Raccoon Stealer is a multifunctional stealer that uses Telegram to store and update its C2 addresses and to receive commands. Avast Threat Labs detail its data theft capabilities, distribution methods, and global prevalence, including locale checks to avoid certain languages. #RaccoonStealer #TrashPanda #Telegram #Fortnite #Valorant #NBA2K22 #BuerLoader #GCleaner
Key points
- Raccoon Stealer can steal cookies, saved logins and forms data from browsers, plus login credentials from email clients and messengers.
- It can also exfiltrate files from crypto wallets and data from browser plugins and extensions, and it can download and execute arbitrary files via C2 commands.
- Telegram infrastructure is used to store and update actual C2 addresses, with MAIN_KEY, Telegram Gate URLs, BotID, and TELEGRAM_KEY hardcoded in samples.
- Distribution includes Buer Loader and GCleaner, fake game cheats, patches for cracked software (e.g., Fortnite, Valorant, NBA2K22), and samples packed with Themida or multiple packers.
- The malware checks the system locale and won’t run if the language is Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek.
- Prevalence is high: 25,000+ samples and 1,300+ distinct configs observed; Avast blocked nearly 600,000 Raccoon Stealer attacks, with Russia showing many blocked attempts due to locale checks.
- From 1,300+ configs, 429 unique Telegram channels were identified, with top channels including jdiamond13, jjbadb0y, nixsmasterbaks2, hellobyegain, and h_smurf1kman_1.
MITRE Techniques
- [T1071.001] Web Protocols – The malware uses Telegram infrastructure to store and update actual C&C addresses. ‘The Telegram infrastructure is used to store and update actual C&C addresses.’
- [T1027] Obfuscated/Encrypted Data – C2 communications are encrypted with RC4 using MAIN_KEY and then Base64-encoded; MAIN_KEY is used to decrypt Telegram Gates URLs and BotID. ‘This key is used to decrypt Telegram Gates URLs and BotID.’
- [T1105] Ingress Tool Transfer – It is capable of downloading and executing arbitrary files by command from its C&C. ‘download and execute arbitrary files by command from its C&C’
- [T1041] Exfiltration Over C2 Channel – Data (e.g., PC information) is posted to C&C; the response is Base64-encoded and RC4-encrypted. ‘This data is sent using POST to the C&C, and the response is encoded with Base64 and encrypted with the MAIN_KEY.’
- [T1082] System Information Discovery – The malware checks the default user locale and avoids running on certain languages. ‘starts checking for the default user locale set on the infected device…’
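The [T1027] and [T1041] entries above describe the same wrapping on C2 traffic: RC4 with the sample's hardcoded MAIN_KEY, then Base64. The block below is an added example written for this page, not code from the Avast write-up or from the malware, showing how an analyst who has already extracted MAIN_KEY from a sample would reverse that wrapping on a captured response. The key, the payload and the helper names (`decode_c2_blob`, `looks_like_text`) are all constructed placeholders; real keys and gate URLs come only from the sample being analysed.

```python
"""Decode a Base64-wrapped, RC4-encrypted blob with an extracted key.

Constructed example, not Raccoon Stealer's own code. The page states that C2
responses are RC4-encrypted with MAIN_KEY and then Base64-encoded; this undoes
that layering so the decoded text can be inspected. Key and payload are made up.
"""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute the state array with the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm, XORed byte by byte over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_c2_blob(main_key: bytes, blob: str) -> bytes:
    """Undo Base64, then RC4 with MAIN_KEY (the order the page describes)."""
    raw = base64.b64decode(blob, validate=True)
    return rc4(main_key, raw)


def encode_c2_blob(main_key: bytes, plaintext: bytes) -> str:
    """Same layering in the other direction; used here only to build a
    constructed sample so the decoder can be exercised offline."""
    return base64.b64encode(rc4(main_key, plaintext)).decode("ascii")


def looks_like_text(data: bytes) -> bool:
    """Cheap sanity check for a wrong key: RC4 output under the wrong key is
    effectively random bytes, which almost never decode as printable ASCII."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


# Constructed placeholder values (a real MAIN_KEY, gate URL and BotID would be
# read out of the sample's configuration, never guessed).
SAMPLE_MAIN_KEY = b"placeholder_main_key"
SAMPLE_PLAINTEXT = b"tg_gate=EXAMPLE_GATE_URL|bot_id=EXAMPLE_BOT_ID"
SAMPLE_BLOB = encode_c2_blob(SAMPLE_MAIN_KEY, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    decoded = decode_c2_blob(SAMPLE_MAIN_KEY, SAMPLE_BLOB)
    print("captured blob :", SAMPLE_BLOB)
    print("decoded       :", decoded)
    print("plausible text:", looks_like_text(decoded))
```

Because RC4 is symmetric, the same `rc4` routine serves both the sample-building and the decoding side; `looks_like_text` is the quick check an analyst uses to tell a correct key from a wrong one before trusting the decoded gate URL or BotID.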
Indicators of Compromise
- [Hash] Raccoon Stealer sample identifiers – 447c03cc63a420c07875132d35ef027adec98e7bd446cf4f7c9d45b6af40ea2b, f1cfcce14739887cc7c082d44316e955841e4559ba62415e1d2c9ed57d0c6232
- [URL] C2 address used by Raccoon Stealer – http://91.219.236[.]18/
Read more: https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/