Raccoon Infostealer Malware Returns with New TTPs – Detection & Response – Security Investigation

Raccoon is an info-stealer offered as malware-as-a-service since 2019, capable of stealing passwords, cookies, autofill data, and cryptocurrency wallet data from browsers. The campaign is delivered through phishing and abuses a trusted, signed Windows component to drop and execute its payload and to fetch additional DLLs from a C2 server; the stolen data is then exfiltrated via HTTP POST.

Keypoints

  • Raccoon has operated as a malware-as-a-service since early 2019 and has infected over 100,000 devices.
  • It steals browser data (passwords, cookies, autofill) and supports theft from cryptocurrency wallets.
  • Infection commonly occurs through phishing campaigns or exploit kits.
  • The malware drops a binary into AppData\Local\Temp and uses RegSvcs.exe (a signed Windows component) to execute it.
  • RegSvcs.exe downloads a second-stage DLL (nss3.dll) from the C2 to the temp folder, along with other DLLs (e.g., mozglue.dll) in AppData\LocalLow.
  • Data exfiltration uses HTTP POST to attacker IPs, with multiple IOCs including IPs and file hashes.
  • Detection and response guidance is provided as SIEM queries for multiple platforms that flag RegSvcs.exe loading DLLs from the AppData\Local\Temp or AppData\LocalLow paths.
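The detection logic behind those SIEM queries, as an added Python example that is not part of the original article: it runs over a handful of constructed Sysmon-style events (process creation, image load, network connection) and flags RegSvcs.exe when it is spawned from a user temp directory, loads a DLL from AppData\Local\Temp or AppData\LocalLow, or makes a network connection (RegSvcs.exe has no legitimate reason to talk to the network). The username "victim" and the event field layout are assumptions; the paths, file name and IPs come from the article.

```python
import re

# Constructed Sysmon-style sample events (not real telemetry). EventID 1 = process
# create, 7 = image load, 3 = network connection; username "victim" is made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\ecc322f22da7cee63fb2ee0bfd5df59c.exe"},
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\LocalLow\nss3.dll"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "DestinationIp": "85.192.63.46", "DestinationPort": 80},
    # Benign: RegSvcs loading a framework DLL from its own directory
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll"},
    # Benign: Firefox legitimately ships its own nss3.dll, so the DLL name alone is not enough
    {"EventID": 7, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
]

# Directories the article names as drop locations for the dropper and second-stage DLLs
USER_DROP_DIRS = re.compile(r"\\AppData\\(Local\\Temp|LocalLow)\\", re.IGNORECASE)
# C2 / exfiltration addresses from the article's IOC list
KNOWN_C2_IPS = {"85.192.63.46", "88.119.170.241"}


def is_regsvcs(image_path: str) -> bool:
    return image_path.lower().endswith("\\regsvcs.exe")


def detect(events):
    """Return (rule_name, evidence) tuples for events matching the Raccoon TTPs."""
    alerts = []
    for ev in events:
        if not is_regsvcs(ev.get("Image", "")):
            continue  # every rule here is scoped to RegSvcs.exe as the acting process
        eid = ev["EventID"]
        if eid == 1 and USER_DROP_DIRS.search(ev.get("ParentImage", "")):
            alerts.append(("regsvcs_spawned_from_user_drop_dir", ev["ParentImage"]))
        elif eid == 7 and USER_DROP_DIRS.search(ev.get("ImageLoaded", "")):
            alerts.append(("regsvcs_loads_dll_from_user_drop_dir", ev["ImageLoaded"]))
        elif eid == 3:
            dst = ev.get("DestinationIp", "")
            rule = "regsvcs_network_to_known_c2" if dst in KNOWN_C2_IPS else "regsvcs_network_connection"
            alerts.append((rule, dst))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```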

MITRE Techniques

  • [T1566.001] Phishing – The malware is often distributed via phishing campaigns or exploit kits. Quote: ‘Raccoons are often infected through phishing campaigns or exploit kits.’
  • [T1105] Ingress Tool Transfer – Regsvcs.exe is used to fetch a second-stage DLL from the C2. Quote: ‘Regsvcs.exe connects to CnC and downloads another malicious DLL http://85[.]192.63.46/…/nss3.dll and file downloaded to temp directory “C:\Users\Balaganesh\AppData\LocalLow\nss3.dll”’
  • [T1218.005] Signed Binary Proxy Execution – Uses RegSvcs.exe (a legitimate Microsoft .NET Framework component) to execute the dropper. Quote: ‘RegSvcs.exe… genuine software component of Microsoft .NET Framework by Microsoft, which is located at C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe’
  • [T1555.003] Credentials from Web Browsers – Steals data from browsers (passwords, cookies, autofill). Quote: ‘Downloaded Dropper “nss3.dll” allows stealing of data such as passwords, cookies, and autofill data from browsers.’
  • [T1041] Exfiltration Over Unencrypted/Non-C2 Channel – Data is exfiltrated via HTTP POST to attacker IPs. Quote: ‘HTTP post method is used and stolen data is sent to attackers’ IP addresses.’

Indicators of Compromise

  • [IP] C2 / Exfiltration – 85.192.63.46, 88.119.170.241 – Used for command and control and data exfiltration.
  • [File hash] 51c33c00a3823180a7b39ab838542d9d, 7a1618c1616dae2aa4402b2f9f0febc7 – Hashes associated with the dropper/payload.
  • [File hash] 1de2a5e94f070e9d6e8d70fe63e87175, c8f9b86af75c8cb9f973683dbee27f93 – Additional payload hashes observed.
  • [File hash] 704cb6b7d8863165857bca2c33283fa0, e490eacd7d52073891790cd3411a1221 – More related artifacts.
  • [File name] ecc322f22da7cee63fb2ee0bfd5df59c.exe – Malicious binary dropped in AppData\Local\Temp.
  • [File name] mozglue.dll – DLL dropped in AppData\LocalLow; may contain Bitcoin addresses.

Read more: https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/