Zscaler to Expand Zero Trust Exchange Platform's AI Cloud with Data Fabric Purpose-built for Security

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Raccoon Stealer v2: The Latest Generation of the Raccoon Family

image

Introduction

Raccoon is a malware family that has been sold as malware-as-a-service on underground forums since early 2019. In early July 2022, a new variant of this malware was released. The new variant, popularly known as Raccoon Stealer v2, is written in C unlike previous versions which were mainly written in C++.

The Raccoon Malware is a robust stealer that allows stealing of data such as passwords, cookies, and autofill data from browsers. Raccoon stealers also support theft from all cryptocurrency wallets.

In this blog, ThreatLabz will analyze Raccoon Stealer v2 in the exe format, and highlight key differences from its predecessors. The authors of the Raccoon Stealer malware have announced that other formats are available, including DLLs and embedded in other PE files.

 

Detailed Analysis

Raccoon v2 is an information stealing malware that was first seen on 2022-07-03. The malware is written in C and assembly.

Though we noticed a few new features in the newer variant as mentioned below, the data stealing mechanism is still the same as is seen in its predecessor:

  1. Base64 + RC4 encryption scheme for all string literals
  2. Dynamic Loading Of WinAPI Functions
  3. Discarded the dependence on Telegram API

We have noticed a significant change in the way list of command and control servers is obtained. The Raccoon Malware v1 was seen abusing the Telegram network to fetch the list of command and control servers, whereas the newer variant has abandoned the use of Telegram. Instead, they use a hardcoded IP address of a threat-actor-controlled server to fetch the list of command and control servers from where the next stage payload (mostly DLLs) is downloaded.

 

File Information

  • Malware Name: Raccoon Stealer v2
  • Language: C
  • File Type: exe
  • File Size: 56832
  • MD5:  0cfa58846e43dd67b6d9f29e97f6c53e
  • SHA1:  19d9fbfd9b23d4bd435746a524443f1a962d42fa
  • SHA256: 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03

 

Debug Information

The analyzed file has debug data intact. According to the Debug headers compilation date was Thursday, 26/05/2022 13:58:25 UTC as shown in Figure 1.

Image

Figure 1: Raccoon v2 Debug Headers

We have also seen a change in how Raccoon Stealer v2 hides its intentions by using a mechanism where API names are dynamically resolved rather than being loaded statically. The stealer uses LoadLibraryW and GetProcAddress to resolve each of the necessary functions (shown in Figure 2). The names of the DLLs and WinAPI functions are stored in the binary as clear text.

Image

Figure 2: Raccoon v2 dynamic resolution

List Of Loaded DLLs

  1. kernel32.dll
  2. Shlwapi.dll
  3. Ole32.dll
  4. WinInet.dll
  5. Advapi32.dll
  6. User32.dll
  7. Crypt32.dll
  8. Shell32.dll

Raccoon v1 did not employ dynamic resolution for used functions, therefore packed samples were often observed in the wild to evade detection mechanisms. Conversely, Raccoon v2 is often delivered unpacked. Figure 3 shows the imported DLLs for raccoon v1.

 

Image

Figure 3: Raccoon Stealer v1 imports (unpacked)

Once resolution of functions is done, the stealer will run its string decryption routine. The routine is simple. RC4 encrypted strings are stored in the sample with base64 encoding. The sample first decodes the base64 encoding and then decrypts the encrypted string with the key ‘edinayarossiya’. This routine is followed for all the strings in function string_decryption(). The 'string_decryption' routine is shown in Figure 4.

Image

Figure 4: Raccoon v2 String Decryption Routine

Previous versions of Raccoon Stealer did not encrypt string literals other than hard coded IP addresses. The Raccoon v2 variant overcomes this by encrypting all the plain text strings. Several of the plaintext strings of Raccoon v1 are shown in Figure 5.

Image

Figure 5: Plaintext Strings In Raccoon v1

 

After manual decryption of the Raccoon v1 sample strings, the following (Figure 6 and Figure 7) strings were obtained in plaintext format.

