Raccoon Stealer has resurfaced on hacker forums with version 2.3.0 (2.3.0.1 since Aug 15, 2023), promoting new features and improvements. The update emphasizes faster search for cookies and credentials, automated bot blocking in the admin panel, and expanded data collection/exfiltration, including browser data and cryptocurrency wallet information. #RaccoonStealer #MarkSokolovsky #FBI #MalwareBazaar #SOCRadar
Key points
- Raccoon Stealer reappears after a six-month silence with an updated version, 2.3.0 and later 2.3.0.1.
- Originally popular since 2019, it sells as a stealware-as-a-service with a subscription model (up to $275/month as of Aug 2023).
- It is capable of stealing data from 60+ applications, including credentials, credit card data, cookies, browser data, and crypto wallets.
- New features include a quick search (qFind) for cookies and passwords and an automated bot-blocking system in the admin panel.
- The malware samples reveal a chain where a VB script runs and dumps vbc.exe, which then communicates with a C2 server to exfiltrate data.
- IoCs and samples are documented with hashes, IPs, domains, and multiple DLL-related URLs for C2 and data exfiltration.
MITRE Techniques
- [T1059.005] VBScript – The sample runs a VB script and dumps another executable named “vbc[.]exe”.
- [T1082] System Information Discovery – After the dropped executable runs, the malware first transmits a “System Info.txt” file containing the victim system information to the C&C.
- [T1555.003] Credentials from Web Browsers – It retrieves and transmits browser credentials and cookies, including the “cookies.txt” file containing browser cookies and “credentials that are registered on the browser.”
- [T1552.001] Credentials in Files – It collects browser autofill data (an “autofill.txt” file) and browser-stored credentials and forwards them to the C&C.
- [T1041] Exfiltration Over C2 Channel – System information such as the OS and installed applications, the “cookies.txt” file containing browser cookies, and the other collected credentials are transmitted to the C&C.
Indicators of Compromise
- [Hash (SHA256)] – d97e8c4b846f1743bae248137e96b7ed4c241ef71aaa2227347e71f509f0cd78
- [Hash (SHA1)] – 26490592f3d71c2aaff76760e9d6ce7daeaf8a8f
- [Hash (MD5)] – be6381dc3f83d6134c2d23f6607be2ed
- [IP] – 91[.]103[.]252[.]217
- [Domain] – raccoon.biz
- [URL] – hxxp[:]//91[.]103[.]252[.]217/
- [URL] – hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3[.]dll
- [URL] – hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue[.]dll
- [URL] – hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140[.]dll
- [URL] – hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3[.]dll
- [URL] – hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3[.]dll
- [URL] – hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140[.]dll
- [URL] – hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3[.]dll
- [URL] – hxxp[:]//91[.]103[.]252[.]217/9c0376e5aaa6c118010bc6f2dffd906b
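As an added example (not code from the SOCRadar write-up), the script below refangs the indicators listed above and checks them against a handful of constructed proxy and Sysmon-style log lines. The log lines are invented for the demonstration, and the looser heuristic it adds, flagging a request for one of the listed helper DLLs from a bare-IP host even when the host differs from the published one, is an assumption of mine rather than an indicator from the page.

```python
"""Match the Raccoon Stealer IoCs published above against sample log lines.

Added example; the log lines and the DLL-from-IP heuristic are constructed.
"""
import re
from dataclasses import dataclass

# Indicators exactly as published above, still defanged.
DEFANGED_IOCS = {
    "sha256": ["d97e8c4b846f1743bae248137e96b7ed4c241ef71aaa2227347e71f509f0cd78"],
    "sha1": ["26490592f3d71c2aaff76760e9d6ce7daeaf8a8f"],
    "md5": ["be6381dc3f83d6134c2d23f6607be2ed"],
    "ip": ["91[.]103[.]252[.]217"],
    "domain": ["raccoon.biz"],
    "url": [
        "hxxp[:]//91[.]103[.]252[.]217/",
        "hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3[.]dll",
        "hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue[.]dll",
        "hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140[.]dll",
        "hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3[.]dll",
        "hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3[.]dll",
        "hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140[.]dll",
        "hxxp[:]//91[.]103[.]252[.]217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3[.]dll",
        "hxxp[:]//91[.]103[.]252[.]217/9c0376e5aaa6c118010bc6f2dffd906b",
    ],
}

# Helper DLL names taken from the URL list above. Used as a weaker,
# behavioural indicator (assumption: the same DLLs fetched from another bare IP).
STAGED_DLLS = ("nss3.dll", "mozglue.dll", "msvcp140.dll", "softokn3.dll",
               "sqlite3.dll", "vcruntime140.dll", "freebl3.dll")


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp, [:], [.]) back into its matchable form."""
    return value.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


IOCS = {kind: [refang(v) for v in values] for kind, values in DEFANGED_IOCS.items()}

_DLL_FROM_IP = re.compile(
    r"https?://\d{1,3}(?:\.\d{1,3}){3}/(?:\S*/)?("
    + "|".join(re.escape(d) for d in STAGED_DLLS) + r")\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str
    indicator: str


def scan_line(line_no: int, line: str) -> list:
    """Return every indicator hit in one log line (hashes compared case-insensitively)."""
    found = []
    lowered = line.lower()
    for kind in ("sha256", "sha1", "md5", "url", "domain", "ip"):
        for ioc in IOCS[kind]:
            if ioc.lower() in lowered:
                found.append(Match(line_no, kind, ioc))
    # Fall back to the behavioural heuristic only when no exact URL matched.
    m = _DLL_FROM_IP.search(line)
    if m and not any(f.kind == "url" for f in found):
        found.append(Match(line_no, "dll-from-ip", m.group(1).lower()))
    return found


def scan(lines) -> list:
    return [m for i, line in enumerate(lines, 1) for m in scan_line(i, line)]


# Constructed sample telemetry, not real logs.
SAMPLE_LOGS = [
    "2023-08-20T10:01:02Z proxy src=10.0.0.5 dst=91.103.252.217 "
    "GET http://91.103.252.217/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll",
    "2023-08-20T10:01:05Z sysmon EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\vbc.exe "
    "Hashes=SHA256=D97E8C4B846F1743BAE248137E96B7ED4C241EF71AAA2227347E71F509F0CD78",
    "2023-08-20T10:02:11Z proxy src=10.0.0.7 dst=203.0.113.9 GET http://203.0.113.9/files/sqlite3.dll",
    "2023-08-20T10:03:00Z proxy src=10.0.0.8 dst=93.184.216.34 GET https://example.com/index.html",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} -> {hit.indicator}")
```

The first sample line produces three hits (the root URL, the nss3.dll URL and the IP), the Sysmon line matches on the SHA256 despite its upper-case hex, the third line is caught only by the DLL-from-IP heuristic, and the benign line produces nothing. In production the heuristic deserves its own lower severity, since the DLL names alone are legitimate files.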
Read more: https://socradar.io/raccoon-stealer-resurfaces-with-new-enhancements/