Raccoon Stealer Malware Threat Intel Advisory

Raccoon Stealer, first seen in 2019, is still an active threat that targets users’ sensitive data, including login credentials.
Updated on: April 19, 2023
Published on: May 10, 2021
Advisory Type: Malware Intelligence
Malware Name: Raccoon
Malware Aliases: Mohazo, RaccoonStealer, Racealer
Malware Type: Infostealer
Affected OS: Windows

Executive Summary

Raccoon Stealer is a Malware-as-a-Service (MaaS) offering that first appeared in 2019 and is still an active threat. Raccoon is advertised widely on hacking forums at a low price, which makes it easily accessible to a large number of threat actors. The stealer mainly targets users’ sensitive data, including login credentials, credit card information, cryptocurrency wallets, and browser data such as cookies, history and autofill entries. Raccoon Stealer operators deliver the malware through malicious documents attached to phishing emails or through exploit kits used in malvertising.

Technical Details

Raccoon Stealer operators abuse ad networks, inserting covert redirects to malicious pages that host exploit kits, which in turn download the malware. They also deliver it through macro-laced files attached to phishing emails; when the macro runs, it downloads and executes the malware. Once running on the system, Raccoon enumerates the applications that store credentials, dumps the sensitive data from them into a zip archive, and sends that archive to the attacker’s C2 server. CloudSEK Threat Intel Researchers have discovered an ongoing Raccoon Stealer campaign on underground dark web forums, where threat actors advertise and sell data stolen with the help of this malware.

Impact

Technical Impact
The malware is capable of:
  • Identifying applications, including web browsers, that store credentials, and dumping users’ sensitive data from them.
  • Sending the stolen data back to the attacker’s C2 server.
  • Stealing login credentials that enable further targeted attacks.
Business Impact
  • Theft of victims’ sensitive data, including financial credentials.
  • Privacy violation.

Mitigation

  • Install the latest security patches and updates.
  • Use up-to-date antivirus, prevention and detection software.
  • Activate 2FA on personal and business user accounts.
  • Avoid clicking on ads hosted on web pages.
  • Raise user awareness of phishing campaigns.

Tactics, Techniques, and Procedures

Tactic              Technique
Execution           T1059 Command and Scripting Interpreter
Execution           T1129 Shared Modules
Execution           T1204 User Execution
Defense Evasion     T1070.004 File Deletion
Defense Evasion     T1218.011 Rundll32
Defense Evasion     T1553.004 Install Root Certificate
Credential Access   T1003 OS Credential Dumping
Credential Access   T1552.001 Credentials In Files
Collection          T1114 Email Collection
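As an added example (not CloudSEK’s code and not part of the original advisory), the following Python flags process-creation events that match the delivery chain described under Technical Details and the Execution and Defense Evasion techniques listed in the table above. The event field names, sample paths and PIDs are constructed to resemble Sysmon Event ID 1 records and are assumptions; adapt them to your SIEM’s schema.

```python
import ntpath

# Indicator sets derived from the TTP table above; the field names, sample
# paths and PIDs used below are constructed and not taken from the advisory.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _base(path):
    """Lower-case file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the technique labels one process-creation event matches."""
    parent, child = _base(event["parent_image"]), _base(event["image"])
    cmdline = event.get("command_line", "").lower()
    hits = []
    # T1204 + T1059: a macro-laced document spawning a script interpreter
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("T1204/T1059 office_spawns_script_host")
    # T1204 + T1218.011: the document handing off to rundll32 directly
    if parent in OFFICE_APPS and child == "rundll32.exe":
        hits.append("T1204/T1218.011 office_spawns_rundll32")
    # T1218.011: rundll32 loading a DLL from a user-writable location
    if child == "rundll32.exe" and any(p in cmdline for p in USER_WRITABLE):
        hits.append("T1218.011 rundll32_user_writable_dll")
    # T1070.004: a shell removing a dropped file from a user-writable location
    if child == "cmd.exe" and " del " in cmdline and any(p in cmdline for p in USER_WRITABLE):
        hits.append("T1070.004 shell_deletes_user_writable_file")
    return hits


def detect(events):
    """Map pid -> matched techniques for every event with at least one match."""
    return {e["pid"]: hits for e in events if (hits := classify(e))}


# Constructed sample events shaped like Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -f C:\Users\alice\AppData\Local\Temp\stage.ps1"},
    {"pid": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "command_line": "chrome.exe"},
    {"pid": 3, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,Start"},
    {"pid": 4, "parent_image": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c del /q C:\Users\alice\AppData\Local\Temp\loader.dll"},
]
```

Running `detect(SAMPLE_EVENTS)` flags PIDs 1, 3 and 4 and leaves the benign browser launch (PID 2) alone; each match carries the technique ID so it can be mapped straight back to the table.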

Indicators of Compromise
