Raccoon Stealer is Back with a New Version

Raccoon Stealer has returned with a new V2 version, resuming activity after a pause linked to a key developer’s death. The update introduces a more automated and faster builder/admin panel, and distribution now leans on fake Cracked Software sites; ongoing monitoring is advised as the campaign unfolds. #RaccoonStealer #RaccoonStealerV2 #CrackedSoftware #FakeCrackCampaign #KeysTool #Exploit #S2W_TALON

Keypoints

  • Raccoon Stealer V2 activity resumed in mid-2022 after a temporary suspension tied to the Russia-Ukraine conflict affecting a core developer.
  • V2 is advertised as fully automated (builder, log processing) and rewritten in C/C++ for speed, with low AV detection and 32/64‑bit support.
  • The distribution shifts to Cracked Software channels (e.g., KEYS TOOL) with redirectors and fake installers, continuing a pattern seen in prior campaigns.
  • The admin panel offers features like fast log processing, flexible search/filters, CSV export, and geo-aware browsing, with pricing of $275/month or $125/week.
  • Raccoon Stealer V2 uses a redesigned configuration format and hard-coded C2 addresses, differing from the JSON-based V1 and signaling ongoing customization.
  • Technical analysis shows V2 logs already being traded among criminals, and notes that those logs carry a V2 signature, which indicates active use and further evolution of the stealer.
  • IoCs include multiple file hashes, DLLs, and URLs associated with the campaign, plus C2-related addresses and cracked-software distribution sites to watch.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Data – Strings are stored Base64-encoded and RC4-encrypted, and decrypted at runtime to conceal them from static analysis – “Encrypted String: ‘VVsEvhkqyZGsN0Qv’… RC4 Key: ‘edinayarossiya’… Decrypted String: ‘cookies.txt’”
  • [T1105] Ingress Tool Transfer – The stealer downloads libraries/tools from the C2 server (libs_ fields) to enable collection and operation – “Download normal library files required for collection from the C&C server by referring to the libs_ field included in the configuration information.”
  • [T1071.001] Web Protocols – C2 communications occur over HTTP(S); basic device info is posted to C2 and configuration is retrieved over HTTP POST-based channels – “POST / HTTP/1.1… machineId=[MachineGuid]|[Username]&configId=[RC4 Key…]”
  • [T1041] Exfiltration – Exfiltration of stolen data from the infected device to the C2 server over HTTP – “Exfiltrate stolen data from the infected device” and “POST /[token] HTTP/1.1”
  • [T1562.001] Impair Defenses – A mutex is created so that only one instance runs; this avoids re-execution and keeps the footprint quiet – “Duplicate execution is prevented through mutex.” (Note: a single-instance mutex does not disable or modify a defensive tool, so this mapping is loose; the mutex name itself is the more useful hunting artifact.)
  • [T1036] Masquerading – Distribution disguised as Cracked Software to evade naive defenses and users – “distributed in the same way as V1, disguised as Cracked Software”
  • [T1082] System Information Discovery – Locale check to identify Russian (ru) environments, indicating region-aware logic – It collects the “Locale Name” of the infected device and checks whether the string “ru” is included. (Note: in current ATT&CK this behaviour maps more precisely to T1614.001, System Location Discovery: System Language Discovery.)
  • [T1555.003] Credentials from Web Browsers – Data stored in the browser (credentials, cookies, autofill, etc.) and wallet/currency extensions are listed for collection – “Data stored in the browser: Credentials, Profile, Autofill, Cookies, Credit card information, etc.”
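The T1027 entry above gives one worked pair (Base64 blob, RC4 key, plaintext). The block below is an added example, not code from the S2W post or from the malware itself: it implements plain RC4 and the Base64-then-RC4 decoding step so the pair from the post can be checked and the same routine reused over a whole extracted string table. The key and blob constants are the ones quoted in the post; the null-byte stripping in `as_text` is an assumption that the decrypted strings are C-style terminated (the 16-character blob decodes to 12 bytes, which is consistent with “cookies.txt” plus a terminator, but the post does not state this).

```python
import base64

# Added example: Base64 + RC4 string decryption as described in the post's
# T1027 entry. Not the malware's code and not the S2W post's code.


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed into data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string(b64_blob: str, key: str) -> bytes:
    """Base64-decode then RC4-decrypt one obfuscated string; raw bytes are
    returned so a trailing NUL terminator stays visible to the caller."""
    return rc4(key.encode(), base64.b64decode(b64_blob))


def encrypt_string(plaintext: bytes, key: str) -> str:
    """Inverse of decrypt_string, useful for building test vectors."""
    return base64.b64encode(rc4(key.encode(), plaintext)).decode()


def as_text(raw: bytes) -> str:
    """Assumption: decrypted strings are C-style, so strip trailing NULs."""
    return raw.rstrip(b"\x00").decode("latin-1")


def decrypt_table(blobs, key: str):
    """Decode a whole list of Base64 blobs (e.g. dumped from the binary) with one key."""
    return [as_text(decrypt_string(b, key)) for b in blobs]


RACCOON_KEY = "edinayarossiya"    # RC4 key quoted in the post
SAMPLE_BLOB = "VVsEvhkqyZGsN0Qv"  # encrypted string quoted in the post

if __name__ == "__main__":
    raw = decrypt_string(SAMPLE_BLOB, RACCOON_KEY)
    print(len(raw), "bytes:", raw, "->", repr(as_text(raw)))
```

The RC4 core is verified against the public RC4 test vectors (key “Key”/“Plaintext”, “Wiki”/“pedia”, “Secret”/“Attack at dawn”), and `decrypt_string` against a round trip with the post’s key, so the routine can be trusted before it is pointed at a real string table. Because RC4 is symmetric and the key is embedded in the binary, the same key also decrypts any other string the sample protects this way.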

Indicators of Compromise

  • [IP] 2.58.56.247 – C2 server address used for configuration download and data exfiltration
  • [Domain] keystool.com – Cracked software distribution site used to host/load the Raccoon Stealer V2 campaign
  • [URL] http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll – DLL download target; example of libs_ download
  • [URL] http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll – DLL download target; example of libs_ download
  • [File] 4.exe – Example of the V2 executable/packer output mentioned in the technical analysis
  • [File] System Information.txt – Example of data collected during exfiltration
  • [Hash] 05a000d526a6e95be2b08e650394fa40 – MD5 for the Raccoon Stealer V2 sample
  • [Hash] 40daa898f98206806ad3ff78f63409d509922e0c482684cf4f180faac8cac273 – SHA-256 for the Raccoon Stealer V2 sample
  • [Hash] 6e5d7b8bc69145a2b65b4be1a2d66a8dbc579e54c09660c4070c5667192864bf – Appendix IoC hash
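The IoC list above and the T1071.001/T1105/T1041 entries describe four observable network events: traffic to the listed C2 address, the check-in body `machineId=[MachineGuid]|[Username]&configId=…`, DLL fetches for the `libs_` entries (nss3.dll, msvcp140.dll) from a bare IP, and exfiltration as `POST /[token]`. The block below is an added detection example, not code from the S2W post: it runs those checks over proxy-style log lines. The log format, the sample lines, the GUID and username values, the 203.0.113.7 address (a documentation range) and the 20-character minimum for the token path are all constructed assumptions for this example; the post does not specify a log format or a token length.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added detection example (not the S2W post's code). Scans constructed
# proxy-style log lines for the Raccoon Stealer V2 network behaviour and
# IoCs summarised on the page.

C2_HOSTS = {"2.58.56.247"}                     # [IP] IoC from the page
LIB_NAMES = {"nss3.dll", "msvcp140.dll"}       # libs_ downloads from the [URL] IoCs

# machineId=[MachineGuid]|[Username]&configId=[RC4 key], field order as quoted in the post.
# MachineGuid is a GUID string; braces are tolerated (assumption).
CHECKIN_RE = re.compile(
    r"machineId=\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?"
    r"\|[^&\s]+&configId=[^&\s]+"
)
# "POST /[token]": single opaque alphanumeric path segment. 20+ chars is an
# assumed heuristic threshold, not a value from the post.
TOKEN_PATH_RE = re.compile(r"^/[A-Za-z0-9]{20,}$")

# Constructed log format: <ts> <src> <METHOD> <url> <status> "<body>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<body>.*)"$'
)


def is_ip_literal(host: str) -> bool:
    """True for hosts written as raw IP addresses (no DNS name)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line: str) -> list:
    """Return the names of every rule the log line triggers (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["url"])
    host, path = (url.hostname or ""), url.path
    method, body = m["method"], m["body"]
    hits = []
    if host in C2_HOSTS:
        hits.append("ioc_c2_host")
    if method == "POST" and CHECKIN_RE.search(body):
        hits.append("v2_checkin_body")          # T1071.001 config/check-in request
    basename = path.rsplit("/", 1)[-1].lower()
    if method == "GET" and basename in LIB_NAMES and is_ip_literal(host):
        hits.append("libs_download_from_ip")     # T1105: runtime DLLs pulled from a bare IP
    if method == "POST" and is_ip_literal(host) and TOKEN_PATH_RE.match(path):
        hits.append("token_path_post")           # T1041: POST /[token] exfil (heuristic)
    return hits


def scan(lines):
    """Pair every line that fires at least one rule with its rule names."""
    return [(line, hits) for line in lines for hits in [classify(line)] if hits]


# Constructed sample lines (not real telemetry). GUID, usernames and the
# 203.0.113.7 address are placeholders.
SAMPLE_LOG = [
    '2022-07-01T10:00:01Z 10.0.0.5 POST http://2.58.56.247/ 200 '
    '"machineId=a1b2c3d4-e5f6-7890-abcd-ef1234567890|alice&configId=edinayarossiya"',
    '2022-07-01T10:00:02Z 10.0.0.5 GET http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll 200 ""',
    '2022-07-01T10:00:09Z 10.0.0.5 POST http://203.0.113.7/ZxC9vB8nM7lK6jH5gF4dS3aQ 200 "<multipart body>"',
    '2022-07-01T10:01:00Z 10.0.0.6 GET https://download.example.com/setup/msvcp140.dll 200 ""',
    '2022-07-01T10:01:05Z 10.0.0.6 POST https://www.example.com/api/login 200 "user=bob&remember=1"',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line[:90])
```

The first two rules are pure IoC matches and will go stale as the actor rotates infrastructure; the check-in body pattern and the DLL-from-bare-IP rule are behavioural and survive a C2 change, which is why the benign CDN fetch of msvcp140.dll in the sample does not fire. The token-path rule is deliberately flagged as a heuristic: tune the length threshold against your own proxy baseline before alerting on it.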

Read more: https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d