threatpost.com
35.173.160.135  Public Scan

URL: https://threatpost.com/raccoon-stealer-telegram/178881/
Submission: On March 17 via api from AU — Scanned from DE



RACCOON STEALER CRAWLS INTO TELEGRAM

Author: Elizabeth Montalbano
March 11, 2022 10:03 am
3:30 minute read

The credential-stealing trash panda is using the chat app to store and update C2
addresses as crooks find creative new ways to distribute the malware.

A credential stealer that first rose to popularity a couple of years ago is now
abusing Telegram for command-and-control (C2). A range of cybercriminals
continue to widen its attack surface through creative distribution means like
this, researchers have reported.

Raccoon Stealer, which first appeared on the scene in April 2019, has added the
ability to store and update its own actual C2 addresses on Telegram’s
infrastructure, according to a blog post published by Avast Threat Labs this
week. This gives its operators a “convenient and reliable” command center on the
platform that they can update on the fly, researchers said.

The malware – believed to be developed and maintained by Russia-affiliated
cybercriminals – is at its core a credential stealer but is capable of a range
of nefarious activity. It can steal not only passwords but also cookies, saved
logins and forms data from browsers, login credentials from email clients and
messengers, files from crypto wallets, data from browser plugins and extensions,
and arbitrary files, based on commands from its C2.



“In addition, it’s able to download and execute arbitrary files by command from
its C2,” Avast Threat Labs researcher Vladimir Martyanov wrote in the post.
This, in combination with active development and promotion on underground
forums, makes Raccoon Stealer “prevalent and dangerous,” he said.

Upon its release in 2019, cybercriminals quickly adopted the malware because of
its user-friendly malware-as-a-service (MaaS) model, which has given them a
quick and easy way to make money by stealing sensitive data.


CREATIVE DISTRIBUTION

Early on, attackers were seen delivering Raccoon Stealer via an .IMG file hosted
on a hacker-controlled Dropbox account in business email compromise (BEC)
campaigns that targeted financial institutions and other organizations.

More recently, Avast Threat Labs researchers observed a number of new and
creative ways attackers are distributing Raccoon Stealer, Martyanov said.

“Taking into account that Raccoon Stealer is for sale, its distribution
techniques are limited only by the imagination of the end buyers,” he wrote.

In addition to being spread by two loaders – Buer Loader and GCleaner –
attackers also are distributing Raccoon Stealer via fake game cheats, patches
for cracked software – including hacks and mods for Fortnite, Valorant and
NBA2K22 – or other software, Martyanov wrote.

Cybercriminals also are taking care to try to evade detection by packing the
credential stealer, using Themida or malware packers, with some samples observed
being packed more than five times in a row with the same packer, he added.


ABUSING C2 IN TELEGRAM

The report detailed how the latest version of Raccoon Stealer communicates with
C2 within Telegram: There are four “crucial” values for its C2 communication,
which are hardcoded in every Raccoon Stealer sample, according to the post. They
are:

 * MAIN_KEY, which has been changed four times during the year;
 * URLs of Telegram gates with a channel name;
 * BotID, a hexadecimal string, sent to the C2 every time; and
 * TELEGRAM_KEY, a key to decrypt the C2 address obtained from Telegram Gate.

To hijack Telegram for its C2, the malware first decrypts MAIN_KEY, which it
uses to decrypt the Telegram gate URLs and BotID. The stealer then uses the
Telegram gate to reach its real C2 through a string of queries that ultimately
let it use the Telegram infrastructure to store and update the actual C2
addresses, Martyanov wrote.

By downloading and executing arbitrary files from a command from C2, the stealer
also is able to distribute malware. Avast Threat Labs collected about 185 files,
with a total size of 265 megabytes – including downloaders, clipboard crypto
stealers and the WhiteBlackCrypt ransomware – that were being distributed by
Raccoon Stealer.


AVOIDING RUSSIAN ENTITIES

Once executed, Raccoon Stealer starts checking for the default user locale set
on the infected device and won’t work if it’s one of the following: Russian,
Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik or Uzbek. This is likely
because the developers themselves are Russian, researchers believe.

However, Avast Threat Labs found that in recent activity, “the country where we
have blocked the most attempts is Russia, which is interesting because the
actors behind the malware don’t want to infect computers in Russia or Central
Asia,” Martyanov wrote.

This could be because “the attacks spray and pray, distributing the malware
around the world,” he noted. The malware doesn’t check for the location of the
user until it actually reaches a device; if it finds that the device is located
in a region developers don’t want to target, it won’t run.

“This explains why we detected so many attack attempts in Russia; we block the
malware before it can run, i.e. before it can even get to the stage where it
checks for the device’s locale,” Martyanov wrote. “If an unprotected device that
comes across the malware with its locale set to English or any other language
that is not on the exception list but is in Russia, it would still become
infected.”


 * Malware
 * Web Security
