
- 15/2023
- High
Raccoon is a Trojan (information-stealing) malware written in C/C++ that steals credentials and cryptocurrency wallet data from infected users. It is sold as Malware-as-a-Service (MaaS) on underground forums by Ukrainian-speaking sellers.
Raccoon enables threat actors to steal sensitive information, including credit card details, home addresses, phone numbers, email accounts, and login credentials from infected systems.
The Tactics and Techniques of Raccoon Stealer:
• Raccoon Malware is typically distributed through phishing emails or malicious websites that use social engineering tactics to trick users into downloading or installing the malware.
• Upon execution, Raccoon sends a request containing the machine ID, user name and configuration ID to its C&C server in order to obtain its configuration file.
• The C&C server returns a JSON file that contains the configuration for the stealer functionalities such as targeted applications and the token used for data exfiltration.
• Raccoon then collects sensitive information from the infected machine and stores it in the following files under %TEMP%:
o %TEMP%\passwords.txt
o %TEMP%\CC.txt
o %TEMP%\chrome_autofill.txt
o %TEMP%\chrome_cookie.txt
o %TEMP%\firefox_cookie.txt
o %TEMP%\outlook.txt
Additionally, if its configuration file instructs it to, Raccoon captures a screenshot of the infected system and saves it as %TEMP%\screen.png.
• Raccoon malware uses fileless execution techniques to evade detection and persist on an infected machine.
• Collected information is compressed into a ZIP archive, encrypted with RC4 and Base64-encoded, and transmitted to the C&C server in an HTTP POST request that carries the token received earlier together with the configuration file.
• After data exfiltration, Raccoon deletes itself from the infected machine using the following command (the single-packet ping with a 3-second timeout serves as a short delay so that the executable is no longer running when the delete runs):
o cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"
It should be highlighted that the IOCs of this malware are dynamic and change over time; therefore, immediate action must be taken.
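As an added example (not part of the EG-FinCIRT advisory and not Raccoon's own code), the following Python script shows how two of the behaviours described above can be hunted for in endpoint telemetry: the ping-delay self-deletion command line, and execution of binaries or presence of the named artifacts under %TEMP%. The event records, file paths and PIDs are constructed for illustration; the field names (pid, image, parent_image, command_line) are an assumption modelled on Sysmon Event ID 1 process-creation events.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# None of these paths, PIDs or hosts are real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "command_line": r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q '
                     r'"C:\Users\bob\AppData\Local\Temp\invoice.exe"'},
    {"pid": 5200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /C ping 8.8.8.8 -n 4"},      # benign ping, no delete
    {"pid": 6111, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
]

# The self-delete pattern from the advisory: a one-packet ping used as a sleep,
# then a forced, quiet delete of a (usually quoted) path. The IP address and the
# -w timeout are left free because both are trivially changed by the operator.
SELF_DELETE_RE = re.compile(
    r'ping\s+\S+\s+-n\s+1\s+-w\s+\d+\s*>\s*nul\s*&\s*del\s+/f\s+/q\s+"?(?P<target>[^"]+)"?',
    re.IGNORECASE,
)

# Artifact file names the advisory attributes to Raccoon in %TEMP%.
RACCOON_TEMP_ARTIFACTS = {
    "passwords.txt", "cc.txt", "chrome_autofill.txt", "chrome_cookie.txt",
    "firefox_cookie.txt", "outlook.txt", "screen.png",
}


def _in_temp(path):
    """True if any directory component of a Windows path is named Temp."""
    return "temp" in [p.lower() for p in PureWindowsPath(path).parts]


def detect_self_delete(event):
    """Flag the ping-delay + del command line; strongest when it deletes its own parent."""
    m = SELF_DELETE_RE.search(event["command_line"])
    if not m:
        return None
    target = m.group("target").strip()
    return {"rule": "ping-delay self-delete", "pid": event["pid"], "target": target,
            "deletes_parent": target.lower() == event["parent_image"].lower()}


def detect_temp_execution(event):
    """Flag any process whose image lives under a Temp directory."""
    if _in_temp(event["image"]):
        return {"rule": "execution from %TEMP%", "pid": event["pid"], "image": event["image"]}
    return None


def hunt(events):
    """Run every detector over every event and return the list of hits in order."""
    hits = []
    for ev in events:
        for detector in (detect_self_delete, detect_temp_execution):
            result = detector(ev)
            if result:
                hits.append(result)
    return hits


def suspicious_temp_files(filenames):
    """Reduce a %TEMP% directory listing to the names the advisory associates with Raccoon."""
    return sorted(f for f in filenames if f.lower() in RACCOON_TEMP_ARTIFACTS)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
    # Constructed directory listing, e.g. from `dir %TEMP%` on a suspect host.
    print(suspicious_temp_files(["passwords.txt", "CC.txt", "notes.txt", "screen.png"]))
```

The self-delete rule deliberately matches on structure rather than on the 1.1.1.1 address or the 3000 ms timeout, since those are the parts of the command an operator is most likely to vary; the deletes_parent flag separates a process cleaning up after itself from an administrator's one-off delete.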
Indicators of Compromise
Indicators of compromise will be shared with EG-FinCIRT’s Constituents
Mitigations
• Search for existing signs of the indicated IOCs in your environment.
• Block all URL and IP-based IOCs at the organization’s security devices.
• Implement network segmentation so that not every machine on your network is reachable from every other machine.
• If remote access is required, use a VPN configured according to vendor best practices, with multi-factor authentication, password audits, precise access control, and active monitoring of remote access sessions.
• Users logged into remote access services should have limited privileges for the rest of the corporate network.
• Administrators should adopt multi-factor authentication and use a separate administrative account from their normal operational account.
• Conduct cybersecurity awareness training for end users.
• Ensure anti-virus software and associated files are up to date.
• Implement application whitelisting, which only allows systems to execute programs known and permitted by the organization’s security policy.
• Back up your data to several different backup destinations, including tape drives.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
• Install updates/patches for operating systems, software, and firmware as soon as they are released.
• Refrain from opening untrusted links and email attachments without verifying their authenticity.
• Disable the browser "Save Password" functionality.
References
- Egyptian Financial Computing Incident Response Team (EG-FinCIRT)