URL: https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/
RACCOON STEALER: “TRASH PANDA” ABUSES TELEGRAM

by Vladimir Martyanov, March 9, 2022, 7 min read

We recently came across a stealer called Raccoon Stealer, a name given to it by
its author. Raccoon Stealer uses the Telegram infrastructure to store and update
its current C&C addresses.

Raccoon Stealer is a password stealer capable of stealing not just passwords,
but various types of data, including:

 * Cookies, saved logins and forms data from browsers
 * Login credentials from email clients and messengers
 * Files from crypto wallets
 * Data from browser plugins and extensions
 * Arbitrary files based on commands from C&C

In addition, it’s able to download and execute arbitrary files by command from
its C&C. In combination with active development and promotion on underground
forums, Raccoon Stealer is prevalent and dangerous.

The oldest samples of Raccoon Stealer we’ve seen have timestamps from the end of
April 2019. Its authors have stated the same month as the start of selling the
malware on underground forums. Since then, it has been updated many times.
According to its authors, they fixed bugs, added features, and more.


DISTRIBUTION

We’ve seen Raccoon distributed via downloaders: Buer Loader and GCleaner.
According to some samples, we believe it is also being distributed in the form
of fake game cheats, patches for cracked software (including hacks and mods for
Fortnite, Valorant, and NBA2K22), or other software. Taking into account that
Raccoon Stealer is for sale, its distribution techniques are limited only by
the imagination of the end buyers. Some samples are spread unpacked, while some
are protected using Themida or malware packers. Worth noting is that some
samples were packed more than five times in a row with the same packer!


TECHNICAL DETAILS

Raccoon Stealer is written in C/C++ and built using Visual Studio. Samples have
a size of about 580-600 kB. The code quality is below average: some strings are
encrypted, some are not.

Once executed, Raccoon Stealer starts by checking the default user locale set on
the infected device and won’t work if it’s one of the following:

 * Russian
 * Ukrainian
 * Belarusian
 * Kazakh
 * Kyrgyz
 * Armenian
 * Tajik
 * Uzbek


C&C COMMUNICATIONS

The most interesting thing about this stealer is its communication with C&Cs.
There are four values crucial for its C&C communication, which are hardcoded in
every Raccoon Stealer sample:

 * MAIN_KEY – this value has been changed four times during the year.
 * URLs of Telegram gates with the channel name. Gates are used so the sample
   does not have to implement the complicated Telegram protocol or store any
   credentials inside itself.
 * BotID – a hexadecimal string sent to the C&C with every request.
 * TELEGRAM_KEY – the key used to decrypt the C&C address obtained from the
   Telegram Gate.

Let’s look at an example to see how it works. The sample
447c03cc63a420c07875132d35ef027adec98e7bd446cf4f7c9d45b6af40ea2b unpacks to
f1cfcce14739887cc7c082d44316e955841e4559ba62415e1d2c9ed57d0c6232:

 1. First of all, MAIN_KEY is decrypted. See the decryption code in the image
    below:



In this example, the MAIN_KEY is jY1aN3zZ2j. This key is used to decrypt
Telegram Gates URLs and BotID.

 2. Next, the Telegram Gate URLs are decoded and decrypted. They are stored in
    the sample as:
    Rf66cjXWSDBo1vlrnxFnlmWs5Hi29V1kU8o8g8VtcKby7dXlgh1EIweq4Q9e3PZJl3bZKVJok2GgpA90j35LVd34QAiXtpeV2UZQS5VrcO7UWo0E1JOzwI0Zqrdk9jzEGQIEzdvSl5HWSzlFRuIjBmOLmgH/V84PCRFevc40ZuTAZUq+q1JywL+G/1xzXQdYZiKWea8ODgaN+4B8cT3AqbHmY5+6MHEBWTqTsITPAxKdPMu3dC9nwdBF3nlvmX4/q/gSPflYF7aIU1wFhZxViWq2
    After decoding Base64 it has this form:
    



Decrypting this binary data with RC4 using MAIN_KEY gives us a string with
Telegram Gates:


 3. The stealer has to get its real C&C. To do so, it requests a Telegram Gate,
    which returns an HTML page:
    



Here you can see a Telegram channel name and its status in Base64:
e74b2mD/ry6GYdwNuXl10SYoVBR7/tFgp2f-v32
The prefix (always five characters) and postfix (always six characters) are
removed, leaving mD/ry6GYdwNuXl10SYoVBR7/tFgp. This Base64 string is then
decoded to obtain the encrypted C&C URL:



The TELEGRAM_KEY in this sample is the string 739b4887457d3ffa7b811ce0d03315ce,
and Raccoon uses it as the key for RC4 to finally decrypt the C&C URL:
http://91.219.236[.]18/

 4. Raccoon builds a query string with PC information (the machine GUID and
    user name) and the BotID.
 5. The query string is encrypted with RC4 using MAIN_KEY and then encoded with
    Base64.
 6. This data is sent to the C&C using POST. The response is Base64-encoded and
    encrypted with MAIN_KEY; it is actually a JSON document with many
    parameters, and it looks like this:



Thus, the Telegram infrastructure is used to store and update the current C&C
addresses. It looks quite convenient and reliable, until Telegram decides to
take action.
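As an added example that is not part of the original post (and not Raccoon's own code), the decoding chain from steps 2 to 6 in Python: plain RC4 plus Base64, the prefix/postfix stripping of the Telegram channel status, and the MAIN_KEY encoding used for the check-in query string. The TELEGRAM_KEY and the status string are the ones quoted above; the round-trip helper make_gate_status, the TEST-NET URL and the key "constructed-key" are constructed for the demonstration.

```python
import base64
from urllib.parse import urlsplit

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def encrypt_config_string(text: str, main_key: str) -> str:
    """Step 5: RC4 with MAIN_KEY, then Base64 (the check-in query string format)."""
    return base64.b64encode(rc4(main_key.encode(), text.encode())).decode()

def decrypt_config_string(b64_blob: str, main_key: str) -> str:
    """Reverse of the above: used for the gate URL list, the BotID and the C&C JSON reply."""
    return rc4(main_key.encode(), base64.b64decode(b64_blob)).decode("latin-1")

def decrypt_gate_status(status: str, telegram_key: str) -> str:
    """Step 3: drop the 5-char prefix and 6-char postfix of the channel status,
    then Base64-decode and RC4-decrypt with TELEGRAM_KEY to recover the C&C URL."""
    inner = status[5:-6]
    inner += "=" * (-len(inner) % 4)  # re-add Base64 padding in case it was omitted
    return rc4(telegram_key.encode(), base64.b64decode(inner)).decode("latin-1")

def make_gate_status(url: str, telegram_key: str) -> str:
    """Constructed inverse of decrypt_gate_status; filler prefix/postfix as on the gate page."""
    body = base64.b64encode(rc4(telegram_key.encode(), url.encode())).decode()
    return "e74b2" + body + "2f-v32"

def defang(url: str) -> str:
    """Bracket the dots in the host so the recovered URL is safe to paste into a report."""
    host = urlsplit(url).netloc
    return url.replace(host, host.replace(".", "[.]"), 1)

if __name__ == "__main__":
    key, status = "739b4887457d3ffa7b811ce0d03315ce", "e74b2mD/ry6GYdwNuXl10SYoVBR7/tFgp2f-v32"
    print(defang(decrypt_gate_status(status, key)))  # the post reports http://91.219.236[.]18/
    demo = make_gate_status("http://203.0.113.5/", "constructed-key")  # TEST-NET URL, made-up key
    print(demo, "->", defang(decrypt_gate_status(demo, "constructed-key")))
```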


ANALYSIS


THE PEOPLE BEHIND RACCOON STEALER

Based on our analysis of seller messages on underground forums, we can deduce
some information about the people behind the malware. Raccoon Stealer was
developed by a team, and some (or maybe all) members of the team are native
Russian speakers. Messages on the forum are written in Russian, and we assume
the authors are from former USSR countries because they try to prevent the
Stealer from targeting users in these countries.

Possible names or nicknames of group members can be inferred from artifacts
found in the samples:

 * C:\Users\a13xuiop1337\
 * C:\Users\David\ 


PREVALENCE

Raccoon Stealer is quite prevalent: from March 3, 2021 to February 17, 2022, our
systems detected more than 25,000 Raccoon-related samples. We identified more
than 1,300 distinct configs during that period.


The map below shows the number of systems Avast protected from Raccoon Stealer
from March 3, 2021 to February 17, 2022. In this time frame, Avast blocked
nearly 600,000 Raccoon Stealer attacks.



The country where we have blocked the most attempts is Russia, which is
interesting because the actors behind the malware don’t want to infect computers
in Russia or Central Asia. We believe the attacks are “spray and pray”,
distributing the malware around the world. It’s not until it makes it onto a
system that it begins checking for the default locale; if it is one of the
languages listed above, it won’t run. This explains why we detected so many
attack attempts in Russia: we block the malware before it can run, i.e. before
it can even get to the stage where it checks for the device’s locale. An
unprotected device in Russia whose locale is set to English or any other
language not on the exception list would still become infected.

Screenshot with claims about not working with CIS


TELEGRAM CHANNELS

From the more than 1,300 distinct configs we extracted, 429 of them are unique
Telegram channels. Some of them were used only in a single config, others were
used dozens of times. The most used channels were:

 * jdiamond13 – 122 times
 * jjbadb0y – 44 times
 * nixsmasterbaks2 – 31 times
 * hellobyegain – 25 times
 * h_smurf1kman_1  – 24 times

Thus, the five most used channels were found in about 19% of configs.


MALWARE DISTRIBUTED BY RACCOON

As previously mentioned, Raccoon Stealer is able to download and execute
arbitrary files on command from the C&C. We managed to collect some of these
files: 185 files with a total size of 265 Mb. Some of the groups are:

 * Downloaders – used to download and execute other files
 * Clipboard crypto stealers – change crypto wallet addresses in the clipboard –
   very popular (more than 10%)
 * WhiteBlackCrypt Ransomware


SERVERS USED TO DOWNLOAD THIS SOFTWARE

We extracted the unique links to other malware from Raccoon configs received
from C&Cs: 196 unique URLs in total. Some analysis results:

 * 43% of the URLs have the HTTP scheme, 57% HTTPS.
 * 83 domain names were used.
 * About 20% of the malware was hosted on the Discord CDN.
 * About 10% was served from aun3xk17k[.]space.


CONCLUSION

We will continue to monitor Raccoon Stealer’s activity, keeping an eye on new
C&Cs, Telegram channels, and downloaded samples. We predict it may be used more
widely by other cybercrime groups. We assume the group behind Raccoon Stealer
will continue to develop new features, for example support for stealing data
from additional software, as well as ways to bypass the protections that
software has in place.


IOC

447c03cc63a420c07875132d35ef027adec98e7bd446cf4f7c9d45b6af40ea2b
f1cfcce14739887cc7c082d44316e955841e4559ba62415e1d2c9ed57d0c6232

