The Hacker News
Nov 02, 2022 - 11:28 a.m.

Inside Raccoon Stealer V2


Raccoon Stealer is back in the news again. US officials arrested Mark Sokolovsky, one of the malware actors behind this program. In July 2022, after several months of shutdown, Raccoon Stealer V2 went viral. Last week, the Department of Justice’s press release stated that the malware had collected 50 million credentials.

This article gives a quick guide to the latest version of the info stealer.

What is Raccoon infostealer V2?

Raccoon Stealer is malware that steals various kinds of data from an infected computer. It is fairly basic malware, but its operators made Raccoon popular through good customer service and a simple, easy-to-navigate panel.

In 2019, Raccoon infostealer was one of the most discussed malware families. For $75 per week or $200 per month, cybercriminals sold this simple but versatile info stealer as Malware-as-a-Service (MaaS). The malware was used successfully against a large number of systems. In March 2022, however, its authors ceased operations.

An updated version of the malware was released in July 2022. Raccoon Stealer V2 quickly went viral and picked up a new name, RecordBreaker.

Raccoon v2’s tactics & techniques in ANY.RUN Sandbox

How to analyze Raccoon stealer V2

Execution process | What Raccoon malware does
---|---
Downloads WinAPI libraries | Uses kernel32.dll!LoadLibraryW
Gets WinAPI functions’ addresses | Uses kernel32.dll!GetProcAddress
Strings and C2 servers encryption | Encrypts with the RC4 or XOR algorithm; there may also be no encryption at all, or a combination of these options
Crash triggers | CIS countries locale, mutex
System/LocalSystem level privilege check | Uses Advapi32.dll!GetTokenInformation and Advapi32.dll!ConvertSidToStringSidW, comparing the StringSid with L"S-1-5-18"
Process enumeration | Uses the TlHelp32 API (kernel32.dll!CreateToolhelp32Snapshot to capture processes, then kernel32.dll!Process32First / kernel32.dll!Process32Next)
Connecting to C2 servers | Creates the string machineId={machineguid}\|{username}&configId={rc4_c2_key}, then sends it in a POST request
User and system data collection | OS bitness; information about RAM and CPU; applications installed in the system; cookies; autofill data; autofill form data
Sending of collected data | POST requests to the C2
Getting an answer from the C2 | The C2 responds with “received”
Finishing operations | Takes screenshot(s), releases the remaining allocated resources, unloads the libraries, and finishes its work

We have triaged multiple Raccoon Stealer V2 samples, collected their typical behaviors, and briefly described the execution process above.

Read our deeper and more detailed Raccoon Stealer 2.0 malware analysis. In that article you can follow every step and get a complete picture of the info stealer’s behavior. Besides this in-depth research, you get a chance to extract the malware configuration yourself: copy the Python script for Raccoon Stealer and unpack memory dumps to extract the C&C servers and keys.
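As an added example, not ANY.RUN’s script or code from the original article: the two string-obfuscation routines the table names (RC4 and repeating-key XOR), a parser for the first-contact POST body layout, and a constructed RC4 key, C2 string and beacon (placeholder values, not real indicators) showing how an extractor recovers the C2 address and beacon fields once the key is known.

```python
import re
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_decode(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, the other string-obfuscation option named in the table."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# First-contact body layout from the table: machineId={machineguid}|{username}&configId={rc4_c2_key}
BEACON_RE = re.compile(r"^machineId=(?P<machineguid>[^|]+)\|(?P<username>[^&]+)&configId=(?P<config_id>.+)$")


def parse_beacon(body: str) -> Optional[dict]:
    """Split a captured POST body into its three fields; None if the layout does not match."""
    m = BEACON_RE.match(body)
    return m.groupdict() if m else None


# Constructed demo values (not taken from any real sample).
DEMO_KEY = b"constructed-rc4-key"
DEMO_C2 = b"http://c2.example.invalid/"
DEMO_ENCRYPTED_C2 = rc4(DEMO_KEY, DEMO_C2)          # what a string-decryption routine would find in memory
DEMO_BEACON = "machineId=11111111-2222-3333-4444-555555555555|analyst&configId=CONSTRUCTED_KEY"


def recover_c2() -> str:
    """Decrypt the demo C2 string the way a config extractor would once the key is known."""
    return rc4(DEMO_KEY, DEMO_ENCRYPTED_C2).decode()


if __name__ == "__main__":
    print(recover_c2())
    print(parse_beacon(DEMO_BEACON))
```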

Raccoon v2 malware configuration

Where to analyze malware

Do you want to analyze malicious files and links? There is a fast and easy solution: use the ready-made configurations in the ANY.RUN online malware sandbox and investigate suspicious files inside and out. Try to crack any malware using an interactive approach:


> Write the “HACKERNEWS” promo code at [email protected] using your business email address and get 14 days of ANY.RUN premium subscription for free!

The ANY.RUN sandbox lets you analyze malware quickly, navigate through the research process easily, detect even sophisticated malware, and get detailed reports. Use smart tools and hunt malware successfully.
