Two sentences: The ASEC analysis covers a new info-stealer distribution campaign branded as “Recordbreaker Stealer,” which began in earnest around May 20 and is spread by disguising itself as software cracks/installers. It may be a new version of Raccoon Stealer, downloading libraries from C2, stealing wallet/browser data, and installing ClipBanker for persistence. #RecordbreakerStealer #RaccoonStealer #ClipBanker #CryptBot #AhnLab #MetaMask #Ronin #Binance #MyMonero
Keypoints
- The campaign centers on a new infostealer called Recordbreaker Stealer, active since May 20 and seen by some analyses as a new version of Raccoon Stealer.
- Distribution relies on users downloading cracks/installers from untrusted sites, with the file padded to appear unusually large (3–7 MB download vs. 300–700 MB decompressed).
- Malware icons imitate installer images or popular software to entice downloads; some samples additionally use standard packing methods or arrive via a dropper or downloader.
- On execution, the malware fetches additional libraries from the C2 to collect sensitive information and exfiltrate it back to the C2, with the C2 settings controlling what is stolen.
- Initial C2 communication includes sending user name, MachineGUID, and hard-coded keys; the C2 then responds with target data and library download URLs.
- ClipBanker is deployed from the C2 settings, registered in Task Scheduler for persistence, and can alter clipboard wallet addresses; CryptBot remains active in distribution.
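The padding trick in the keypoints above (a 3–7 MB download that expands to a 300–700 MB executable) gives defenders a cheap triage signal: a large file that is almost entirely filler compresses to a tiny fraction of its size. The Python below is an added example, not code from the ASEC report; it measures the compressed/raw ratio of a file in one streaming pass and flags "large but near-zero compressibility" files. The thresholds and the two constructed sample blobs are assumptions for this example.

```python
"""Padding check for oversized cracked-installer samples.

Added example (not from the ASEC report): the campaign ships 300-700 MB
executables that shrink to a 3-7 MB download, so nearly the whole file is
filler. "Large file, near-zero compressibility" is therefore a usable triage
signal. SIZE_THRESHOLD and RATIO_THRESHOLD are assumptions for this example.
"""
import random
import zlib

SIZE_THRESHOLD = 1 * 1024 * 1024   # ignore files below 1 MiB (assumption)
RATIO_THRESHOLD = 0.05             # compressed/raw below 5% => mostly padding (assumption)


def measure(chunks):
    """Single streaming pass over byte blocks: return (raw_size, compressed/raw)."""
    comp = zlib.compressobj(level=6)
    raw = compressed = 0
    for block in chunks:
        raw += len(block)
        compressed += len(comp.compress(block))
    compressed += len(comp.flush())
    if raw == 0:
        return 0, 1.0
    return raw, compressed / raw


def looks_padded(raw_size, ratio, size_threshold=SIZE_THRESHOLD, ratio_threshold=RATIO_THRESHOLD):
    """True when the file is big enough to matter and compresses away almost entirely."""
    return raw_size >= size_threshold and ratio < ratio_threshold


def iter_file(path, chunk=1 << 20):
    """Yield a file in 1 MiB blocks so a 700 MB sample never sits fully in memory."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return
            yield block


def scan_file(path):
    """Verdict for a real file on disk (the decompressed executable, not the archive)."""
    raw, ratio = measure(iter_file(path))
    return {"path": path, "size": raw, "ratio": round(ratio, 4), "padded": looks_padded(raw, ratio)}


# Constructed samples (deterministic PRNG, not real malware): a "padded" blob
# mimicking a small real payload followed by megabytes of zero filler, and an
# incompressible blob standing in for a normal, unpadded executable.
_rng = random.Random(20220520)
PADDED_SAMPLE = _rng.randbytes(4096) + b"\x00" * (2 * 1024 * 1024)
NORMAL_SAMPLE = _rng.randbytes(1536 * 1024)


def demo():
    """Return the verdict for each constructed sample."""
    verdicts = {}
    for name, data in (("padded_sample", PADDED_SAMPLE), ("normal_sample", NORMAL_SAMPLE)):
        raw, ratio = measure([data])
        verdicts[name] = looks_padded(raw, ratio)
    return verdicts


if __name__ == "__main__":
    for name, data in (("padded_sample", PADDED_SAMPLE), ("normal_sample", NORMAL_SAMPLE)):
        raw, ratio = measure([data])
        print(f"{name}: size={raw} ratio={ratio:.4f} padded={looks_padded(raw, ratio)}")
```

Run `scan_file()` against the extracted executable, not the downloaded archive: the archive is already compressed, so its ratio is close to 1 and says nothing. The check catches repetitive filler (zeros or any repeated pattern); filler made of random bytes would not compress and needs a different signal, such as comparing the PE header's declared section sizes with the on-disk file size.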
MITRE Techniques
- [T1036] Masquerading – The malware icons use installer images or those of popular software. – “The icons use installer images or those of popular software.”
- [T1105] Ingress Tool Transfer – It downloads additional libraries from the C2 to enable data collection. – “downloads additional libraries depending on the command from C2 (settings value) to collect various sensitive information from the user PC and send it back to C2.”
- [T1082] System Information Discovery – The sample steals basic system information, installed programs, screenshots, browser data, and cryptocurrency wallet information. – “The sample steals basic system information, the list of installed programs, screenshots, data saved in browsers, and various cryptocurrency wallet information.”
- [T1041] Exfiltration Over C2 Channel – Stolen data is sent back to the C2 during operation. – “send it back to C2.”
- [T1053.005] Scheduled Task – ClipBanker is registered to the Task Scheduler, indicating persistence. – “ClipBanker registered to task scheduler”
- [T1027] Obfuscated/Compressed Files and Information – The distribution uses abnormally large files with substantial padding. – “distributed in an abnormally large size with a huge amount of padding added.”
Indicators of Compromise
- [File Hash] Sample hashes – 332790b27d3492dbcfb053213be95aa6, 2d355ad6f26126ab10939bc68818df20
- [Domain] C2/distribution domains – brain-lover.xyz, load-brain.xyz
- [IP Address] Sample C2/IPs – 194.180.174.180, 94.158.244.213
- [Wallet Address] Cryptocurrency wallet targets – BTC: 19iQuuqoVQPAtRhzm4GvNuM3bj4Nm29ByX, ETH: 0xF22ffD5be6efc35390dfD044B7156CC56C5d41f8
- [Wallet Address] Additional wallets listed – DASH: Xb2miQJ1JjBJA6CTh1GYfDnzduSfRacTVg, LTC: LUYBs28KD92zYYjG28gWq9GFvvsWE6KoeN
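To put the indicators above to use, the Python below sweeps log lines for the listed hashes, C2 domains (including their subdomains), IPs and attacker wallet addresses. It is an added example, not part of the ASEC write-up; the indicator values are the ones listed on this page, while the DNS, proxy, Sysmon and web log lines are constructed for the example and mimic common field layouts rather than any specific product's format.

```python
"""IoC sweep over constructed log lines.

Added example, not from the ASEC report. The indicator sets below are the
values listed on this page; LOGS is constructed and only exercises the matcher.
"""
import re

IOC_HASHES = {"332790b27d3492dbcfb053213be95aa6", "2d355ad6f26126ab10939bc68818df20"}
IOC_DOMAINS = {"brain-lover.xyz", "load-brain.xyz"}
IOC_IPS = {"194.180.174.180", "94.158.244.213"}
IOC_WALLETS = {
    "19iQuuqoVQPAtRhzm4GvNuM3bj4Nm29ByX",
    "0xF22ffD5be6efc35390dfD044B7156CC56C5d41f8",
    "Xb2miQJ1JjBJA6CTh1GYfDnzduSfRacTVg",
    "LUYBs28KD92zYYjG28gWq9GFvvsWE6KoeN",
}

HASH_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)      # MD5, any letter case
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
WALLET_RE = re.compile(r"\b[0-9A-Za-z]{25,45}\b")              # wallet strings are case-sensitive


def domain_hits(line):
    """Match an IoC domain exactly or as the parent of a subdomain (cdn.load-brain.xyz)."""
    hits = set()
    for m in DOMAIN_RE.finditer(line):
        name = m.group(0).lower()
        for ioc in IOC_DOMAINS:
            if name == ioc or name.endswith("." + ioc):
                hits.add(ioc)
    return hits


def match_line(line):
    """Return {kind: [matched indicators]} for one log line, empty dict if clean."""
    found = {
        "hash": {m.group(0).lower() for m in HASH_RE.finditer(line)} & IOC_HASHES,
        "ip": set(IPV4_RE.findall(line)) & IOC_IPS,
        "domain": domain_hits(line),
        "wallet": set(WALLET_RE.findall(line)) & IOC_WALLETS,
    }
    return {kind: sorted(values) for kind, values in found.items() if values}


def scan(lines):
    """Return (line_number, hits) for every line that touches an indicator."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := match_line(line))]


# Constructed log lines (not from any real incident); hostnames and timestamps are made up.
LOGS = [
    "2022-05-21T10:02:11Z dns host=WS-042 qname=cdn.load-brain.xyz qtype=A",
    "2022-05-21T10:02:12Z proxy host=WS-042 dst=194.180.174.180:80 method=GET path=/",
    r"2022-05-21T10:02:15Z sysmon EventID=1 Image=C:\Users\u\Downloads\Setup.exe Hashes=MD5=332790B27D3492DBCFB053213BE95AA6",
    "2022-05-21T11:30:00Z web host=WS-042 url=https://example.invalid/tx?to=0xF22ffD5be6efc35390dfD044B7156CC56C5d41f8",
    "2022-05-21T11:31:00Z dns host=WS-007 qname=www.example.com qtype=A",
]

if __name__ == "__main__":
    for n, hits in scan(LOGS):
        print(f"line {n}: {hits}")
```

The hash and domain matches are case-insensitive because Sysmon emits upper-case MD5 values and DNS names are case-preserving, while wallet addresses are compared exactly since Base58 and checksummed Ethereum addresses are case-sensitive. A wallet address hit in proxy or transaction logs is the clipboard-swap symptom to look for after ClipBanker has run.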
Read more: https://asec.ahnlab.com/en/35981/