Raccoon Stealer Malware Threat Intel Advisory

Advisory Type	Malware Intelligence
Malware Name	Raccoon
Malware Aliases	Mohazo, RaccoonStealer, Racealer
Malware Type	Infostealer
Affected OS	Windows

Executive Summary

Raccoon Stealer is a MaaS (Malware as a Service) that appeared in 2019 for the first time and is still an ongoing threat. Raccoon is advertised widely on hacking forums for a cheap price which makes it easily accessible for a lot of threat actors. Raccoon stealers mainly target users’ sensitive data including login credentials, credit card information, cryptocurrency wallets, and browser information including cookies, history and autofill. Raccoon stealer operators deliver their malware through malicious documents attached to phishing emails or through exploit kits used for malvertising.

Technical Details

The operators of the Raccoon stealer abuse ad networks, adding sneaky redirects to malicious pages. These pages are laced with exploit kits which then download the malware. Threat actors may also leverage malicious files attached to phishing emails, embedded with macros. This, in turn, downloads and executes the malware. Once the Raccoon stealer is injected into the system it targets all the applications that contain credentials. It dumps the credentials in a zip file and sends the zip file back to the C2 server of the attacker. CloudSEK Threat Intel Researchers have discovered an ongoing Raccoon stealer campaign on underground dark web forums. Threat actors are seen advertising and selling data stolen with the help of this malware.

Impact

Technical Impact

The malware is capable of:

Identifying applications including web browsers that use credentials. It dumps user sensitive data from these applications.
Sending stolen data back to the attacker’s C2 server.
Steal login credentials leading to other forms of targeted attacks.

Business Impact

It steals victims’ sensitive data including financial credentials
Privacy violation

Mitigation

Install the latest security patches and updates.
Use the latest AV, prevention and detection software.
Activate 2FA on personal/ business user accounts.
Avoid clicking on ads hosted on web pages.
Raise awareness against phishing campaigns.

Tactics, Techniques, and Procedures

Tactics	Techniques
Execution	T1059	Command and Scripting Interpreter
	T1129	Shared Modules
	T1204	User Execution
Defense Evasion	T1070.004	File Deletion
	T1218.011	Rundll32
	T1553.004	Install Root Certificate
Credential Access	T1003	OS Credential Dumping
Credential Access	T1552.001	Credentials In Files
Collection	T1114	Email Collection

Indicators of Compromise

IP	81.2.253.71	82.118.22.118
	172.67.158.196	80.92.206.44
	45.128.184.198	74.119.195.101
	35.224.232.32	185.212.131.90
	185.102.136.27	185.212.131.90
	176.103.59.173	195.54.33.200
	185.183.162.147	66.248.206.71
	104.21.66.99	185.234.247.219
	35.246.139.134	74.119.195.168
	35.228.60.103	74.119.195.166
Hashes	546352389C393711D61EAB54E5D32B1BDD39C194FAE82249B8A3F721A45B452C
	5A2F2C14AE6FF0C58E2C7B04B53BAA83801B069479AF2E5605A012A110883742
	0A7DAC9478C1DBFE7A2A5345DC63F5ACC0FF956267FAA2FB3B6E93AA2F997709
	46C0FCED58C4190739FDB56A3914BCC7B8BF9A2FD8A1AD480FFFA4D05C5A620D
	2D552CAC3366827F794ADB7C3FA2EBA9CF57F070521FF1C4617FECD392CC323C
	2674B15B19357C51AFAC8B261DF00D8AFBFD2900CD5B85BFDA6BFE19CA5940BF
	13D89DE097DBBF41822ED9D024E53B8C934CD724C77AB9CFAEEFF29FD98E6F5F
	CB6AE4487A5D4A80E647C196C959E566611F3D3DDD82FC76CED53B6D65808ECE
	93AB396A426FFE98AC981EC07FF9C9F11FDCDE3EBEB5E32EFE4C759CE736D623
	8A30A82A4D427E94798EC8AFFCA55917E64ABEA99BADB29A9973FE2CDED18864
	A8FB61732F9696D24E02DDA47D2F12ABE0D8968E130F05D2381BB7B5A93F3EC0
	F4A7499D4C315EE89F4F2B8BC48247DBA1B1BE8ECA6CFFA12D32479B03A7CABB
	30C4E638FC8774DAC873B3B30519DD0B72C08C430AB1F4591333028143BDCA4E
	6041E41669928BE868B47F727C361E53A557D8CC22F1B206534D639576A49B6F
	7632419CCBA76C97AC9E15925625D88E18FE4EFEFAF5A04E3182A6048338F301
	F3A4A8572488CC3B5386DE0D772753A01B1D5C0C9D06FE4979B60215E01C32E0
	006336EAD3C68F4E044856E474975C579BE1D2BB53241E1B1E1E95D3DD26CD67
	2AD9F7F159286D1B07D913E0172E5CDCB8694F2F69A71F49118F1B9011CB6366
	AA96CC429166B7A0533CEDD7B414A0DF9E6B0AD764B3236BA90CABB8E33CB80B
	80451018368FBB41A25777930382B1A1A39D985F4436D030B6C77BA194AE0DDD
Domains	majul.com
	elx01.knas.systems
	192-168-100-87.abcdefghijklmnopqrstuvwxyz012345.plex.direct
	booking.msg.bluhotels.com
	booking.msg.bluhotels.com
	isns.net
	xsharenode.com
	stockme.top
	krupskaya.com
	m-onetrading-jp.com
	thuocnam.tk
	qxq.ddns.net
	p3.adhitzads.com
	attentionmagnet.top
	gimmegimmejimmy.top
	lodddd01.info
	nemty10.hk
	whatsthescore.top
	mindbreaker.top
	bussinesfroms.ru.com

Advisory Type

Malware Name

Malware Aliases

Malware Type

Affected OS

Tactics

Techniques

Execution

Defense Evasion

Credential Access

Collection

IP

Hashes

Domains

SwiftSlicer: a Malware Developed During Russia-Ukraine War

Analysis of Faust Ransomware, a Variant of the Phobos Ransomware Family