Image

Figure 6: Raccoon v2 Decrypted Strings

Image

Figure 7: Raccoon v2 Decrypted Strings

The command and control IP addresses are saved in the malware and follow the same decryption routine but have a different key, 59c9737264c0b3209d9193b8ded6c127. The IP address contacted by the malware is ‘hxxp://51(.)195(.)166(.)184/’. The decryption routine is shown in Figure 8.

Image

Figure 8: IP Address Decryption Raccoon v2

 

 

Decrypting Command and Control IP Address

The encrypted command and control IP Address can be easily decrypted by using public tools such CyberChef as shown in Figure 9.

Image

Figure 9: Raccoon v2 IP Address (via cyberchef utils)

This technique is common between both versions of the malware. Figure 10 shows the same routine employed in Raccoon v1.

 

Image

Figure 10: Raccoon v1 setting up overhead before IP Address decryption

Once all the overhead of setting up the functions and decryption of the strings is done, the malware will perform some checks before contacting the command and control server to download malicious DLLs and exfiltrate information.

 

Overhead Before Exfiltration

Before executing the core of the malware, certain checks are made to understand the execution environment. This includes making sure the malware isn't already running on the machine. Further the malware also checks if it's running as NT Authority/System.

The malware gets a handle on mutex and checks if it matches a particular value or not. If it matches, the malware continues execution.

Value: 8724643052.

This technique is used to make sure only one instance of malware is running at one time. Figure 11 depicts the Mutex check and creation for Raccoon v2, while Figure 12 depicts the similar procedure used in Raccoon v1.

Image

Figure 11: Raccoon v2 Mutex Check

 

Image

Figure 12: Raccoon v1 Mutex Check

 

By retrieving the Process token and matching the text "S-1-5-18," as shown in Figure 13, the malware determines if it is or is not operating as the SYSTEM user.

Image

Figure 13: Raccoon v2 Enumerating Process Token

 

If running as a SYSTEM user, the enumeration of all the running processes is done with the help of fun_CreateToolhelp32Snapshot. Otherwise, the malware moves forward without the enumeration. Figure 14 shows the 'enumerate_processes()' function being called while Figure 15 shows the malware iterating over the Processes.

Image

Figure 14: Raccoon v2 Enumerate Process

 

Image

Figure 15: Raccoon v2 Iterating Process Struct

 

 

Fingerprinting Host

Once the malware is aware of the environment in which it's running, it starts to fingerprint the host. This malware uses functions such as:

  1. RegQueryValueExW for fetching machine ID
  2. GetUserNameW

Figure 16 depicts the malware retrieving the Machine ID from the registry key "SOFTWAREMicrosoftCryptography" via the RegQueryKeyExW and RegQueryValueExW functions. Figure 17 depicts malware using the GetUserNameW function to retrieve a username.

Image

Figure 16: Raccoon v2 Fetching MachineID

Image

Figure 17: Raccoon v2 Fetching Username

 

Image

Figure 18: Raccoon v2: Username Buffer

 

After all this is done, the malware will enumerate information such as MACHINE ID and username and then send the data to the remote command and control server.

For this purpose, the malware creates a char string and starts appending these values to it. It starts by adding machine id and username. Figure 19 shows the built payload in buffer.

Image

Figure 19: Raccoon v2: Fingerprinting Payload

 

Next, it generates and appends configId which is the rc4 encryption key.

machineId=<MachineGuid>|<UserName>&configId=<RC4 key>

 

Communications with Command and Control

Communication with command and control takes place over plain text http protocol. The previously decrypted IP address hxxp://51(.)195(.)166(.)184/ is used for command and control communication.

The malware contacts the list of previously decrypted command and control IP addresses (stored in local_3c). Since this malware only contains one command and control IP Address, the post request is only made to one as seen in Figure 20.

Image

Figure 20: Raccoon v2: Command and Control communication

 

Command and Control URL

Image

Figure 21: Raccoon v2 URL in buffer

 

Request Headers

Image

Figure 22: Raccoon v2 Request Headers

 

Once the request has been made, the malware checks if the content body length is zero or not. If no content is received from command and control or the content body length is zero, the malware exits. This check is made because the exfiltration mechanism of the malware requires command and control to respond with a list IP Addresses to exfiltrate data to. In Figure 23, this condition can be seen along with the 'ExitProcess()'  function call.

