Pierluigi Paganini November 25, 2019

Crooks behind the Raccoon Stealer have adopted a simple and effective technique to circumvent popular anti-spam messaging gateways.

Cybercriminals behind the Raccoon Stealer have adopted a simple and effective technique to circumvent Microsoft and Symantec anti-spam messaging gateways.

The Raccoon stealer was first spotted in April, it was designed to steal victims’ credit card data, email credentials, cryptocurrency wallets, and other sensitive data.

Raccoon is offered for sale as a malware-as-a-service (MaaS) that implements an easy-to-use automated backend panel, operators also offer bulletproof hosting and 24/7 customer support in both Russian and English. The price of the Raccoon service is $200 per month to use.

The Raccoon stealer is written in C++ by Russian-speaking developers that initially promoted it exclusively on Russian-speaking hacking forums. The malware is now promoted on English-speeaking hacking forums, it works on both 32-bit and 64-bit operating systems.

The analysis of the logs for sale in the underground community allowed the experts to estimate that Raccoon infected over 100,000 users worldwide at the time of its discovery.

Researchers at Cofense recently observed attackers using this technique in a wave of business email compromise (BEC) attacks.

Threat actors are hiding the malware inside an .IMG file hosted on a Dropbox account under their control.

“Threat actors continue to exploit legitimate services to trick users, as seen in the latest campaign using Raccoon Stealer malware, aimed at a financial organization and delivered by a Dropbox-hosted .IMG file.” reads the analysis published by Cofense. “Users of the malware can distribute it in any way they deem fit. In this campaign, the actors chose to host the malicious .IMG file on a Dropbox share, which upon execution, drops Raccoon Stealer onto the victim machine.”

The attackers delivered a phishing email to the inbox of an employee of a financial institution, the message was using a theme of a wire transfer to trick victims into opening the Dropbox URL and downloading the malicious file.

According to Cofense, in the most recent campaign, the message was sent by a compromised email account and passed Symantec Email Security and Microsoft EOP gateways. Experts pointed out that the URL in the message was not removed or tampered with to the extent that it would prevent victims from clicking on it and downloading the payload.

Unlike past attacks, in the last campaign, attackers attempted to exploit the Microsoft Office remote code execution vulnerability (CVE-2017-8570).

Once the malware has infected the system, it will contact the C&C sending an HTTP POST that includes the “bot ID” and “configuration ID”. In turn, the C2 location responds with a JSON object explicitly including C2 data and payload locations for libraries and additional files.

“The payload URLs currently deliver a set of DLLs, as specified by the “attachment url” and “libraries” parameters, but future development could easily allow threat actors to use Racoon Stealer as a loader for other malware to generate additional income.” concludes Cofense.

“Given the variety of delivery options, Racoon Stealer could be a problem for organizations that focus too much on one infection vector.”

Pierluigi Paganini

(SecurityAffairs – Raccoon stealer, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]