Racoon Stealer Leverages Telegram for C2

-

Introduction

Raccoon Stealer is a fairly new tool that is able to extract passwords, browser cookies, email credentials, plugin/extension data, and crypto wallet files. The malware can download and execute arbitrary files through command-and-control and has become a very popular tool of choice as of late.

According to Avast, Raccoon Stealer has been observed being distributed through downloaders like GCleaner and Buer Loader since 2019, and has seen multiple updates since original release.

In the recent research paper provided by the Avast team, analysts point out that their samples of the malware appeared to be distributed in the form of game cheats, patches, game mods, or other popular software. Raccoon Stealer can be used by anyone who buys it so the scope of delivery themes is endless.

Technical Analysis (Shortened)

Raccoon Stealer is written in C/C++ via Visual Studio. The malware does several checks on an infected machine before executing the main payload. Once of these checks includes determining the locale of the victim. If the machine uses the following locale set, the malware will not work:

  • Russia
  • Ukrainian
  • Belarusian
  • Kazakh
  • Kyrgyz
  • Armenian
  • Tajik
  • Uzbek

As for C2 communications, the stealer has four critical values hardcoded into every sample analyzed.


First, the MAIN_KEY is decrypted. The Telegram Gate URLs are decoded and decrypted and stored as a value in the sample. Through Base64 decoding and then RC4 decrypting the binary data using MAIN_KEY, the Telegram Gates are uncovered in plaintext.


The Raccoon Stealer requests a Telegram Gate, which will return a webpage containing a channel name and a status in Base64. The Avast team notes in their research that the prefix is always five characters long and the postfix is always six characters long. They are removed and it becomes another Base64 to decode. This, will result in an encrypted C2 URL.



The stealer uses the TELEGRAM_KEY (a string) as an RC4 key to decrypt the C2 URL. In this example, the C2 decrypted to the following (sanitized): hxxp://91.219.236[.]18/

A query is made by the malware with PC information and the BotID. The string is RC4 encrypted using a MAIN_KEY and Base64 encoding.

The C2 receives a POST request containing the data and sends back a Base64 and MAIN_KEY encrypted response signaling that the Telegram infrastructure is the core components of storing C2 addresses.

Additional information regarding the prevalence of Raccoon Stealer and Avast's conclusion can be read here.


Comments

Post a Comment

Popular posts from this blog

-
Image
ESET's APT Activity Report Q4 2023-Q1 2024 summarizes observations of various advanced persistent threat (APT) groups documented by ESET researchers between October 2023 and March 2024. Their observations highlight the broader threat landscape investigated during this period of time and details trends, developments and tooling used by these threat actors. The public report proclaims to contain a fraction of what private ESET customers receive. China Chinese-aligned cyber espionage groups have traditionally targeted public facing applications for obtaining initial access on a target network. In many campaigns investigated by ESET and others, the groups leveraged one-day vulnerabilities against a range of appliances and software including VPNs, firewalls, Confluence, Exchange, and others. See ESETs report linked below for their detailed analysis on Chinese threat activity.  Middle East According to ESET's research, a potentially Iranian-aligned threat group BladedFeline continued...
Read more

Russian GRU Unit 29155 recent operations

-
Image
Background Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia's asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations. Figure 1 WANTED: GRU Unit 29155 [1] Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage. Primary TTPs Espionage and Data Theft Unit 29155 conducts extensive espionage ca...
Read more
-
Image
Microsoft recently released their findings after a lengthy investigation into activity conducted by the Russian state-sponsored APT28 group using a unique tool for privilege escalation and credential harvesting on victim networks. Microsoft refers to the custom tool as GooseEgg and claim that the group has been observed leveraging this tool since at least June 2020. GooseEgg The custom toolset leverages CVE-2023-38208 in the Windows Print Spooler service which changes a JavaScript constraints file and executes it with SYSTEM permissions. Based on their findings, Microsoft believes GooseEgg is deployed after initial access to elevate access to targeted systems with the end goal of harvesting credentials and data. Unsurprisingly, targeting includes Ukrainian, Western European and North American entities across several sectors including government, non-government, education and transportation. After initial access of victim device, researchers observed APT28 deploying GooseEgg to escalate...
Read more