Image

Figure 23: Raccoon v2 Verifying Response Content

 

Discarded the dependence on Telegram bot

The Raccoon v1 relied on the Telegram Bot API description page to fetch command and control IP addresses and establish connections. The recent malware variants (v2) from this family have started to hard-code IP addresses in the binary to achieve this task. Raccoon Malware v2 uses 5 hard coded IP addresses and iterates over them.

 

Data Exfiltration

The malware relies on response from command and control server to down the required DLLs and decides on the next course of action.

As of the writing of this blog the command and control IP has died, thus analysis of traffic towards the host is not possible. ThreatLabz has previously observed that the command and control server provides information on where to download additional payloads from and which IP Address to use for further communications.

 

Image

Figure 24: Raccoon v2 pinging extracted IP Address

 

Grepped DLLs

Image

Figure 25: Raccoon v2 DLLs that are downloaded

 

The malware uses a WINAPI call to SHGetFolderPathW to get a path to C:\Users\<User>\AppData and appends “Local” to it and uses it as the path to store stolen information before sending it to the command and control.

 

Image

Figure 26: Raccoon v2 Storage Path In Buffer

 

Indicators Of Compromise

IP contacted by the analyzed sample of Raccoon v2.

55(.)195(.)166(.)184

List Of Other IPs that act as an C2 for other samples can be found here.

Downloaded DLLs

  1. nss3.dll
  2. sqlite3.dll
  3. GdiPlus.dll
  4. Gdi32.dll

Path Used By the Malware

  1. C:\Users\<USERNAME>\AppData\Local

Other samples observed in the wild of Raccoon v2.

  1. 0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909
  2. 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03
  3. 048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059
  4. 0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256
  5. 2106b6f94cebb55b1d55eb4b91fa83aef051c8866c54bb75ea4fd304711c4dfc
  6. 263c18c86071d085c69f2096460c6b418ae414d3ea92c0c2e75ef7cb47bbe693
  7. 27e02b973771d43531c97eb5d3fb662f9247e85c4135fe4c030587a8dea72577
  8. 2911be45ad496dd1945f95c47b7f7738ad03849329fcec9c464dfaeb5081f67e
  9. 47f3c8bf3329c2ef862cf12567849555b17b930c8d7c0d571f4e112dae1453b1
  10. 516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e
  11. 5d66919291b68ab8563deedf8d5575fd91460d1adfbd12dba292262a764a5c99
  12. 62049575053b432e93b176da7afcbe49387111b3a3d927b06c5b251ea82e5975
  13. 7299026b22e61b0f9765eb63e42253f7e5d6ec4657008ea60aad220bbc7e2269
  14. 7322fbc16e20a7ef2a3188638014a053c6948d9e34ecd42cb9771bdcd0f82db0
  15. 960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63
  16. 99f510990f240215e24ef4dd1d22d485bf8c79f8ef3e963c4787a8eb6bf0b9ac
  17. 9ee50e94a731872a74f47780317850ae2b9fae9d6c53a957ed7187173feb4f42
  18. bd8c1068561d366831e5712c2d58aecb21e2dbc2ae7c76102da6b00ea15e259e
  19. c6e669806594be6ab9b46434f196a61418484ba1eda3496789840bec0dff119a
  20. e309a7a942d390801e8fedc129c6e3c34e44aae3d1aced1d723bc531730b08f5
  21. f7b1aaae018d5287444990606fc43a0f2deb4ac0c7b2712cc28331781d43ae27

 

Conclusion

Raccoon Stealer sold as Malware-as-a-Service has become popular over the past few years, and several incidents of this malware have been observed. The Authors of this malware are constantly adding new features to this family of malware. This is the second major release of the malware after the first release in 2019. This shows that the malware is likely to evolve and remain a constant threat to organizations.

 

Zscaler coverage

We have ensured coverage for the payloads seen in these attacks via advanced threat signatures as well as our advanced cloud sandbox.

 

Image

Figure 27: Zscaler Sandbox Detection

 

Zscaler's multilayered cloud security platform detects indicators at various levels, as shown below:

Win32.PWS.Raccoon

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.