An updated version of the Raccoon stealer-as-a-service platform, found bundled with current malware, is hidden inside pirated software, where it collects cryptocurrency and installs a software dropper to spread additional malware, according to Threat Post.
The threat actors who used the Raccoon Stealer platform to commit various cybercrimes have expanded their services to include more tools for accessing a target's computer, along with malware that provides remote access to download data. The research shows that the malware delivered to the victim's device can include malicious browser extensions, YouTube click bots (scam bots), Djvu/Stop (ransomware aimed at home users), crypto-miners, and clippers (crypto-stealing malware).
Stealer-as-a-service platforms are typically used by novice hackers. The service allows its user to steal sensitive information such as login credentials, cookies, and other passwords that the target's browser may store. Recent research by Sophos Labs found that the platform has been modified to include new distribution networks and techniques.
The use of cracked software can compromise the entire system
Instead of the inbox-based infections used previously, Raccoon Stealer now spreads via Google Search. Sophos says that the threat actors have mastered the optimization of malicious web pages for Google search results. As part of the campaign, victims are offered software piracy tools such as cracks or keygen applications that promise to unlock licensed software.
The research describes the modus operandi of Raccoon Stealer, which usually begins with the download of an archive file. That file contains another, password-protected archive together with a text document holding the password, which is used later in the infection chain. After unpacking, the setup executable can easily bypass malware scanning because it is password protected. Opening the executable triggers the next step, which retrieves additional self-extracting installers.
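The packaging pattern described above (an outer archive holding an encrypted inner archive plus a small text note with its password) is something a mail gateway or sandbox can flag before anything is unpacked. The following triage script is an added example written for this page, not Sophos or Raccoon code; the sample archive it builds is constructed inline and only simulates the encryption flag on the inner zip, so it runs with the standard library alone.

```python
import io
import re
import zipfile

# Text notes that carry a password usually look like "Password: 1234" or "pass=1234".
PASSWORD_RE = re.compile(r"pass(word)?\s*[:=]", re.IGNORECASE)


def is_password_protected_zip(data: bytes) -> bool:
    """True if any member of the in-memory zip has the encryption flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return any(info.flag_bits & 0x1 for info in inner.infolist())
    except zipfile.BadZipFile:
        return False


def triage_archive(data: bytes) -> dict:
    """Flag an outer zip that ships an encrypted nested zip next to a password note.
    Only nested .zip files are inspected; other archive formats are ignored here."""
    findings = {"nested_encrypted_archive": [], "password_note": []}
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            name = info.filename.lower()
            if name.endswith(".zip") and is_password_protected_zip(outer.read(info)):
                findings["nested_encrypted_archive"].append(info.filename)
            elif name.endswith(".txt") and info.file_size < 4096:
                note = outer.read(info).decode("utf-8", "replace")
                if PASSWORD_RE.search(note):
                    findings["password_note"].append(info.filename)
    # The combination is the signal; either element alone is common in benign archives.
    findings["suspicious"] = bool(findings["nested_encrypted_archive"] and findings["password_note"])
    return findings


def build_sample(encrypted: bool = True) -> bytes:
    """Constructed sample, not a real dropper: an inner zip whose central-directory
    entry is marked encrypted (flag patched on the ZipInfo, no real crypto), packed
    into an outer zip together with a password note."""
    inner_buf = io.BytesIO()
    with zipfile.ZipFile(inner_buf, "w") as inner:
        inner.writestr("setup.exe", b"MZ placeholder, not an executable")
        if encrypted:
            inner.getinfo("setup.exe").flag_bits |= 0x1
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as outer:
        outer.writestr("setup.zip", inner_buf.getvalue())
        outer.writestr("password.txt", "Password: 1234\n")
    return outer_buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample()))
```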
It is estimated that more than $13,200 in Bitcoin was stolen and $2,900 was generated from the victims' devices through illegal crypto mining
The developers of the stealer have added signatures of self-extracting tools such as WinZIP SFX or 7Zip. Even though the archives cannot be extracted with those extraction tools, the malware droppers may have done this to prevent unpacking without exceptions, Sophos says.
The threat actors use Telegram and an RC4 encryption key to hide the Raccoon customer's configuration IDs. To communicate with its command-and-control (C2) server, Raccoon needs the address of the C2 gate; the C2 is a useful tool for exfiltrating browser-based data and cryptocurrency wallets. The software is obfuscated with Crypto Obfuscator and is written in Visual Basic.NET.
Sophos found that since October 2020, the second-stage payload of Raccoon Stealer has distributed 18 different malware versions. About $13,200 US worth of bitcoin was stolen from victims through the Raccoon campaign, and a further $2,900 in cryptocurrency was generated using victims' computers, Sophos believes. The estimated cost of running the illegal business is $1,250.