New Raccoon Stealer uses Google Cloud Services to evade detection

Pierluigi Paganini April 01, 2020

Researchers found a piece of Raccoon Stealer that abuse of Google Cloud Services and leverages multiple delivery techniques.

Racoon malware (aka Legion, Mohazo, and Racealer) is an info-stealer that recently appeared in the threat landscape that is advertised in hacking forums.

The malware is cheap compared to similar threats, it is able to steal sensitive data from about 60 applications, including (browsers, cryptocurrency wallets, email and FTP clients).

The Raccoon stealer was first spotted in April 2019, it was designed to steal victims’ credit card data, email credentials, cryptocurrency wallets, and other sensitive data.

Raccoon is offered for sale as a malware-as-a-service (MaaS) that implements an easy-to-use automated backend panel, operators also offer bulletproof hosting and 24/7 customer support in both Russian and English. The price of the Raccoon service is $200 per month to use.

The Raccoon stealer is written in C++ by Russian-speaking developers that initially promoted it exclusively on Russian-speaking hacking forums. The malware is now promoted on English-speeaking hacking forums, it works on both 32-bit and 64-bit operating systems.


According to an analysis of the logs for sale in the underground community dated February 2020, Raccoon infected over 100,000 users worldwide at the time of its discovery.

The list of targeted applications includes cryptocurrency apps for major currencies (Electrum, Ethereum, Exodus, Jaxx, and Monero), popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Opera, Vivaldi, Waterfox, SeaMonkey, UC Browser) and email client like Thunderbird, Outlook, and Foxmail.

The service is offered at a price that ranged from US$75 per week to $200 per month.

The malware is currently distributed via exploit kits, phishing campaigns, and bundled with other malware. The campaign analyzed by Trend Micro used the exploit kits Fallout and Rig, its characteristic was the use of Google Drive to evade detection.

“Once the Raccoon malware infects a machine, it connects to a Google Drive URL to decrypt the actual C&C server. The format of the URL is hxxp://{IP}/gate/log.php, which logs the computer configuration information. Then, it will receive a JSON-formatted file containing the location dependencies. Next, it will connect to URL hxxp://{IP}/file_handler/file.php for data exfiltration.” reads the analysis published by Trend Micro. “Finally, it downloads FoxMail-like components from /gate/ and a SQLite library for parsing the browser database from hxxp://{IP}/gate/sqlite3.dll.”

The researchers identified 67 IP addresses used as C2 servers, many of them associated with Google Cloud Services (i.e. 176[.]223[.]143[.]5).

The malware was distributed also via malspam emails, the messages used an attachment that drops the Raccoon malware (TrojanSpy.Win32.RACEALER.M) and their content claimed that the recipient’s friend had their email hacked. The messages attempt to blackmail the recipient demanding money in exchange for the stolen sensitive information they claim to have stolen.

Since April 2019, experts already detected more than 100,000 raccoon related events, with a peak in detections in July 2019. Experts identified over 3,000 unique binary samples of the Raccoon “Racestealer” stealer since the second quarter of 2019, they pointed out that operators behind the MaaS continue to release new versions of the malware.

The most affected countries were India and Japan, along with the US, Colombia, Canada, Mexico, Bolivia, and Peru.

“The current activity of the Raccoon malware seems to indicate that its development and use by threat actors will continue. The next best move for its creators would likely be to improve and fix some of its bugs, and then add new techniques to its relatively basic repertoire.” concludes Trend Micro.

“As creators work on developing Raccoon further, threat actors who have bought its services could be planning or deploying attacks using the version currently available in the underground market. Organizations should remain wary of the Raccoon malware and prepare defenses that take cues from the multiple deployment methods Raccoon has been known to employ.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Raccoon, malware)

[adrotate banner=”5″]

[ banner=”13″]

you might also like

leave a comment