-protected compressed file hides the malware.
- Decompression yields a large Launcher_S0FT-2O23.exe that contacts a C2 server to obtain DLLs and configuration for data theft.
- RecordBreaker collects system information, installed programs, browser credentials, and screenshots, and can download/install additional payloads, including a CoinMiner (vdcs.exe).
MITRE Techniques
- [T1586.001] Compromise Accounts: Social Media Accounts – The threat actor hijacked an existing YouTube account (over 120,000 subscribers) and used it to upload videos that distribute RecordBreaker. A stolen social-media account abused as a distribution channel fits T1586.001 better than T1078 Valid Accounts, which covers the use of legitimate credentials inside a victim environment. “the account currently has more than 120,000 subscribers… threat actor had stolen the YouTuber’s account before using it to upload malware.”
- [T1036] Masquerading – RecordBreaker disguises itself as a software crack or installer. “disguises itself as a software crack or installer.”
- [T1204.002] User Execution – Clicking links in the YouTube video leads to a MediaFire page where users download a password-protected malware archive. “Clicking on the links in the YouTube videos lead to a MediaFire download page, where users can download a compressed file that has malware inside of it.”
- [T1027] Obfuscated Files or Information – The downloaded compressed file is password-protected, so the executable inside cannot be extracted or scanned by a gateway or endpoint product until a user supplies the password. “the downloaded compressed file is encrypted with a password.”
- [T1105] Ingress Tool Transfer – The malware downloads DLLs and later payloads from URLs provided by the C2 for information theft. “URLs that will be used to download specific DLL files that are necessary for stealing information.”
- [T1082] System Information Discovery – RecordBreaker collects basic system information as part of its data gathering. “collects and steals various information saved on a system, such as basic system information…”
- [T1555.003] Credentials from Web Browsers – It steals account credentials saved on a browser. “account credentials saved on a browser.”
- [T1518] Software Discovery – It retrieves a list of installed programs on the infected system. “a list of installed programs.”
- [T1005] Data from Local System – It collects data from the local system (screenshots, etc.). “basic system information, a list of installed programs, screenshots…”
- [T1041] Exfiltration Over C2 Channel – The launcher checks in by sending the hard-coded configId to the C&C server at 212.113.119[.]153, receives the configuration (including the DLL download URLs) in response, and returns the collected data over the same channel. “sends the ‘configId’ value that is hard-coded into the malware to the C&C server.”
- [T1496] Resource Hijacking – It installs a CoinMiner to mine cryptocurrency on the compromised machine. “install a CoinMiner using a malware file named “vdcs.exe”.”
Indicators of Compromise
- [MD5] 1cc87e637e55a2e6a88c745855423045, 116857ca1574a5a36da3bb0ddff32eac, 803a1f3e984a9eaa56ac74a203096959
- [URL] https://www.mediafire[.]com/file/0u0tldiluood47v/2O23-F1LES-S0ft.rar, https://github[.]com/jesus061031r/mooliik/releases/download/mooliik/GUI_MODERNISTA.exe
- [IP] 212.113.119[.]153
- [Domain] mediafire[.]com, github[.]com (legitimate hosting services abused for delivery; use the full URLs above for blocking, not the bare domains)
- [FileName] Launcher_S0FT-2O23.exe, GUI_MODERNISTA.exe, vdcs.exe (CoinMiner)
- [C2 URL] http://212.113.119[.]153/ (RecordBreaker)
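The indicators above are published defanged (`[.]`), and a common hunting mistake is to paste them into a search tool unchanged, or to substring-match an IP so that 212.113.119.153 also fires on 212.113.119.1530. The following is an added example, written for this page and not part of the ASEC report: it refangs the listed IOCs, builds type-appropriate patterns (whole-IP, word-bounded hash and filename, prefix URL so the C2 root covers its sub-paths) and runs them over a few constructed proxy/EDR/firewall log lines. The log lines are invented for illustration; only the indicators come from the page.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators as listed on this page, kept in their defanged form.
DEFANGED_IOCS = {
    "md5": [
        "1cc87e637e55a2e6a88c745855423045",
        "116857ca1574a5a36da3bb0ddff32eac",
        "803a1f3e984a9eaa56ac74a203096959",
    ],
    "url": [
        "https://www.mediafire[.]com/file/0u0tldiluood47v/2O23-F1LES-S0ft.rar",
        "https://github[.]com/jesus061031r/mooliik/releases/download/mooliik/GUI_MODERNISTA.exe",
        "http://212.113.119[.]153/",
    ],
    "ip": ["212.113.119[.]153"],
    "filename": ["Launcher_S0FT-2O23.exe", "GUI_MODERNISTA.exe", "vdcs.exe"],
}

# Constructed sample telemetry (not real logs): one download, one execution,
# one C2 connection, one near-miss IP, and the CoinMiner dropped later.
SAMPLE_LOG = [
    '2023-06-01T10:02:11Z proxy user=alice dst=www.mediafire.com url="https://www.mediafire.com/file/0u0tldiluood47v/2O23-F1LES-S0ft.rar" bytes=31457280',
    '2023-06-01T10:05:40Z edr host=WS-17 event=process_create image="C:\\Users\\alice\\Downloads\\2O23-F1LES-S0ft\\Launcher_S0FT-2O23.exe" md5=1CC87E637E55A2E6A88C745855423045',
    '2023-06-01T10:05:52Z fw host=WS-17 action=allow proto=tcp dst=212.113.119.153 dport=80',
    '2023-06-01T10:09:03Z fw host=WS-22 action=allow proto=tcp dst=212.113.119.1 dport=443',
    '2023-06-01T10:12:30Z edr host=WS-17 event=process_create image="C:\\ProgramData\\vdcs.exe" md5=deadbeefdeadbeefdeadbeefdeadbeef',
]


@dataclass
class Hit:
    ioc_type: str
    indicator: str   # refanged, lower-cased indicator that matched
    line_no: int     # 1-based index into the scanned lines
    line: str


def refang(value: str) -> str:
    """Undo the usual defanging ('[.]', '(.)', 'hxxp') and normalise case."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    return v


def build_patterns(iocs):
    """Compile one regex per indicator, bounded according to its type."""
    patterns = []
    for ioc_type, values in iocs.items():
        for raw in values:
            plain = refang(raw)
            if ioc_type == "ip":
                # whole-address match: 212.113.119.153 must not hit 212.113.119.1530
                pat = re.compile(r"(?<![\d.])" + re.escape(plain) + r"(?![\d.])")
            elif ioc_type == "url":
                # prefix match so the C2 root URL also covers its sub-paths
                pat = re.compile(re.escape(plain))
            elif ioc_type == "filename":
                # bounded by path separators, quotes or spaces, not by other name chars
                pat = re.compile(r"(?<![\w.-])" + re.escape(plain) + r"(?![\w.-])")
            else:  # md5: hex run that is not part of a longer hex string
                pat = re.compile(r"(?<![0-9a-f])" + re.escape(plain) + r"(?![0-9a-f])")
            patterns.append((ioc_type, plain, pat))
    return patterns


def scan(lines, patterns):
    """Return every (indicator, line) pair that matches; lines are compared lower-cased."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for ioc_type, plain, pat in patterns:
            if pat.search(low):
                hits.append(Hit(ioc_type, plain, n, line))
    return hits


def scan_log(lines):
    return scan(lines, build_patterns(DEFANGED_IOCS))


def summarize(hits):
    """Count hits per indicator type, e.g. {'url': 1, 'filename': 2, ...}."""
    return dict(Counter(h.ioc_type for h in hits))


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: [{h.ioc_type}] {h.indicator}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Against the constructed lines this yields five hits: the MediaFire download, the launcher's filename and MD5 on the same EDR event, the C2 connection and the later CoinMiner execution; the WS-22 connection to 212.113.119.1 is correctly left alone. Bare `mediafire.com` and `github.com` are deliberately not patterns, since matching them would flag every legitimate visit to those services.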
Read more: https://asec.ahnlab.com/en/52072/